When I was a kid my parents kept me on reins so I was never more than 2 feet and a tug away. Parents these days seem to think that is treating your kids like a dog. Stupid people.
Actually, putting a dog on one of those 12 foot leashes is one of the dumbest things that you can do to a dog. It makes the animal feel like she's in charge and reinforces all sorts of bad behaviors.
I can only imagine how kids raised by passive parents like that are going to end up.
It is different because before, manufacturers claimed that BPA was released only when heated.
We live in Albany, NY and work downtown. My wife gets free parking, so we carpool. When our schedules conflict, I usually take the bus because she would have to walk through a really shady area to get to work and I don't like to drive.
I could take any of 3 bus routes every day, but they take about 25 minutes in the morning and 30-45 minutes in the evening. Fare is about $30/mo with a commuter card.
From my driveway to my desk via carpool is 10-15 minutes.
If I lived in NYC, I would take advantage of public transit because it is fast and convenient to things other than work and home. Since NYC is one of the few viable cities in the US, you can actually grab food for dinner or run an errand without a car.
Look at a state like NY where the education unions have forced the state to provide funding to lower average class sizes and raise teacher salaries.
Now teachers average $65k/year and class sizes are decreased dramatically. The urban district where I live has an average class of 19. When I attended school in NYC in the early 80's, it was 30+.
Guess what? Performance still sucks, particularly for the lost generation of urban youth growing up in broken households, with parents who don't care and a culture that embraces ignorance and dependency.
It sucks in the burbs too, where the precious Connors and Jennifers get B's in watered down classes and have an inflated view of their own abilities.
I don't really see how a 3rd party subpoena could work in this situation. That's like saying the other side could subpoena your secretary and have him/her reveal confidential info. We both know that is not allowed because the secretary is considered an extension of a lawyer. I used to work at a large law firm and we had offsite storage for documents (physical documents/files). There is no way we could physically or economically store all of it onsite. Do you also see this as suicide?
Like the article submitter said, numerous bar associations have approved of this. I think you are being way overcautious.
My understanding, based on extended discussions with my organization's counsel, is that the case law for these scenarios isn't fleshed out yet. A huge problem is that in most cases you don't control the keys to your encrypted data, so you're vulnerable to lawful (or unlawful) interception.
YMMV, and the right decision depends on what you do. If you're a small town traffic/real estate/will attorney, it's probably no big deal. If you spend your time in federal court for complex or controversial matters, more paranoia is warranted.
It depends on the environment. For typical knowledge workers, enforcing standards to that degree is OCD stupidity.
In an environment where you have higher turnover or more defined tasks that employees perform, maintaining consistency to improve support and lower costs is a valid approach.
That's a good point, but the kind of huge organization you mention will have in-house IT people who can do that anyway, and I still think the advantage of a FOSS platform outweighs the relative lack of ready-to-go deployment facilities.
That just isn't true. I personally worked on a project for two years with full executive support to migrate 30% of a 60,000 user enterprise to Linux. It failed in the PoC stages because we simply couldn't manage to the level our external regulation and internal mandates demanded at a reasonable cost.
If I'm understanding this correctly, you get application installation automation for free with your centralized repository, perhaps automated with cfengine, puppet, or even ssh-in-a-loop.
Puppet and cfengine provide the distribution services that SCCM/Zen/etc gives you -- actually, they probably do those things better from some points of view. FreeIPA will narrow the gap further once it is fully baked. But these solutions are missing a bunch of features useful to enterprises, particularly distributed enterprises. And SCCM is very cheap, and requires a small set of admins. Puppet/cfengine/FreeIPA will require more people with more sophisticated skillsets.
I define an "enterprise" as an IT environment whose needs are beyond the ability of one 3-8 person generalist group to perform. For a regulated industry like a bank, that may be as little as 30 people. For a more ad-hoc industry like a call center, the number may be much higher.
Linux isn't ready for the enterprise desktop. We've tried for ages -- it's not as good as Windows at the moment.
I'd recommend buying a load of AA Eneloop batteries and recharger. Unlike most rechargeable batteries, they retain a charge for over a year, so your brother could charge up a bunch of batteries whenever he has access to power.
I interviewed a guy who was a gunner on a WW2 bomber for a history class a few years back. He said that on a clear night with no moon, you could spot someone lighting a cigarette from whatever cruising altitude was.
Proceed with caution!
Just because you're using AES-256 doesn't mean that you are using a FIPS 140-2 certified implementation! In fact, according to TrueCrypt's documentation, they do not have such a certification. http://www.truecrypt.org/docs/?s=compliance-with-standards
This means that if you are encrypting data for the purposes of meeting a state or federal regulatory requirement, TrueCrypt may not be sufficient. I know that the current interpretation of the NY Security Breach Notification law is that if it isn't FIPS 140-2 certified, it isn't encrypted.
You (I mean the general "you") need to be careful and seriously analyze who you trust your data with. Nobody knows who is behind TrueCrypt and they have a reputation for stifling criticism and dissent. That makes me leery, as even subtle flaws in an encryption system can render the system useless.
I would be hesitant to protect information for which I have a fiduciary responsibility in their hands.
You're missing the point of what this encryption is supposed to accomplish. Protecting data against a foe with the ability to place you under duress for access to data isn't a use case that the technology addresses.
99% of laptops do not have data worth killing for. Data is lost by opportunistic thieves or lost. If you have a high risk of being in the 1% with super-valuable data, you need to employ a layered defense in order to keep it secure.
To my knowledge, there is no FIPS-certified fingerprint device on the market. They offer no substantive value to a security solution.
If someone is pitching fingerprint readers, run away.
You're right, encryption doesn't protect against that. If you have information that people are willing to sever limbs for, you need to implement a "defense in depth" strategy. Armed guards, physical control of whatever has this data, etc.
Disk encryption is more about protecting against you leaving your laptop in a cab or a smash-and-grab theft from your car.
What regulators are looking for is an encryption solution whose algorithms have been certified to conform to FIPS 140-2. In general, you should only deploy encryption products in modes that are FIPS 140-2 certified.
The "Common Criteria" EAL levels are more of a measure of the overall quality of a product's security implementation. Typically a full-disk encryption app is certified at EAL level 3 or 4.
If you're using EAL as a decision-making point, make sure that you understand how the assurance level was implemented. You may find that only specific configurations meet EAL 4 requirements, so a product at level 4 may not be any better than a level 3 product in your situation.
You are misunderstanding the problem. Defending data in a datacenter is a completely different problem that data-at-rest encryption really doesn't help you with.
In most states, whenever a client computer could contain personally-identifying data, data breaches must be exposed to any potential victim and the general public.
In some cases, that includes things like browser caches, and other temporary files. So most financial institutions and government agencies opt to encrypt all mobile devices. Some law enforcement agencies encrypt desktop computers as well.
Encryption is very easy to do. Key management is hard. TrueCrypt is great for an individual user, but falls down when you have to manage a non-trivial number of clients.
AFAIK, Pointsec and one other solution (maybe McAfee?) will encrypt the hibernation file and revert back to pre-boot authentication when the laptop lid opens. The downside is that you need to disable sleep/suspend mode.
How you operate depends on your risk profile.
Are you concerned about someone actually robbing an employee for the purpose of obtaining data? Is the impact of data compromise a matter of life and death? In those cases, you need to encrypt the hibernation file and disable sleep.
Or are you more concerned about casual theft or loss where a thief is more interested in the laptop hardware? If that is the case, Windows-integrated login and sleep mode may be ok -- if you implement other mitigating features such as a firewall and strong password policy.
No, I'm complaining that TrueCrypt doesn't include a scalable mechanism for escrowing private keys in an organization.
I can deploy a FIPS-compliant, secure encryption solution from McAfee, Pointsec, PGP, WinMagic, and others, and still meet my legal and fiduciary responsibilities.
Your friend is doing something wrong.
If you're using a halfway-decent computer and AES, the AES encryption speed is probably faster than the laptop's IO performance anyway.
We have 25,000 laptops encrypted, and have been unable to find any performance issue -- with the exception of the extra hoops during login.
TrueCrypt in an enterprise? Hahaha!
What happens when somebody loses their password or keyfile? Or you get a subpoena for a laptop or USB key's content?
Unfortunately, no open source solution exists. Look at vendors like PGP, McAfee, Pointsec, etc. The outrageous cost is offensive, but you need to pay to play in an enterprise environment right now.
New York published a report studying issues surrounding electronic records.
It mostly centers around document formats, but an appendix in Part 2 recommends that the state integrate the evaluation of open source software into procurement policy. You might find it interesting.
You can find it here:
http://www.oft.state.ny.us/policy/esra/erecords-study.htm
No AdSense ads are displaying, at least for several popular advertising keywords like "refinance".
Your friend allowed herself to be bullied out of $20 million. My uncle is an attorney who tried a similar case, where the principal partner was a real arrogant piece of crap.
It took about 3 years, but the plaintiff was awarded treble damages due to the willful acts of the principal partner. The partner actually lost control of the company and eventually went bankrupt.
My uncle got 25%, since the plaintiff was not in a position to pay a retainer.
That would allow users to install automatic updates, but would open up the computers for massive ownage by zero-day threats.
We had the same experience -- my employer (government agency) contacted several people at Mozilla (and were willing to pay a good sum), and were rebuffed in a pretty obnoxious way.