Physical locks don't help with the dancing bunnies attack.
This is why places are moving towards solutions that combine the physical security with taking root/Administrator/QSECOFR authority away from the end user. It stops Joe Sixpack from installing yet another Trojanized "pr0n viewer".
NWN1 is one of the few games that actually didn't suck. Bioware yanked all DRM except the CD key needed to get to use the multiplayer servers (which is perfectly acceptable), and supported the game for a very long time with not just fixes, but additional content.
It is sad to see this hacked -- one could easily get thousands of hours of entertainment with NWN1 just due to well written player made modules.
I wish the hackers could have nailed some game company that puts out crap instead of a game which has aged quite well and is actually still worth playing.
Instead of another lightweight car with no productive use other than showing off drag coefficients in a wind tunnel, how about we see improvements in where the reward is the best?
Most cars have decent fuel economy. We need to not fret on getting 40 mpg from a 30mpg car. Instead, we need to see about squeezing 12-15 mpg from something that has 10mpg. Ford's turbocharged [1] V6 in the full sized trucks is one example -- getting something fuel thirsty as a pickup and adding some decent economy gains will save a lot more fuel in the long run than concept small cars.
Car companies need to show off heavy duty pickups and other boring but needed fleet vehicles that have energy saving features, but can still tow/haul/drag/carry the loads needed. For example, turbo diesel engines. This isn't a new technology, but it would be nice to see car makers offer this across the entire line of pickups, not just the heavy duty models.
[1]: 5psi boost -- not that great, but enough to overcome the HP loss in high altitudes that normally aspirated engines suffer from.
On average, 200 miles is enough for most people. However, emergencies happen. I might have to go pick up someone, then hit the bank. Or I might be so frazzled from a day of picking up stray inodes that I forget to plug the vehicle in for a charge. Then, I'm screwed because there are no real ways to charge an electric vehicle outside of the specially designed housing installed at home.
The Volt is a good start. However, what GM needs to do is put the big R&D dollars into the Silverado Hybrid and the Tahoe Hybrid. The Silverado is their top selling vehicle, and if they can do well selling those, they will make a larger profit than yet another compact car. The real gas savings overall are the pickups and SUVs that get MPG in the low teens. Not compact cars, some of which (the VW diesels) are as good as one is going to get without some revolution in engine design.
A hybrid GMC 3500 costs a pretty penny, but companies and fleets would buy it just for the PR. If done right, it would have some awesome side features too, such as being able to run some serious hardware via an inverter off the batteries, or use the vehicle as an effective/efficient emergency generator.
A hybrid pickup truck with high wattage inverter capabilities would be a boon to RV-ers. Plug your 30 amp or 50 amp line into the pickup truck when boondocking; when the batteries get low, fire up the engine, then if the vehicle's gas tank gets below a certain amount (say 10 gallons, but it needs to be user-settable), shut the generator off.
You hit the nail on the head. There are audio units that have dolphins swimming on the display, but trying to find truly serious head units is very difficult.
I would like to see a head unit that can do what the Ford SYNC unit can. It handles Bluetooth calls via a mic mounted near the visor, can handle a USB attached hard disk for a music stash, plays well with iPods, iPhones, and Android devices, and has very good voice operated controls (voice dialing, getting traffic/news reports, etc.) Navigation is possible with or without a large display via voice.
Preferably a head unit that can come in single DIN and double DIN sizes. Single DIN can have the CD mechanism being placed somewhere else in the vehicle and sport a decent iPod/iPhone dock.
Apple would seize the audio market by force just because the competition is so lousy -- the only real competitor is Alpine, maybe Sony (haven't seen what they are doing), and what audio heads ship with the vehicle from the carmaker. Especially if Apple puts 3G communication in the audio head and has streaming via iCloud.
I can easily imagine a program like this existing, perhaps being forced on us as with an anti-hacker law. It would end up running either at the BIOS or the hypervisor level, and reinstalling itself similar to LoJack for Laptops. It essentially scans and acts like an antivirus program on Windows, including chewing up CPU and I/O resources.
However, it hunts down signatures of suspect files, and not just removes them, but phones home to have the computer owner arrested on the spot.
Of course, disabling it won't be an option. Locked down OSes, hardware DRM stacks, and NAC going from the end user's router all the way to the core peerers will take care that only "trusted" devices have Internet access.
It really boils down to who had the deeper pockets. mp3.com was just a spot on the RIAA's shoe, while Google, Amazon, or Apple would actually give them a run for their money.
I wish mp3.com didn't go with the locker service... it was a great site for finding new bands... and there isn't really much in that department nowadays, other than last.fm and Pandora. It would be nice to have a site with a decent metal selection that doesn't have the same warmed over top 100 artists, and proper sub-genres.
Bingo. A few years back, we had some decent choices for an MP3 player with a decent capacity, from the Zune, to many others. Drivers? Plug it in, it mounts as a USB flash drive, copy files, unmount, and call it done.
Now, there are no real MP3 players with any capacity beyond like 6 gig, and the only MP3 player with 100+ gigs of capacity is the iPod Classic.
Of course, like described above, there are the "portable media players", but if I want to watch video on my MP3 player, I would buy a Galaxy Tab, iPad, or an iPod Touch. There is a market niche for this type of device -- just audio and a high capacity HDD. I just hope Apple doesn't can their iPod Classic anytime soon.
Take an average server. It belongs to the cloud provider, and clients store their data using the server as a head, and the backend SAN for the actual storage. The cloud provider tanks. The server and its SAN are auctioned off because the company is in receivership.
Mallory, the purchaser of the machine finds that there is a bunch of stuff including PII on it. He doesn't like the old company, so creates a torrent, and seeds it.
Can you sue Mallory? Nope. He just bought some computer hardware that happened to have some data on it and decided to do what he wanted. Copyright violation? Nope. The data was stored at the permission of the cloud computing provider and client.
Can you sue the cloud provider? Stand in line behind the big boys who already have the auction proceeds going to them.
This is where the government needs to step in and offer guarantees for a certain status, with the responsibilities. Want the "secure cloud provider" certification? Put some money in escrow so data can be destroyed under the eye of a Federal agency or a contractor. Combine this with a true SLA that is enforced not just with a piece of paper, but underwritten by an insurance firm, similar to how people are surety bonded.
Then, cloud computing might be a decently secure alternative to the age old tape rotations and the Iron Mountain van visiting on its usual schedule.
There is always the police standby, the browbeat tactic: Convince the person with the TC volume that you know they have a secret volume, won't say how you know, and commence with the threats, be it criminal charges in a civilized country, or the thumbscrews in other places.
Eventually the person will cough up a hidden volume.
What about if the company goes bankrupt? SLAs mean zilch then, and all privately stored data can be put on a torrent for anyone to download, and there is nothing anyone can do to stop that.
I'll be blunt: I hate calling for regulation. However, here is my proposal:
Have a status of "trusted storage provider" which is a certificate by the US government and led by a body. Essentially for a business to get this status, they pay a deposit, submit to security checks (physical, network based, etc.), and have a fund to deal with the destruction of all data stored with them should they go bankrupt or cease operations. The destruction would be done by an independent party who would show certificates of the destruction, and have insurance so if data wasn't really destroyed, people can file claims.
This way, either the data will be stored as per a SLA, or it will be destroyed.
What would be cool is if DB offered more than just password based authentication.
What would be cool would be client certificate based authentication, perhaps generated on a purchased cryptographic token from DB. Accounts can have more than one token for recovery reasons. This not just allows for authentication, but encryption of data. The only way an attacker could decrypt stored data would be to physically gain possession of a token and know its PIN (or guess it in less than 3-17 tries before the device erases itself).
Don't forget because (in theory) an attacker has unfettered access to the encrypted blobs, use a keyfile and not just a passphrase. This way, an attacker has to deal with the full keyspace.
Say I have a number of documents at college I'm working on. I use a cryptographic token that stores a TC, KeePass, or AxCrypt keyfile that is randomly generated. This way, the data residing on the remote server is not just protected by a sturdy passphrase, but will require access to something that is stored on a physically tamper resistant container. Of course, if the computer I'm on is compromised, I'm hosed. However, brute forcing the data is just not going to happen. Attacks against the container will result in it destroying the contents after 3-10 tries.
This also is no protection against rubber hose cryptography, but one needs to consider their threat level -- it is far more likely for someone to have a remote site compromised with data on it than being kidnapped just for a Word document with a term paper on it. If their threat level means that someone is willing to go and grab them, it takes a completely different cryptographic implementation.
Good point. I'm coming from a desktop computer point of view.
Because of this, perhaps the only real alternative for consoles is a third company (charging some type of nominal fee to keep their servers online) that will keep the API a trade secret even when the game moves off. The console users connect to that third party, who connects them to the private servers with the same API the PC games would use. It adds one step, but it solves this issue.
Bingo. If the game company has the same API, then the backend code of load distribution can remain unpublished, while an implementation can be handed out that would work well on a single box.
Maybe this could be a niche for a dedicated business -- a company whose job it is to have servers for nonsupported games, perhaps with a small subscription fee to keep the lights on. This way, if someone wants to play a game long since not supported, but still quite playable (NWN 1 comes to mind), support is still around for it.
What game companies need to do is do it in stages:
Stage 1: This lasts from mid beta until about a month after the game is released. Have a bunch of servers spun up ready to handle the capacity.
Stage 2: This lasts from a month to a year. Resize the servers to what load the players are doing.
Stage 3: A year to two years: Publish the API the game uses for the servers, as well as skeleton source code for servers. Patch the game with the option to use third party servers.
Stage 4: 2-3 years out from game release. Keep a few servers up, but try to get the main load phased to user run servers.
Stage 5: 3 years out from game release and all expansions: "Throw the switch", publish source code, disable the original game maker servers, and only have the option for user machines. The user community is now essentially on its own, and the game can continue with an indefinite lifespan.
There are multiple ways to brute force. One is just finding the known subset of the keyspace (what people can type in), and running scans through that. Another is using dictionaries (ye old Crack). Of course, using dictionaries, then scanning the keyspace is useful too.
Dictionaries are still useful even though people's passwords tend to be more than just a word these days. A lot of people use two words and a character, so that is far more guessable than trying to just brute force every single option in a 10-12 character keyspace.
WinZIP and WinRAR have effective encryption, but one needs to have an effective passphrase with it.
Ideally, the best way to encrypt stuff is with not just a passphrase, either with a random keyfile for symmetric encryption, or use public key crypto (although PK crypto has its own caveats). This way, there is no brute-forceable passphrase to guess, so an attacker has to deal with the complete keyspace of an encryption algorithm, and not just what people type in.
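The two comments above (the keyfile-on-a-token one and the brute-force one) make the same point from two sides: a passphrase alone limits the attacker's search to "what people type in", while a random keyfile pushes the search out to the full key space. The following is an added example, not code from any poster or from TrueCrypt/KeePass/AxCrypt; the derivation (hash of the keyfile prepended to the passphrase, then PBKDF2) is an illustrative construction rather than any product's real on-disk format, and the salt, keyfile, candidate list and word-list sizes are constructed sample values.

```python
"""Added example: why a random keyfile removes the dictionary shortcut.

The derivation below is an illustrative construction (assumed, not any
product's real format): the SHA-256 of the keyfile is prepended to the
passphrase before PBKDF2, so the KDF input is only "typeable" when no
keyfile is in play.
"""
import hashlib
import hmac
import math
from typing import Iterable, Optional

# Deliberately low so the demo runs in milliseconds; real deployments use far more.
KDF_ITERATIONS = 1_000


def derive_key(passphrase: str, salt: bytes, keyfile: Optional[bytes] = None) -> bytes:
    """Derive a 256-bit key from the passphrase, and from the keyfile if one is used."""
    material = passphrase.encode("utf-8")
    if keyfile is not None:
        # Mixing in a 256-bit random keyfile means the KDF input is no longer
        # enumerable from a word list, whatever the passphrase looks like.
        material = hashlib.sha256(keyfile).digest() + material
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS)


def search_space_bits(word_list_size: int, words: int, symbols: int) -> float:
    """Work (in bits) to enumerate every '<words> dictionary words + one symbol' passphrase."""
    return math.log2(word_list_size ** words * symbols)


def charset_space_bits(charset_size: int, length: int) -> float:
    """Work (in bits) to enumerate every string of `length` characters from a charset."""
    return length * math.log2(charset_size)


def dictionary_check(target: bytes, salt: bytes, candidates: Iterable[str],
                     keyfile: Optional[bytes] = None) -> Optional[str]:
    """Return the candidate passphrase that reproduces `target`, or None.

    Used here to show what a word-list search can and cannot recover; the
    comparison is constant-time so the check itself leaks nothing."""
    for cand in candidates:
        if hmac.compare_digest(derive_key(cand, salt, keyfile), target):
            return cand
    return None


# Constructed sample data (not from any real system).
SALT = b"\x01" * 16
WEAK_PASSPHRASE = "correct horse!"          # "two words and a character"
CANDIDATES = ["password1", "letmein", "correct horse!", "battery staple"]
DEMO_KEYFILE = bytes(range(32))             # stands in for a random 256-bit keyfile on a token


def demo():
    """Returns (what a word-list search recovers without a keyfile,
                what it recovers when a keyfile it does not have is in use)."""
    key_pw_only = derive_key(WEAK_PASSPHRASE, SALT)
    found = dictionary_check(key_pw_only, SALT, CANDIDATES)

    key_with_kf = derive_key(WEAK_PASSPHRASE, SALT, DEMO_KEYFILE)
    # The searcher knows the same candidates but does not hold the keyfile.
    not_found = dictionary_check(key_with_kf, SALT, CANDIDATES)
    return found, not_found


if __name__ == "__main__":
    print("two words + symbol (20k-word list): %.1f bits" % search_space_bits(20_000, 2, 32))
    print("10 printable ASCII chars:           %.1f bits" % charset_space_bits(95, 10))
    print("random 256-bit keyfile:             256 bits")
    print("word-list search without / with keyfile in use:", demo())
```

The numbers the block prints make the brute-force comment concrete: a "two words and a character" passphrase drawn from a 20,000-word list is roughly 34 bits of work, a 10-character printable-ASCII key space is about 66 bits, and a 256-bit keyfile is out of reach regardless of the passphrase. The `demo()` call shows the practical consequence: the same short candidate list recovers the passphrase-only key immediately and gets nowhere once a keyfile the searcher does not hold is mixed in. As the keyfile comment already notes, this does nothing against a compromised endpoint or against coercion; it only removes the cheap dictionary path.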
I doubt that. If they are any good, they may not be caught. What will happen is that we will have an insane witch hunt on our hands, especially if the press starts spewing out "news shows" about how the bad, evil hackers can with a push of a button turn whole swaths of the US into grey goo, activate Skynet, or erase Joe Sixpack's pr0n collection.
Result: Say buh-bye to any freedom of speech, anonymity, and hello to mandatory DRM stacks, mandatory tracking, and more BS than the King Ranch uses for fertilizer in a year.
I'm almost betting that some lawmakers have laws drafted, saved to go, and marked as final copy in Word by their lobbyists the second this stuff actually starts getting the masses scared. Here is what will be the text:
Only "approved" machines will be allowed on the Internet. This means that all core routers will enforce some type of NAC, either to a router requiring a signed OS, or if connecting to a machine, requiring a signed DRM stack, perhaps on the hypervisor level.
Machines with the DRM stack would have something that functions similar to an antivirus, but looks for signatures of known files on torrent sites. It then would shut the machine down and phone to the nearest LEOs about the IP infringement, similar to how a certain printer maker was alleged to have drivers that would brick the printer and phone home if it thought someone was copying currency.
Mandatory ID systems... yep, made by the lowest bidder and riddled with security holes, similar to Europe's Chip & PIN. The real blackhats will have a field day, while the people whose ID gets stolen end up facing prison terms with no jury believing them.
ISPs will have a field day. They can block access to anything they please for "security reasons." Don't forget the added fees for this.
So, what the end result of all this will be is that ISPs, telcos, Big Copyright, LEOs looking for "low hanging fruit" to prosecute and companies with actual stuff to hide will all profit. The end user gets boned.
I can see how a user can easily hit their cap and this is without BitTorrent, P2P (in general), or even HD video streaming being in play. For example:
Windows updates. OS X updates. iOS updates. Android updates via the Wi-Fi connection. Sun fixpacks. AIX technology levels. Yum updates. App updates. Game updates (WoW, RIFT, EQ2.) Backups of documents to Backblaze/Mozy/Carbonite.
If you have enough machines, one can end up hitting a cap early on just because of the amount of program/system/app updates. To boot, because few people have a caching/staging machine, the same patch that could be 300-600 MB may end up being redownloaded multiple times by different machines.
Bingo. One can take lessons from being an AD&D dungeon master, as well as acting 101. The trick is to handle the incoming requests to IT like you do with players who get a ring of three wishes and wish for something.
Your goal is to either give them what they wish for... except show them that the invoice will be pricy (and it cannot be done any other way due to SOX/HIPAA/FERPA/CALEA/PCI-DSS/other regs), or find them an alternative.
For example, if they are wanting tier 1 SAN space for a pile of ISO images, offer something "just as good" -- put the LUN on the ratty T3 SATA drives and let the drive controllers do the caching. To them, with the large caches enterprise HBAs/CNAs have, the ISO images of whatever they have appear to be on the $100,000/terabyte chips when they are really on the slow as all get out (relatively) SATA arrays at the bottom of the EMC. If you are really bored, turn on autotiering, and there is no way the people asking for it would know the difference.
What is ironic is that it wouldn't have taken much in the way of searching to find secure USB flash drives for an IT department to hand out. Ironkeys are pricy, but are standing up to the test of time (the only complaint is someone whining that an IronKey is vulnerable to a keylogger.) IKs also have enterprise level management features including the ability to remote kill them (although I have no clue how workable it will be in the real world, especially if the device is used offline.)
I'm guessing the IT department went with the "other" solution due to price.
Devil's advocate here: TC is a good solution for a lot of things, but it really isn't an enterprise/corporate level product where the ability to recover data if an employee loses/forgets their info is needed.
If the IT department wanted software that works on Windows and Mac, they should have gone with PointSec, PGP Desktop, or something like that which would not just encrypt data on USB flash drives, but enforce it. If the environment was just Windows, BitLocker To Go can do this with Windows 7. If a hardware solution was asked for, then IronKeys as stated above would be a good fit.
The only caveat about IronKeys is that one would be hard pressed to use them with AIX or Solaris.
The kicker is that in this economy, a person is highly unlikely to find work within a reasonable time frame. It used to be that it wasn't hard to do some clandestine pavement pounding, find another opening somewhere, then resign. These days, it can be months, or even years before something relevant comes up.
So, it is better to be fired and claim unemployment, rather than quit and have nothing. Especially when it may be a long time before finding the next job.
I have seen 9mm ammo with a "DO NOT EAT" warning on the box.
I was thinking exactly this on another thread:
If done right, the government support can be considered the same thing as a research grant to a university... with three stipulations:
1: The research belongs to the US government. Anything that results can be used for the public good.
2: If their product sold like gangbusters, the USG would take a percentage of the profits to fund more startups.
3: The work done in the US for jobs.
If this is done, I don't object to the US government funding company research.
What lawsuits?
Take an average server. It belongs to the cloud provider, and clients store their data using the server as a head, and the backend SAN for the actual storage. The cloud provider tanks. The server and its SAN are auctioned off because the company is in receivership.
Mallory, the purchaser of the machine finds that there is a bunch of stuff including PII on it. He doesn't like the old company, so creates a torrent, and seeds it.
Can you sue Mallory? Nope. He just bought some computer hardware that happened to have some data on it and decided to do what he wanted. Copyright violation? Nope. The data was stored at the permission of the cloud computing provider and client.
Can you sue the cloud provider? Stand in line behind the big boys who already have the auction proceeds going to them.
This is where the government needs to step in and offer guarentees for a certain status, with the responsibilities. Want the "secure cloud provider" certification? Put some money in escrow so data can be destroyed under the eye of a Federal agency or a contractor. Combine this with a true SLA that is enforced not just with a piece of paper, but underwritten by an insurance firm, similar to how people are surety bonded.
Then, cloud computing might be a decently secure alternative to the age old tape rotations and the Iron Mountain van visiting on its usual schedule.
There is always the police standby, the browbeat tactic: Convince the person with the TC volume that you know they have a secret volume, won't say how you know, and commence with the threats, be it criminal charges in a civilized country, or the thumbscrews in other places.
Eventually the person will cough up a hidden volume.
What about if the company goes bankrupt? SLAs mean zilch then, and all privately stored data can be put on a torrent for anyone to download, and there is nothing anyone can do to stop that.
I'll be blunt: I hate calling for regulation. However, here is my proposal:
Have a status of "trusted storage provider" which is a certificate by the US government and led by a body. Essentially for a business to get this status, they pay a deposit, submit to security checks (physical, network based, etc.), and have a fund to deal with the destruction of all data stored with them should they go bankrupt or cease operations. The destruction would be done by an independent party who would show certificates of the destruction, and have insurance so if data wasn't really destroyed, people can file claims.
This way, either the data will be stored as per a SLA, or it will be destroyed.
What would be cool is if DB offered more than just password based authentication.
What would be cool would be client certificate based authentication, perhaps generated on a purchased cryptographic token from DB. Accounts can have more than one token for recovery reasons. This not just allows for authentication, but encryption of data. The only way an attacker could decrypt stored data would be to physically gain possession of a token and know its PIN (or guess it in less than 3-17 tries before the device erases itself).
Don't forget because (in theory) an attacker has unfettered access to the encrypted blobs, use a keyfile and not just a passphrase. This way, an attacker has to deal with the full keyspace.
Say I have a number of documents at college I'm working on. I use a cryptographic token that stores a TC, KeePass, or AxCrypt keyfile that is randomly generated. This way, the data residing on the remote server is not just protected by a sturdy passphrase, but will require access to something that is stored on a physically tamper resistant container. Of course, if the computer I'm on is compromised, I'm hosed. However, brute forcing the data is just not going to happen. Attacks against the container will result in it destroying the contents after 3-10 tries.
This also is no protection against rubber hose cryptography, but one needs to consider their threat level -- it is far more likely for someone to have a remote site compromised with data on it than being kidnapped just for a Word document with a term paper on it. If their threat level means that someone is willing to go and grab them, it takes a completely different cryptographic implementation.
Good point. I'm coming from a desktop computer point of view.
Because of this, perhaps the only real alternative for consoles is a third company (charging some type of nominal fee to keep their servers online) that will keep the API a trade secret even when the game moves off. The console users connect to that third party, who connects them to the private servers with the same API the PC games would use. It adds one step, but it solves this issue.
Bingo. If the game company has the same API, then the backend code of load distribution can remain unpublished, while an implementation can be handed out that would work well on a single box.
Maybe this could be a niche for a dedicated business -- a company whose job it is to have servers for nonsupported games, perhaps with a small subscription fee to keep the lights on. This way, if someone wants to play a game long since not supported, but still quite playable (NWN 1 comes to mind), support is still around for it.
What game companies need to do is do it in stages:
Stage 1: This lasts from mid beta until about a month after the game is released. Have a bunch of servers spun up ready to handle the capacity.
Stage 2: This lasts from a month to a year. Resize the servers to what load the players are doing.
Stage 3: A year to two years: Publish the API the game uses for the servers, as well as skeleton source code for servers. Patch the game with the option to use third party servers.
Stage 4: 2-3 years out from game release. Keep a few servers up, but try to get the main load phased to user run servers.
Stage 5: 3 years out from game release and all expansions: "Throw the switch", publish source code, disable the original game maker servers, and only have the option for user machines. The user community is now essentially on its own, and the game can continue with an indefinite lifespan.
There are multiple ways to brute force. One is just finding the known subset of the keyspace (what people can type in), and running scans through that. Another is using dictionaries (ye old Crack). Of course, using dictionaries, then scanning the keyspace is useful too.
Dictionaries are still useful even though people's passwords tend to be more than just a word these days. A lot of people use two words and a character, so that is far more guessable than trying to just brute force every single option in a 10-12 character keyspace.
WinZIP and WinRAR have effective encryption, but one needs to have an effective passphrase with it.
Ideally, the best way to encrypt stuff is with not just a passphrase, either with a random keyfile for symmetric encryption, or use public key crypto (although PK crypto has its own caveats). This way, there is no brute-forceable passphrase to guess, so an attacker has to deal with the complete keyspace of an encryption algorithm, and not just what people type in.
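As an added illustration (not part of the original comments), this Python snippet puts numbers on the point above: it compares the search space of the "two words and a character" pattern against a full 10-12 character printable keyspace and a random 128-bit key. The wordlist size, character-class sizes and guess rate are assumed values chosen for the example.

```python
import math

# Assumed sizes (constructed for illustration, not measured figures).
DICT_WORDS = 100_000    # entries in a typical cracking wordlist
SYMBOLS = 32            # digits/punctuation a user tacks onto the end
PRINTABLE = 95          # printable ASCII alphabet for a "true" brute force


def pattern_space(components, variants=1):
    """Candidates for a password assembled from ordered components.

    components: list of alternative counts per slot, e.g. [word, word, symbol]
    variants:   multiplier for cheap mutations the cracker also tries
                (capitalising a word, moving the symbol), applied once.
    """
    size = 1
    for count in components:
        size *= count
    return size * variants


def full_keyspace(alphabet, min_len, max_len):
    """All strings over `alphabet` with length in [min_len, max_len]."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def bits(space):
    """Equivalent entropy of a search space in bits."""
    return math.log2(space)


def expected_seconds(space, guesses_per_second):
    """Average time to hit the right candidate (half the space)."""
    return space / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 1_000_000_000  # assumed offline guess rate for a fast hash
    cases = {
        "word+word+symbol": pattern_space([DICT_WORDS, DICT_WORDS, SYMBOLS]),
        "same, w/ caps + symbol placement": pattern_space(
            [DICT_WORDS, DICT_WORDS, SYMBOLS], variants=2 * 2 * 3),
        "random printable 10-12 chars": full_keyspace(PRINTABLE, 10, 12),
        "random 128-bit keyfile": 2 ** 128,
    }
    for name, space in cases.items():
        years = expected_seconds(space, rate) / (365 * 24 * 3600)
        print(f"{name:36s} {bits(space):6.1f} bits  ~{years:.3g} years")
```

The dictionary pattern lands near 38 bits even with common mutations, while the random 10-12 character space is near 79 bits and a keyfile is the full 128, which is why the attacker's job changes from "guess what a person typed" to "search the algorithm's keyspace".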
I doubt that. If they are any good, they may not be caught. What will happen is that we will have an insane witch hunt on our hands, especially if the press starts spewing out "news shows" about how the bad, evil hackers can with a push of a button turn whole swaths of the US into grey goo, activate Skynet, or erase Joe Sixpack's pr0n collection.
Result: Say buh-bye to any freedom of speech, anonymity, and hello to mandatory DRM stacks, mandatory tracking, and more BS than the King Ranch uses for fertilizer in a year.
I'm almost betting that some lawmakers have laws drafted, saved to go, and marked as final copy in Word by their lobbyists the second this stuff actually starts getting the masses scared. Here is what will be the text:
Only "approved" machines will be allowed on the Internet. This means that all core routers will enforce some type of NAC, either to a router requiring a signed OS, or if connecting to a machine, requiring a signed DRM stack, perhaps on the hypervisor level.
Machines with the DRM stack would have something that functions similar to an antivirus, but looks for signatures of known files on torrent sites. It then would shut the machine down and phone to the nearest LEOs about the IP infringement, similar to how a certain printer maker was alleged to have drivers that would brick the printer and phone home if it thought someone was copying currency.
Mandatory ID systems... yep, made by the lowest bidder and riddled with security holes, similar to Europe's Chip & PIN. The real blackhats will have a field day, while the people whose ID gets stolen end up facing prison terms with no jury believing them.
ISPs will have a field day. They can block access to anything they please for "security reasons." Don't forget the added fees for this.
So, what the end result of all this will be is that ISPs, telcos, Big Copyright, LEOs looking for "low hanging fruit" to prosecute and companies with actual stuff to hide will all profit. The end user gets boned.
But what else is new?
I can see how a user can easily hit their cap and this is without BitTorrent, P2P (in general), or even HD video streaming being in play. For example:
Windows updates.
OS X updates.
iOS updates.
Android updates via the Wi-Fi connection.
Sun fixpacks.
AIX technology levels.
Yum updates.
App updates.
Game updates (WoW, RIFT, EQ2.)
Backups of documents to Backblaze/Mozy/Carbonite.
If you have enough machines, one can end up hitting a cap early on just because of the amount of program/system/app updates. To boot, because few people usually have a caching/staging machine, the same patch that could be 300-600 MB may end up being redownloaded multiple times by different machines.
Bingo. One can take lessons from being an AD&D dungeon master, as well as acting 101. The trick is to handle the incoming requests to IT like you do with players who get a ring of three wishes and wish for something.
Your goal is to either give them what they wish for... except show them that the invoice will be pricy (and it cannot be done any other way due to SOX/HIPAA/FERPA/CALEA/PCI-DSS/other regs), or find them an alternative.
For example, if they are wanting tier 1 SAN space for a pile of ISO images, offer something "just as good" -- put the LUN on the ratty T3 SATA drives and let the drive controllers do the caching. To them, with the large caches enterprise HBAs/CNAs have, the ISO images of whatever they have appear to be on the $100,000/terabyte chips when they are really on the slow as all get out (relatively) SATA arrays at the bottom of the EMC. If you are really bored, turn on autotiering, and there is no way the people asking for it would know the difference.
What is ironic is that it wouldn't have taken much in the way of searching to find secure USB flash drives for an IT department to hand out. Ironkeys are pricy, but are standing up to the test of time (the only complaint is someone whining that an IronKey is vulnerable to a keylogger.) IKs also have enterprise level management features including the ability to remote kill them (although I have no clue how workable it will be in the real world, especially if the device is used offline.)
I'm guessing the IT department went with the "other" solution due to price.
Devil's advocate here: TC is a good solution for a lot of things, but it really isn't an enterprise/corporate level product where the ability to recover data if an employee loses/forgets their info is required.
If the IT department wanted software that works on Windows and Mac, they should have gone with PointSec, PGP Desktop, or something like that which would not just encrypt data on USB flash drives, but enforce it. If the environment was just Windows, BitLocker To Go can do this with Windows 7. If a hardware solution was asked for, then IronKeys as stated above would be a good fit.
The only caveat about IronKeys is that one would be hard pressed to use them with AIX or Solaris.
The kicker is that in this economy, a person is highly unlikely to find work within a reasonable time frame. It used to be that it wasn't hard to do some clandestine pavement pounding, find another opening somewhere, then resign. These days, it can be months, or even years before something relevant comes up.
So, it is better to be fired and claim unemployment, rather than quit and have nothing. Especially when it may be a long time before finding the next job.