Slashdot Mirror


User: fahlenkp

fahlenkp's activity in the archive.

Stories: 0 · Comments: 19

Comments · 19

  1. Re:Back to your assertion, please provide evidence on What To Do About Mobile Devices That Lie · Score: 1

    Hi, I can help you understand many of these subjects. HIPAA, as put forth by the Centers for Medicare Services on behalf of the US Government, has partnered with NIST to establish controls for protection of patient data. The end result is that HIPAA data is protected to FIPS 140-2 standards. PHIPA (I'm assuming that's the name I threw in) is the health regulation modeled on the US HIPAA but used in Canada. The Ministry of Health decided to use US NIST FIPS 140-2 standards or better as well. The military uses a mix of FIPS 140-1 to 3 for normal stuff. Funny how the National Institute of Standards and Technology would implement standards for the nation. Lazy example 1 you provided is an inaccurate example; I don't think you read the last paragraph, or that you understand the difference between breaking encryption on the phone vs. breaking the transmission protocol from phone to carrier. Any phone besides BlackBerry has next to nothing on the carrier-to-phone link. Lazy example 1 has been mitigated by BlackBerry. Lazy example 2: OK, that is a good example of poor implementation. But it is so incredibly easy to mitigate, I'm not sure why you linked it. I don't know anyone who uses BlackBerry Desktop, not a BES server. And even if you did use BlackBerry Desktop, your hard drive will already be encrypted to NIST FIPS 140-2 standards if you are in this business anyway. Thanks for the link, I didn't see it. But stupid example. Trolling? I'm open to a nice discussion, you know, what Slashdot is supposed to be: IT folks exchanging information. The information I would exchange back to you: in your threat assessment of BlackBerry, look at the statistics involved in risk management on this subject. The biggest risk is loss/theft of the physical device. Not backups, not data transmission. You know, #1 in the NIST/FIPS security cycle: identify the problem. Next line: no phone is secure. Agreed, if there are no wires and no radios, the more it is like a hunk of granite, the more secure a device is.

    But some devices are more secure than others, and I stand by my premise that a BlackBerry is more secure than an iPhone and a Google phone. I was trying to use an easy example to show you that one device was more secure than the other with the YouTube search. I guess the YouTube numbers game was not a good choice to try to convince you. I am aware of many problems with modern encryption. Most require more $ worth of GPU power than my data is worth. I'm not interested in the theoretical fun you are. I'm interested in the practical implementation of these technologies. I am also interested in protecting my company from monetary losses incurred from failing to observe federal regulations for processing patient data. I suppose the big difference is that I'm prepared for a US court; you are prepared for what, writing a book about conspiracy theory? At this point I abandon my customer service practice and move on to begging you to put your tinfoil hat back on. (Don't forget to run a line to earth ground or it doesn't work.)

  2. Re:Great idea despite the naysayers on Intel's Sandy Bridge Processor Has a Kill Switch · Score: 1

    You have a funny sense of humor. I do like the rotary dial phone on your desk.

  3. Back to your assertion, please provide evidence on What To Do About Mobile Devices That Lie · Score: 1

    I am fairly well versed on FIPS standards for both HIPAA and PHIPA, and rusty on DoD work. I 'try' every day... Please return to your assertion that BlackBerry encryption is weak and compromised. I will state my challenge to you again in simple, plain terms so you might understand before replying this time. 1. Cite articles from sources displaying proof of your assertion. I can't find any. Perhaps you could inform NIST of these breaches so that they can remove the offender from the certified list. 2. Provide details on why cracking iPhone encryption comes up a lot on YouTube, and BlackBerry not at all. Here is my link for abundant proof of my claim: http://tinyurl.com/28wesd6 I'm patient. Take your time.

  4. Re:Great idea despite the naysayers on Intel's Sandy Bridge Processor Has a Kill Switch · Score: 1

    My first post did not make the assertion that I enable *any* specific algorithm. My second post did not make an assertion that I was relying on a single algorithm. If you would like to engage an issue I spoke of, please do. I do not understand the tangent you are on.

  5. Re:Great idea despite the naysayers on Intel's Sandy Bridge Processor Has a Kill Switch · Score: 1

    I challenge you to cite some examples of PGP, Credant, TrueCrypt, or Check Point disk encryption failing to patch their whole-disk encryption. I'll come up with a list many times bigger with holes that are patched. I am here because my job depends on it and I need to keep an open mind. Please educate me.

  6. Primer on how this works because you guys=confused on Intel's Sandy Bridge Processor Has a Kill Switch · Score: 1

    1. Purchase a license for the remote recovery service.
    2. Enable the service in the laptop BIOS, encrypt the drive, enable the Intel kill switch.
    3. Now I can see all computers' GPS history in a nifty web portal. It has pretty maps and charts, good manager bait. Now I can set fences based on country, state etc. to start a wipe and shut down if it leaves that fenced area.
    4. User reports a stolen laptop, we report to the security service.
    5. Remote wipe sensitive directories, execute any custom commands.
    6. Alert cops to pick it up, start a timer for the kill switch based on battery life.
    7. Cops don't pick it up, battery is low, disable the machine completely with the Intel switch (the only new part here).

    If you own a laptop, get into the BIOS right now and look for Computrace activation. If it is a business-class machine, it is already there and has been for years. If you don't like it, don't get an aircard. All of this technology is up and running for me and a lot of other corporations. If you don't like it, and you work for me, fine. Quit. If you are a home consumer, disable it. Every other service on your computer is equally vulnerable to unknown, unwritten malware.

  7. Re:Great idea despite the naysayers on Intel's Sandy Bridge Processor Has a Kill Switch · Score: 1

    So you don't have a machine with a built-in SSH port? (Or remote desktop?) What is really harder: building a virus to modify a modern BIOS or executing rm -rf? The point of most malware is not to render the computer useless. It is to use the computer in a botnet or extract valuable information. Now where was that tinfoil hat? Maybe I am missing something obvious.

  8. Re:Great idea despite the naysayers on Intel's Sandy Bridge Processor Has a Kill Switch · Score: 1

    Absolute = LoJack, the parent company. These guys are late to the Big Brother party. Lenovo, Dell, HP all come with SMS activation with no power and GPS tracking support in the BIOS. The icing on this cake is that when I report a machine stolen now, an SMS message goes out, activates GPS, cops go after it, and the processor is disabled, so if the battery does run out, the machine is useless. The comment 2 up: you didn't read my comment. We encrypt our drives. While once in a while a crack comes out for this, it gets patched pretty quick. I'm not concerned. I just read a little more: you have to enable it in the BIOS, it doesn't come on by default. You can also have the full functionality restored.

  9. Great idea despite the naysayers on Intel's Sandy Bridge Processor Has a Kill Switch · Score: 1

    While I wouldn't say it isn't possible for someone to break in and kill your machine, it isn't likely. We have been using Absolute Software's offering and have been able to do remote wipes on laptops for a long time now. Nobody has broken in and wiped out all the computers with this technology. That being said, do you really think the IT department that implements this doesn't have a backup? And that our legal departments wouldn't get fair compensation if said "gotcha" really occurs? I would rather have the ability to disable a phone or PC in any way possible when I need it to happen. For the comment above about just moving the hard drive to another machine... Really? Who goes through the trouble of enabling this, and paying monthly for the service, and just skips the whole drive encryption bit? My vote is go Intel.

  10. Re:Nothing on What To Do About Mobile Devices That Lie · Score: 1

    In my experience, things that have undergone more testing generally tend to have better performance. NIST tests the devices, algorithms, policy, etc. They don't wave a magic wand that makes it more secure or take a payoff to say it is just compliant, as you state. Saying that no security measure is 100% to prove a point is gutless. Of course it isn't, but a security plan with more thought and research is more effective at meeting its goals than none. Have countries outlawed the iPhone because the encryption is too difficult for government agencies to tackle? If it is so easy, why does this happen? Maybe you can link some examples and educate us. I am often wrong and would like some help if this is the case. I find a lot of YouTube videos showing any idiot how to break into any iPhone OS version; where are the videos for BlackBerry? I for one feel more comfortable having grandma's SSN on some doctor's BlackBerry than his iPhone. Judging from your other flamebait comments, I think I am wasting my keystrokes here.

  11. Re:Nothing on What To Do About Mobile Devices That Lie · Score: 1

    I disagree with most of the comments here. In my opinion the solution is to continue to use BlackBerry and ban iPhone, Google and MS phones from uses that require security. The nice folks at NIST regularly test BlackBerry systems and they continue to pass over and over, earning the magic FIPS 140-2 certification. Throwing your arms up and screaming "screw it" indicates you are either joking or having a nervous breakdown and need to step down from your IT post. Layered defenses are effective because no one layer may be completely trusted. You have to make the best decision you can per layer and move on. In this situation it is easy. Continue to use only FIPS 140 approved devices. The encryption, security and central management on BlackBerry is a lot better than the (none) on the other platforms.

  12. Re:Were they.. on Raising a Botnet In Captivity · Score: 2

    At a large university, Windows XP licenses are trivially cheap. I believe at my last job $5. If you tell them you are running an experiment like this, it is even cheaper. People give M$ a bad rap on licensing. A lot of times it is cheaper than Red Hat when you have a number of computers.

  13. In related news, seti@home scores are 10x faster on The Clock Is Ticking On Encryption · Score: 1

    Somehow they took my boring news of Moore's law (my seti@home and PrimeGrid stats are moving 10x faster with my new laptop's GPU) and turned that into: IN THE FUTURE COMPUTERS MIGHT BE REALLY FAST AND MELT YOUR 1960s PASSWORD! It isn't exciting. Quantum computing will come with both encryption and decryption. Nobody cares what it does to your password from 15 years ago.

  14. Re:160 seconds? Windows? Bad example on The Case For Lousy Passwords · Score: 1

    DES on Gawker; here is a link showing you that it wasn't rainbow tables at all. Once again, I'll just say the article above makes no sense. http://www.guardian.co.uk/technology/blog/2010/dec/13/gawker-hacked-password-change

  15. Re:160 seconds? Windows? Bad example on The Case For Lousy Passwords · Score: 1

    It was a DES hash. Which is why comparing to old Windows is dumb. It is an old Linux server compared to an old Windows table lookup. If you look at the list of passwords that were found, they are all really easily brute forced; I don't think they used a DES rainbow table.

  16. Re:Offline-vs-Online attacks on The Case For Lousy Passwords · Score: 1

    Windows 7 and Windows 2008 do not store passwords in the same format that Windoz 95 and 98 did. You have to go in and manually specify that you want it to do LM or NTLM. Which, I might add, you can also do on any Linux machine. So are Linux passwords weak because you can specify a weak NTLM hash or MD5? Not because anyone in their right mind does? The thing that kills me on the "weak Windows" argument here is that the only reason people usually enable old NTLM on a Windows AD is to get some Mac or open source code to authenticate properly. The problem with trying to prepare for an offline hash attack is that you can't. Well, if you issue users YubiKey or RSA tokens, then you can. But that is a little impractical. I would submit the idea that a strong password is still your best defense. And that the password listed was a poor example in this situation because with a modern Windows or Linux salt, it would take a very long time to get. I don't think anyone has noticed that all the passwords in the hashes referenced have not been found yet. There are references to ALL accounts having been found; they have not at this point in time. Strong passwords in this situation have proven themselves. Also, in most cases, when you have broken into a machine to where you have access to that hash file, the password guessing game is over and moves on to a replaced GINA, keystroke logger, stolen hash etc. All the easy stuff. It comes back to the admin having a strong password and patching on time.

  17. Re:160 seconds? Windows? Bad example on The Case For Lousy Passwords · Score: 2

    A little harder to block, yes, I would agree; however, even a botnet of 1 million computers all active on my pathetic site can only guess 5 million per hour. I would love to see your logs that are a clear show of botnet force. Doesn't happen to my company's webservers. (Knock on wood.) Still a long time until the example password gets cracked. So at the heart of this question: are strong passwords like "Fgpyyih804423" worthless because an old NTLM hash cracker with precalculated tables can hit it in 160 seconds? Absolutely not. The example does not belong in the article.

  18. 160 seconds? Windows? Bad example on The Case For Lousy Passwords · Score: 5, Interesting

    Why on earth are they mentioning how fast rainbow tables can break an old Windows hash? That has nothing to do with most pages running Apache on Linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it, worth their salt? Lololol. Anyhow, why is the Windows example being used in this article at all?

  19. Re:Why? on Can Windows, OS X and Fedora All Work Together? · Score: 1

    Agreed, we implemented secure Gmail at a fraction of the cost of running Exchange. If you compare apples to apples, you need to be running clustered Exchange, multiple DCs etc. Once you add in support staff, hardware, percent of datacenter and all the other costs, Gmail is cheap even with the 10k a year we pay. It has gone down a few times in the last 3.5 years at my company. It has not gone down as often as our redundant Exchange solution at the previous university job. Anonymous is correct about HIPAA/HITECH. I have a feeling the people above just read about it on a blog and have no real-world experience. When one of our doctors sends patient data either in text or as an attachment, we are covered. Postini (Gmail) allows you to create all of the regex rules you want to filter. It will notify and/or block any email containing the PHI you have chosen to filter. Sometimes Slashdot is frustrating because we have so much good knowledge, but people who want to flame jump on and do so. It muddies the waters where a lot of us do this for a job every day and have real experience.