×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

U.S. Gov't To Use Full Disk Encryption On All Computers

timothy posted more than 7 years ago | from the double-secret-probation-rot-13 dept.

Encryption 371

To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers. "On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

371 comments

But why? (2, Funny)

timeOday (582209) | more than 7 years ago | (#17387786)

I mean, if you have nothing to hide, you have nothing to fear, right?

Re:But why? (0)

Anonymous Coward | more than 7 years ago | (#17387808)

I, for one, welcome our new disk-encrypting overlords....

Re:But why? (1)

reset_button (903303) | more than 7 years ago | (#17387890)

I don't think it's about hiding things from the people - it's preventing people from accessing people's private data. Think about the person that works for the IRS that has your tax records on his laptop, or the person that works for the FBI that has information about ongoing criminal investigations. You get the idea.

I hope they end up doing this in hardware. I know people who have worked for companies that required software-based encryption, and turned it off because it was too slow. With hardware, you get less overhead, and the average worker won't be able to turn it off.

Software encryption AND anti-virus apps. (1)

khasim (1285) | more than 7 years ago | (#17388192)

If you want to talk about S L O W.

Every file opened is decrypted, scanned and then viewed.

Re:Software encryption AND anti-virus apps. (1)

reset_button (903303) | more than 7 years ago | (#17388324)

I agree with you, but want to point out that it is not necessary for anti-virus apps to read the entire file on open. Instead, they can keep state on what they have checked in the file so far (and what parts of what signatures have been matched), and check for viruses on read/write operations. I don't know of any real-world apps that do this, but I know of one research project [sunysb.edu].

Re:But why? (3, Insightful)

SatanicPuppy (611928) | more than 7 years ago | (#17387910)

Meh, they try to hide stuff all the time now, and how many things do we find out because someone left it written up on a poorly secured computer? Government "transparency" always depends on people on the inside leaking the information.

On the other hand, they're losing laptops full of veteran's records on a monthly basis. Either they need to take better care of the data, or they need to put tighter controls on who has access to the data.

IT'S ABOUT FREAKING TIME! (3, Insightful)

Crudely_Indecent (739699) | more than 7 years ago | (#17388010)

It's not about having something to hide, it's about protecting the info present within. How many gov't laptops containing personal information of citizens or groups have been stolen in recent history?

Large corporations that deal with private data from their customers should also be required to use full-disk encryption as well. In fact, I recommend some form of encryption for sensitive data to everyone.

Re:But why? (0, Offtopic)

dekropisvol (801636) | more than 7 years ago | (#17388244)

Until your President signs a law for what is common at the moment, it won't be after this and all your activities are monitored till years ago. Nice to have a friend in your cell who want's to have sex with you, only for walking funny before singing the law against funny walks. DON'T WALK FUNNY

Excel? (0)

Anonymous Coward | more than 7 years ago | (#17387822)

Figures they'd have to put the list of vendors in an Excel spreadsheet which I cannot read at the moment.

List as Text (1, Informative)

Anonymous Coward | more than 7 years ago | (#17387978)

Apptis, Inc.
AT&T
AT&T Government Solutions
Betis Group, Inc.
CDWG
CipherOptics Corporation
CREDANT Technologies
David E. Sherrill & Associates
Decru, Inc.
Dell Inc.
Encryption Solutions, Inc.
EWA
General Dynamics
Green Hills
GuardianEdge Technologies
Halliburton Data Security
Harris Corporation
I.D. Rank
immixGroup
infoLock Technologies
Information Security Corporation (ISC)
Ingrian Networks, Inc.
Intelligent Decisions, Inc.
Kanguru Solutions
L-3 Communications
Liquid Machines
Mary Fuller & Associates, LLC
McAfee, Inc.
Meganet Corporation
Merlin International, Inc.
Microsoft Corporation
MITA Group
Mobile Armor
NetApp
Onix Networking Corp.
Plans, Programs & Policy (P3) Consulting LLC.
PointSec Mobile Technologies
Progeny Systems Corporation
Rocky Mountain Ram
SafeNet
SCO
Seagate Technology
SolCent Corporation\
Sprint Nextel
SPYRUS, Inc
Sybase, Inc.
TECHSOFT, Inc
Telos,
Trust Digital,
ViaSat
Vormetric, Inc.
Wave Systems Corp,
Zelinger Associates, Inc.

Eh. (5, Insightful)

SatanicPuppy (611928) | more than 7 years ago | (#17387830)

Well, on the one hand, it's a good idea to encrypt machines that contain sensitive data.

On the other hand, this is just a bandaid on their terrible information policy...The reason that they have to encrypt a zillion machines is because they store sensitive personal data on a zillion machines. Then there are multiple operating systems, levels of security, etc. All this means that compromising one machine will still be pretty easy, because when you have encryption on the crappy desktop in the mailroom where everyone surfs porn, you stop taking it seriously.

They could kill the whole problem by centralizing their data stores, and developing some secure web interfaces across enhanced encryption. That way, instead of trying to encrypt every machine, you could encrypt 50 data centers and control access locally...Hell, if I were the government I'd push all my software needs toward think clients and terminal services anyway...The average user doesn't need more, and that makes all your security problems more managable.

Re:Eh. (1)

Billosaur (927319) | more than 7 years ago | (#17387904)

They could kill the whole problem by centralizing their data stores, and developing some secure web interfaces across enhanced encryption. That way, instead of trying to encrypt every machine, you could encrypt 50 data centers and control access locally...Hell, if I were the government I'd push all my software needs toward think clients and terminal services anyway...The average user doesn't need more, and that makes all your security problems more managable.

Why would government people need to be dragging this stuff home on their laptops anyway? In this era of high bandwidth connections and VPN, why can't the data be accessed from home or via laptop without it existing physically on the hard drive? I mean, when you think about it, they could just print the data out on paper and lose that as easily, but it seems that the idea is to create centralized, secure data stores, not to allow multiple copies of the same data to go floating around. If nothing else, data dropped on a HD may get out of synch with the original data, leading to errors.

Re:Eh. (1)

pizpot (622748) | more than 7 years ago | (#17388018)

Why would government people need to be dragging this stuff home on their laptops anyway?

This is not an IT question but a human one. You may as well ask:

Why would employees export files out of the database and copy them to their laptop rather than deal with the a network database managed by a phone desk IT department. Or, rather than deal with using a mainframe and a dumb terminal in the office and not using a laptop.

Yes they are just avoiding the IT department as much as possible. Haha. Just like in every organization, it needs to be broken up and distributed or something.

Re:Eh. (2, Insightful)

axcessor (1044434) | more than 7 years ago | (#17388084)

While centralization of data storage is a good idea, it would not solve the entire problem. There are still multiple vectors for data leaks including USB drives, CDR, web-based email or forums, or even network transfers. Thin clients were a nice thought but a flash in the pan for the most part. No one has been able to make them practical. Blame the bloated OS's for that one.

Re:Eh. (1)

bbernard (930130) | more than 7 years ago | (#17388106)

"They could kill the whole problem by centralizing their data stores, and developing some secure web interfaces across enhanced encryption."

Belts and Suspenders. Doing both would be even better. Besides, how do you prevent that government worker from saving a local copy? How do they do their work on a plane trip across country? How else do you ensure that the web cache, paging file, or any other place where even temporary data stored on the local hard drive is going to be protected?

This is a great development, and having a body such as the US government doing a trial like this and sharing the results will be a wonderful resource for InfoSec people looking at the same situation. I'd love to see what the rollout plans look like.

Re:Eh. (1)

msobkow (48369) | more than 7 years ago | (#17388412)

It also means that even if physical evidence is seized, the people won't be able to get at the data necessary to prove graft or corruption. :(

The governments wanted a repository of keys, a back door to spy on the population. Turn about is fair play.

Bend over.

File formats (0, Offtopic)

1u3hr (530656) | more than 7 years ago | (#17387834)

Interesting the specifications are supplied in:
DOC
DOC
XLS
DOC
DOC
DOC
PPT
PDF
DOC

So much for open formats.

Re:File formats (0)

Anonymous Coward | more than 7 years ago | (#17387882)

Of course. After all, these formats are more secure, no exploits ever found! Suits US Govt.

Great Business Opportunity (1)

Zeek40 (1017978) | more than 7 years ago | (#17387840)

Time to start a business who's only service is reformatting and reinstalling disk images after federal employees forget their encryption keys/ passwords.

Re:Great Business Opportunity (1)

SRA8 (859587) | more than 7 years ago | (#17387974)

Good luck. You'll have IBM, BeringPoint, Booz and Accenture overbidding you 300% and still winning the contracts.

Don't lose your pass-key (4, Funny)

G27 Radio (78394) | more than 7 years ago | (#17387846)

In order to prevent the loss of pass-keys to these machines (and the resulting loss of important information,) users will be required to keep a copy of the pass-key taped to the bottom of their computers.

Re:Don't lose your pass-key (1)

Capt James McCarthy (860294) | more than 7 years ago | (#17387962)

"In order to prevent the loss of pass-keys to these machines (and the resulting loss of important information,) users will be required to keep a copy of the pass-key taped to the bottom of their computers."

Don't you mean taped to their forehead?

Re:Don't lose your pass-key (5, Informative)

Frosty Piss (770223) | more than 7 years ago | (#17388318)

In order to prevent the loss of pass-keys to these machines (and the resulting loss of important information,) users will be required to keep a copy of the pass-key taped to the bottom of their computers.

The Air Force currently requires ( in addition to the use of a "Smart Card" plugged into the machine to gain access ) a 15 char password consisting of 3 caps, 3 lower, 3 numbers, and 3 special char ( the rest is up to the user ), no proper names, dictionary words, more than 3 letters or numbers in sequence ( back or forward ), must not be the same or simular to your last 25 passwords, and you must change it every 90 days.

The net result is that most people are writing it down and storing it in some easy to access place. Previously, we had an 8 char pass that required 2 caps, 2 lower, 2 special, 2 numbers... It was short enough that you could actually remember it.

PS... (3, Interesting)

Frosty Piss (770223) | more than 7 years ago | (#17388348)

I'm sorry, I should have said, this is in AMC ( Air Mobility Command ) within the AIr Force. The rest of the Air Force may be the same, but I don't know that.

Re:Don't lose your pass-key (1)

sgt.greywar (1039430) | more than 7 years ago | (#17388448)

The Army is adopting the 15 character password policy as well. Additionally most systms are now auto-generating these passwords instead of allowing the user to create them. This means that for people with multiple accounts they have totally dissimilar 15 character passwords to "remember" and by remember I mean either write down in easy to grab notebooks, or composing emails to themselves listing all their passwords in them. Moronic.

Re:Don't lose your pass-key (1)

MasterC (70492) | more than 7 years ago | (#17388380)

...users will be required to keep a copy of the pass-key taped to the bottom of their computers.
I know you are kidding, but the truth isn't that far off. Someone I know's mother (names, exact relationship to me, and organization intentionally withheld) works for the government. The laptop had a BIOS password, which was written on a slip of paper in the laptop case. Her password for the account involved *only* the current month and year. And this was acceptable per policy as of a few months ago.

If I can't trust the government to keep information secret, then why should I trust them to do anything?

Will this impact private firms as well? (1)

Scothoser (523461) | more than 7 years ago | (#17387850)

This is great news, and something that I wish a lot of companies would implement as well. What's really interesting is the comparison. I'm looking forward to the results, and see which vendor is chosen.

Of course, this brings up another question: Just how much is this going to cost the taxpayer? Granted, it should be spent regardless as government information about private citizens (i.e., social security numbers) should be protected at all costs, but if the final cost structure is less than many companies estimate, it could mean an implementation of this same scale across the business world. Imagine, no more calls or letters from your bank/credit union that your financial information and social security number has been stolen.

Re:Will this impact private firms as well? (2, Insightful)

Qzukk (229616) | more than 7 years ago | (#17388122)

Granted, it should be spent regardless as government information about private citizens (i.e., social security numbers) should be protected at all costs

Well, this should be fully analyzed to see whether it's actually going to protect anything, or whether it's just "Something must be done! This is something my brother who runs this one company told me about, therefore we must do it!" For instance, laptops are involved in the majority of data loss cases. If someone suspends a laptop and sets it down somewhere, will the OS purge the key from memory so that when Evil Dude picks it up he can't simply resume with full access to the drive? What about cases where people close the lid thinking the laptop will automatically hibernate, but for whatever reason it doesn't?

Here's a thought for you: how much would it cost me to get the government to quit putting sensitive information on so many laptops?

List of vendors (0)

Anonymous Coward | more than 7 years ago | (#17387854)

Vendor POC Title POC Email Phone Number Mobile Website

Apptis, Inc. Bill Daus Sr. Manager, Business Development william.daus@apptis.com 703-272-7489 www.apptis.com
Apptis, Inc. Vic Jevsevar Business Development victor.jevsevar@apptis.com 239-283-1840
AT&T Kathy A. Ball Program Manager kball@att.com 443-259-8100
AT&T Government Solutions John C. Nagengast Director, Business Development nagengast@att.com 443-259-8366
Betis Group, Inc. Ron Hietala Director of Contracts RHietala@betis.com 703-532-2008
CDW•G Will Dolan Proposal Manager willdol@cdwg.com 703-262-8077
CipherOptics Corporation Jim Drain Federal Sales Director jim.drain@cipheroptics.com 703-547-7022
CipherOptics Corporation Mike Rose Federal Business Development Manager mike.rose@cipheroptics.com 301-432-0444
CREDANT Technologies Peter Morrison Dir Federal Operations pmorrison@Credant.com 703-282-6622
CREDANT Technologies Eric Hay Sr. Systems Engineer ehay@credant.com 703-517-0290
CREDANT Technologies Don Moran Account Executive dmoran@credant.com 703-969-7562
CREDANT Technologies Diane Pearson Sr Acct Exec dpearson@Credant.com 703-754-3778
David E. Sherrill & Associates David E. Sherrill President vsys2@comcast.net 703-481-4745 703-403-8582
Decru, Inc. Bill Harrison Account Executive, USAF billh@decru.com 703-499-6273 703-499-6273
Dell Inc. Joe Ayers Area Vice President joe_ayers@dell.com 703-622-3316
Encryption Solutions, Inc. Robert Cabanya Executive Director rcabanya@hotmail.com 484 824-1395 703 394-2362
Encryption Solutions, Inc. Kathy Powell Consultant KPowellConsults@aol.com 703-283-1175
EWA Chris Wickman Program mgr/Senior Analyst cwickman@ewa.com 571-283-5659
General Dynamics Julian Bubrouski Director of Engineering Julian.Bubrouski@gdc4s.com 781-455-3111
General Dynamics Deborah Cremin Business Development Manager Debbie.Cremin@gdc4s.com 781-455-5411
General Dynamics Ken Heist Business Development Manager ken.heist@gdc4s.com 410-487-0200
Green Hills John Warther Director of Government Programs john.warther@ghs.com 443-340-7881 443-340-7881
GuardianEdge Technologies Ray Ciesinski DOD Account Manager rayc@guardianedge.com 703-346-8777
GuardianEdge Technologies Andrew Oliver Senior Engineer aoliver@guardianedge.com 207-671-1127
GuardianEdge Technologies Dave Barrish Director, Channel Sales dbarrish@guardianedge.com 410-409-5839
GuardianEdge Technologies Bob McLernon Vice President rmclernon@guardianedge.com 240-818-8172
Harris Corporation Rick Blankenship Major Account Manager rblank02@harris.com 703-739-1932 703-303-0678
I.D. Rank Scott Cary Marketing Manager Scott@MTGC-Inc.us 877-566-2274
immixGroup Steve Limbert Senior Account Manager steve_limbert@immixgroup.com 703-752-0657 703-862-5194
immixGroup Steven Charles Co-Founder & EVP steve_charles@immixgroup.com 703-752-0630 301-332-0797
immixGroup Brian Begley Senior Account Manager brian_begley@immixgroup.com 703-752-0637 703-869-7201
infoLock Technologies Sean Steele CEO ssteele@infolocktech.com 703-310-6478
infoLock Technologies Chris Wargo President cwargo@infolocktech.com 703-310-7408
Information Security Corporation (ISC) Andy McDermott Vice President, Sales amcdermott@infoseccorp.com 585-370-3831
Information Security Corporation (ISC) Mike Markowitz Vice President, Technology markowitz@infoseccorp.com 708-445-1704
Ingrian Networks, Inc. Matt Fierce Federal Acct Manager mfierce@ingrian.com 703-597-2111
Ingrian Networks, Inc. Paul Earsy Distributed Encryption Specialist earsy@ingrian.com 508-308-3695
Ingrian Networks, Inc. Wayne Pambrun Director, Federal wpambrun@ingrian.com 703-655-4649
Intelligent Decisions, Inc. Gino Antonelli Executive Vice President gantonelli@intelligent.net 703-554-1610 703-203-5067
Intelligent Decisions, Inc. Harry Martin President hmartin@intelligent.net 703-554-1777 703-623-6758
Intelligent Decisions, Inc. Roy Stephan Dir of Cyber Security rstephan@intelligent.net 703-868-4534
Intelligent Decisions, Inc. Beth McCall Director, Federal Sales bmccall@intelligent.net 800-929-8331 703-473-0427
Intelligent Decisions, Inc. Feroze Ahmed Business Development fahmed@intelligent.net 703-554-1627
Kanguru Solutions Kevin Landt Marketing Development Manager kevinl@kanguru.com 508-376-4245
L-3 Communications Oriano Radolovic Technical Director Oriano.Radolovic@L-3Com.com 856-338-5646
L-3 Communications Dave Kelly Manager of Business Development David.Kelly@L-3Com.com 856-338-4940
Liquid Machines Chris Garner Manager, Defense & Intel cgarner@liquidmachines.com 301-257-9195
Liquid Machines Keith Johnson VP, Public Sector kjohnson@liquidmachines.com 703-615-3271
Liquid Machines Ari Miller Technical Engineer amiller@liquidmachines.com 443-270-4286
Mary Fuller & Associates, LLC Mary Fuller President maryfuller@cox.net 703-266-5983 703-819-3139
McAfee, Inc. Joe Budway Account Manager jbudway@mcafee.com 703-885-4835 703-927-4271
Meganet Corporation Laura Callahan CTO rd.ll.callahan@att.net 800634-2638 www.meganet.com
Merlin International, Inc. Linda Baldwin Director lbaldwin@merlin-intl.com 703-752-5484 703-795-4112
Merlin International, Inc. Suzanne Trevisan Business Development Manager strevisan@merlin-intl.com 703-752-5478 571-332-7180
Merlin International, Inc. Don Tiaga USAF Business Development dtiaga@merlin-intl.com 703-752-8369 571-236-1111
Microsoft Corporation Tim Dioquino Enterprise Architect timdio@microsoft.com 703-628-4754
Microsoft Corporation Ed Leary Windows Client TS (Vista) edleary@microsoft.com 410-978-4633 410-978-4633
MITA Group David Dzergoski Principal dzergoski@mitagroup.com 410-206-9078
Mobile Armor Chand Vyas Chairman and CEO chand@mobilearmor.com 636-449-0239
Mobile Armor Bryan Glancey Chief Technology Officer bryan@mobilearmor.com 636-449-0239
Mobile Armor Keith Fuentes Vice President, Sales Keith@mobilearmor.com 636-449-0239
Mobile Armor Lori Davis Government Sales Manager ldavis@mobilearmor.com 703-626-8481
Mobile Armor Rick Macchio System Engineer Rick@mobilearmor.com 301-805-4926
NetApp Dave Farling Global Enterprise Manager, AF Farling@netapp.com 703-918-7313 571.276.0295 http://www.netapp.com/
NetApp Burke Wilford Account Manager wilford@netapp.com 703-918-7348
NetApp Michael Walsh Sales Mwalsh@netapp.com 703-627-9200
NetApp Richard Siegismund USAF Programs Manager RichS@netapp.com 703-918-7363 703-754-9003
NetApp Scott Susi Account Manager susi@netapp.com 703-918-7339
Onix Networking Corp. Dal VanDervort Federal Government Group dal@onixnet.com 440.871.0295 www.onixnet.com
Plans, Programs & Policy (P3) Consulting LLC. Will Marsh Partner Will.marsh@p3consultingllc.com 703-560-8051 703-862-9123
PointSec Mobile Technologies David Steinman DoD Account Manager david.steinman@pointsec.com 703-328-5502 http://www.pointsec.com/
PointSec Mobile Technologies Eric Beasley Product Manager eric.beasley@pointsec.com 708-224 7724
PointSec Mobile Technologies Mikel M Draghici Federal Engineer Manager mikel.draghici@pointsec.com 301-869-4411
Progeny Systems Corporation Marsden Davis Director mdavis@progeny.net 703-368-6107
Rocky Mountain Ram Marty DiSanto Northeast Manager mdisanto@ram-it.com 800-363-6880
Rocky Mountain Ram Lisa Schaeffer CEO/Owner lisa@ram-it.com 800-543-0932
SafeNet John Raymer VP, Government Solutions trussell@safenet-inc.com 703.647.8405 443.794.5723
SafeNet Davin Baker System Engineer dbaker@safenet-inc.com 443-327-1488
SafeNet Brian Price System Engineer bprice@safenet-inc.com 443-327-1310
SafeNet Tim Russell VP Government Solutions trussell@safenet-inc.com 703-647-8405
SafeNet Deepak Kanwar Director dkanwar@safenet-inc.com 443 327 1561
Seagate Technology Dr. Michael Willett Senior Director: Security Research michael.willett@seagate.com 919-848-4448 412-225-1512
SolCent Corporation Michael W. Rankin Chief Executive Officer michael.rankin@solcent.com 703-599-1535 www.solcent.com
SolCent Corporation Ximena Velasquez Executive Vice President ximena.velasquez@solcent.com 240-462-7940
Sprint Nextel John Tigani Solution Engineer John.A.Tigani@sprint.com 703-689-7560 703-862-1079
SPYRUS, Inc Rich Skibo Director, Business Development rskibo@spyrus.com 732-329-6006
SPYRUS, Inc Jay Hoffmeier Technical Director jhoffmeier@spyrus.com 703-250-7753
Sybase, Inc. Brian Jenkins Strategic Account Executive - DoD brian.jenkins@sybase.com 301-896-1001 202-372-7112
Sybase, Inc. Paul A. Horan Principal Systems Consultant paul.horan@sybase.com 301-896-1080 716-863-7938
TECHSOFT, Inc Robert G. David Vice President of Operations rgdavid@techsoft.com 850-469-0086
Telos Mark Proefrock Account Executive mark.proefrock@telos.com 703-724-3797
Telos David Tong Account Executive david.tong@telos.com 703-724-3603 571-426-6411
Trust Digital Jean Wang Director - DoD jwang@trustdigital.com 919-609-8857 http://www.trustdigital.com/
Trust Digital Sharon Payne Director - Business Development spayne@trustdigital.com 703-966-6199 http://www.trustdigital.com/
ViaSat Carl N. Hansen Program Manager Carl.Hansen@ViaSat.com 410-689-4706 813-220-2376
Vormetric, Inc. Joe Faxlanger Director, Federal Group jfaxlanger@vormetric.com 703-627-0711
Wave Systems Corp Steven K. Sprague President/CEO ssprague@wavesys.com 413-243-7011 www.wave.com
Wave Systems Corp Ronald Oxley Dir., Govt. Contracts roxley@wavesys.com 703-628-5008
Wave Systems Corp Martin Wargon Vice President Business Development mwargon@wavesys.com 561-752-4464
Zelinger Associates, Inc. Mark Zelinger President mzelinger@zassociates.net 703-891-2430 703-408-4209 www.zassociates.net

Damn the Spam! (0)

Anonymous Coward | more than 7 years ago | (#17388008)

I guess all of those e-mail addresses were public anyway.

Maybe they should have encrypted the list for protection. Encryption solves everything after all.

Re:Damn the Spam! (1)

jimstapleton (999106) | more than 7 years ago | (#17388390)

I still feel sorry for them? How many calls are they gonna get from slashdotters complaing that the files are not in an open format?

I know the people who's numbers are listed aren't responsible, but you can be sure there will be a number who act first, think later.

Why Full-Disk?? (1)

EccentricAnomaly (451326) | more than 7 years ago | (#17387856)

Why full disk encryption and not just the home directory?? Maybe things are so mixed up on Windows that you need full disk, but on OS X, Linux, and other Unixes it should be sufficient to encrypt only the home directory of users.

Are they just concentrating on a Windows-only solution that will lock out OS X and Linux??

As a government employee, I know there are a lot of people where I work who want to keep their Macs.

Re:Why Full-Disk?? (2, Informative)

oohshiny (998054) | more than 7 years ago | (#17387922)

Why full disk encryption and not just the home directory??

Because software frequently puts sensitive data in files outside your home directory.

Are they just concentrating on a Windows-only solution that will lock out OS X and Linux??

Linux supports full disk encryption. If OS X doesn't, well, it should, since home-directory-only encryption is not particularly secure.

But if users don't run as Administrators (1)

EccentricAnomaly (451326) | more than 7 years ago | (#17388022)

Because software frequently puts sensitive data in files outside your home directory.

If users don't run as administrators this can't happen. And I don't know of any Linux app that puts stuff outside home... and only a few Macs app do (and none should)

Re:But if users don't run as Administrators (0)

Anonymous Coward | more than 7 years ago | (#17388170)

Ever heard of /tmp?

Re:But if users don't run as Administrators (1)

BunnyClaws (753889) | more than 7 years ago | (#17388202)

Swap, data is passed through swap and not just admins will push sensitive information through it.

Re:But if users don't run as Administrators (1)

DrScotsman (857078) | more than 7 years ago | (#17388248)

And I don't know of any Linux app that puts stuff outside home...

So I take it everything in your /tmp directory is owned by root, yeah?

Re:Why Full-Disk?? (1)

Splab (574204) | more than 7 years ago | (#17388322)

Because software frequently puts sensitive data in files outside your home directory.


Never mind the software, what about the users? I work for a small organization, and users drop sensitive information all over their drives, depending on when they started working with computers and what kind of habits they acquired, Documents and settings is a fairly new concept.

Re:Why Full-Disk?? (2, Insightful)

RHIC (640535) | more than 7 years ago | (#17387948)

What about page files/swap space, application generated temporary files etc. There are plenty of places that potentially sensitive information could leak into on just about any OS.

But wouldn't full disk be easier to crack?? (1)

EccentricAnomaly (451326) | more than 7 years ago | (#17388250)

But can't you only encrypt directories where the user has write permission and leave the system files alone? If you are encrypting system files (that everyone has access to un-encrypted versions of) doesn't that make the encryption much easier to break.

Re:Why Full-Disk?? (0)

Anonymous Coward | more than 7 years ago | (#17387956)

RTFA. The DoD wants support for flavors of Windows, Mac OS, Symbian, RIM & Linux.

Why not only home directories? - Because data can make its way anywhere. Better be safe than sorry.

Re:Why Full-Disk?? (1)

BunnyClaws (753889) | more than 7 years ago | (#17387988)

From the requirements listed it doesn't appear this is just for Windows systems. I would also disagree with just encrypting home directory of your users on Linux systems. If you are going to go with a software encryption on Linux you need to encrypt more than just the home directory.
That being said software encryption is just weak and doesn't even compare to FDE.

Re:Why Full-Disk?? (2, Informative)

spellraiser (764337) | more than 7 years ago | (#17387998)

Are they just concentrating on a Windows-only solution that will lock out OS X and Linux??

From the requirements:

SUPPORTED OPERATING SYSTEM, HARDWARE, FIRMWARE (NOTE: Vendors must support one or more of the following operating systems and it is important if you support multiple)

Microsoft Windows 2000
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows Vista
Sun Open Solaris
Mac OS X
Windows Mobile 5.0
Windows CE
RIM/Blackberry
Palm
Symbian
Linux to include Red Hat, SuSE

Truth be told, this doesn't really say that much ... 'It is important if you support multiple' - what does that mean?

Re:Why Full-Disk?? (0)

Anonymous Coward | more than 7 years ago | (#17388178)

'It is important if you support multiple' - what does that mean?
They mean multiple OS support is the same as an 'I' in column two, i.e.

IMPORTANT (I) - the capability is important so additional points will be assigned for products providing these capabilities

Re:Why Full-Disk?? (1)

GodInHell (258915) | more than 7 years ago | (#17388150)

Why full disk encryption and not just the home directory?? Maybe things are so mixed up on Windows that you need full disk, but on OS X, Linux, and other Unixes it should be sufficient to encrypt only the home directory of users.
Sure, until some idiot user notices that placing his files in root makes them load marginally faster.. or on a share.. or in a memory dongel.. or in his e-mail.. stupid users... they ruin everything.

Seriously though, the less tech-saavy employees can be counted on to screw up through ignorance, and the tech-saavy will work around it because "they've got a good reason." People don't follow rules that aren't enforced - and on a PC that means all or nothing.

-GiH

Still think it's a pretty silly solution, but I can understand why it might appeal.

Re:Why Full-Disk?? (1)

jasonmicron (807603) | more than 7 years ago | (#17388162)

I seriously hope you were just trying to troll a little bit with that question.

Not everyone saves everything only in their home directories.

Re:Why Full-Disk?? (1)

Blakey Rat (99501) | more than 7 years ago | (#17388234)

The requirements call for multi-OS support. Also, there's virtual memory swap... it's not in the /home folder, (or \Documents And Settings or /Users) and it can quite easily contain sensitive information.

Re:Why Full-Disk?? (1)

wonkavader (605434) | more than 7 years ago | (#17388286)

Ok, on one hand, Yeah! WINDOWS SUCKS!

Ok, now that we have that out of our system, let's look at this logically.

The goverment is not planning on upgrading all their computers in order to do this. Neither are they planning to do some much, much harder: to verify that all the installed software is configured in such a way that it dosn't store information outside of the encrypted space, nor nail down systems so that their people cannot add software.

Yes, that would be much easier on Linux or OSX (or any just about any operating system) than on Windows. But it would be much, MUCH more labor intensive than their proposed solution no matter what OS they used.

What they're doing is a classic bad management decision which in a practical world is not an avoidable one. They're not spending the 40 hours per PC they need to now (utterly arbitraty number -- who really knows?) to change OS and apps, but spending an hour or less to do something which will slow down productivity (and increase data loss through hardware/user failure) for the life of the machine/employee.

What I'd like to see is a phase two of this project. Phase one, cripple everyone's machine so it's slow, but secure. Phase two, offer a program where you get a secured, fast laptop, where only one part is encrypted, but you can't boot it from anything but its one internal HD, can't single-user it, etc. can't add your own software, it phones home when it can to do centralized incremental backups of that secure area, patches, etc.

The second phase is harder and hits productivity more in the short term, but it makes a path where the machines and users get modernized, IT costs go way down, and in order to escape the sluggishness of the phase one change, some users will actually want this phase two solution. User buy in is the real key to such changes. If you don't get them to volunteer, they'll deliberately sabotage the project.

This whole thing is not a bad decision. Yet. If they install this on 486s and the machines turn into molassas, and they blunder forward on policy, such that workable machines become unworkable, and they don't upgrade them, such that people don't have computers, anymore, really... THEN, this will be a very bad decision.

Re:Why Full-Disk?? (0)

Anonymous Coward | more than 7 years ago | (#17388436)

This is not a management decision, it is a technical decision, at least for the security-minded. While it may have come from the big boss, a lot of us have been pushing this for some time. FDE is the only proper way to go here, and it isn't as slow as you think. I'm running it now on a 4+ year old laptop. I just hope we pick a decent system, some of the FDE products are very lacking or add useless features (single sign-on, easy password recovery).

Re:Why Full-Disk?? (1)

throx (42621) | more than 7 years ago | (#17388416)

Why full disk encryption and not just the home directory?? Maybe things are so mixed up on Windows that you need full disk, but on OS X, Linux, and other Unixes it should be sufficient to encrypt only the home directory of users.


Yes, Windows is rather mixed up but *nix puts sensitive data outside the home directories all the time. Take the following examples:

  • /var/log has dozens of email addresses, all sorts of handy info on networking connections etc.
  • Databases can exist pretty much anywhere, though usually in /var. These are where the real data leaks happen anyway, not in ~.
  • Consider a laptop that you just have access to for long enough to install a rootkit (using a boot cd)?


There's lots of good arguments for full disk encryption. The downsides are:

i) Key management and authentication. A USB dongle that you can lose along with the laptop, or a password policy that encourages people to tape post-its to their machines defeats any advantage.
ii) Retrofitting. Full disk encryption really requires BIOS level support in the true sense of the word.

Excel?!? Bah! (0)

Anonymous Coward | more than 7 years ago | (#17387858)

The list of competetors:
Apptis, Inc.
AT&T
AT&T Government Solutions
Betis Group, Inc.
CDWG
CipherOptics Corporation
CREDANT Technologies
David E. Sherrill & Associates
Decru, Inc.
Dell Inc.
Encryption Solutions, Inc.
EWA
General Dynamics
Green Hills
GuardianEdge Technologies
Harris Corporation
I.D. Rank
immixGroup
infoLock Technologies
Information Security Corporation (ISC)
Intelligent Decisions, Inc.
Kanguru Solutions
L-3 Communications
Liquid Machines
Mary Fuller & Associates, LLC
McAfee, Inc.
Meganet Corporation
Merlin International, Inc.
Microsoft Corporation
MITA Group
Mobile Armor
NetApp
Onix Networking Corp.
Plans, Programs & Policy (P3) Consulting LLC.
PointSec Mobile Technologies
Progeny Systems Corporation
Rocky Mountain Ram
SafeNet
Seagate Technology
SolCent Corporation
Sprint Nextel
SPYRUS, Inc
Sybase, Inc.
TECHSOFT, Inc
Telos
Trust Digital
ViaSat
Vormetric, Inc.
Wave Systems Corp
Zelinger Associates, Inc.

A couple points (1)

HBI (604924) | more than 7 years ago | (#17387860)

1. It's only a recommendation. Read it carefully.

2. DoD was already doing something with this but in its normal -very slow- manner. I don't expect it to be fully implemented for a couple years yet.

Shotgun (0)

Anonymous Coward | more than 7 years ago | (#17387862)

To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers.

Typical shotgun approach.

In the FAA each technician uses a laptop to document maintenance. In a addition, there may be a few terminal applications to communicate with equipment. Nothing secret or sensitive in there. A dual key password system is already in-place to upload logs to the central database, which is only accessible via the agency intranet anyway.

Believe me, these machines are already performance slaggards even without full-disk encryption.

Re:Shotgun (1)

SatanicPuppy (611928) | more than 7 years ago | (#17387976)

I was thinking about that. Every time I've had to do government work, I've been surprised at how many obsolescent pos's I see lying around in their data centers.

Are they going to push a hardware/software upgrade to get everything to a level where it can even run this stuff? Seems like a total waste. They need to virtualize, and they need to move things off local machines.

I predict (1)

yagu (721525) | more than 7 years ago | (#17387872)

I predict the government will lose more data this way than when storing data unencrypted. And, when they lose it this way, they won't be able to get it back. At least when they lose a stolen laptop and get it back, they usually still get their data.

And, stealing laptops isn't how people are trying to steal data from the government... stealing laptops is how people are trying to steal laptops. Those going after government data have better ways to approach it than stealing laptops.

So, when the government starts losing keys, and not finding anyone with the master key, we the people lose data. Hope it's not too important.

OTOH, the list of requirements is interesting... but, I remember the day of artificially created drives to save space on what used to be the precious commodity of hard drive storage. Can't remember the name of the product but it basically created a large blob on your drive and managed it transparently and compressed data into that blob. Of course that was fine until the first minor corruption.

Wouldn't it seem encryption is similar? It's hard enough to maintain perfect integrity with unperturbed data, what extra risk to failure does encryption introduce? There are so many points of potential corruption and failure: improper use (procedural); software bug introducing corruption; loss of keys resulting in lockout from data; incompatibilities with patches (regression testing for that is nice, but can't be perfect).

I'm not sure this is something the government can pull off.

Re:I predict (1)

SQL Error (16383) | more than 7 years ago | (#17388086)

I predict the government will lose more data this way than when storing data unencrypted. And, when they lose it this way, they won't be able to get it back. At least when they lose a stolen laptop and get it back, they usually still get their data.
The data isn't supposed to be on the laptops in the first place.

Re:I predict (1)

jofny (540291) | more than 7 years ago | (#17388212)

And, when they lose it this way, they won't be able to get it back.
Yeah, but no one else will get it either. Fail Closed vs Fail Open.

Those going after government data have better ways to approach it than stealing laptops.
This is true, but why open yourself up to dumb mistakes as well as targeted attacks? If you can just grab unencrypted data, why bother using something more complex to get it? Limit exposure. Besides, public opinion and CNN are huge drivers for the government, whether Slashdot (the plural) realizes it or not. If someone loses an unencrypted laptop and it makes the news, the media and people bemoan the lack of security...whether the losses are a real actual threat or not. If the data is encrypted, the government can at least focus on real threats instead of having to contend with (and be distracted by) uninformed public outcries as well.

Re:I predict (1)

Splab (574204) | more than 7 years ago | (#17388458)

Users should never ever have sensitive information on their laptop unless it's encrypted. And important data should NEVER EVER! only exist in one place. So if the laptop is lost with encrypted data, you lost a laptop, easy to replace and you just reload the information. If you on the other hand lose a laptop with unencrypted sensitive information you got all sorts of bad problems, ranging from stolen ID to blackmail and espionage.

Not only should they be able to pull it off, someone should be fired for not having this in place already.

Key Escrow is a requirement (1)

dilute (74234) | more than 7 years ago | (#17387900)

Note that in the requirements doc, one of the requirements is:

"Capable of secure escrow and recovery of the symetric [sic] encryption key"

Re:Key Escrow is a requirement (1)

meringuoid (568297) | more than 7 years ago | (#17387954)

Note that in the requirements doc, one of the requirements is: "Capable of secure escrow and recovery of the symetric [sic] encryption key"

Obviously. What they want is:

1) Halfwit employee loses laptop. Finder cannot recover data.

2) Halfwit employee forgets password. Government can recover data.

This is a no brainer!!! Try these: (0)

Anonymous Coward | more than 7 years ago | (#17387914)

I've been doing it for years on my deskie and lappy. I mean, why wouldn't you?
You can travel or leave your Pc on without the worry of script kiddies on a borrowed trojan cavalry:

Here's a freeware package working under Linux and Windows.
I've been using them both for years. Never lost an bit of data:
Command line, but easy anyway:

http://www.scherrer.cc/crypt/ [scherrer.cc]

Also PGP has encrypted volumes with a nice GUI, though not sure if it's still free.
They yanked it a few years ago which is why I went to ccrypt.

Have been a few others I've looked at, but the above cover the field nicely.

Sid by side competition? (4, Funny)

MrTester (860336) | more than 7 years ago | (#17387924)

Let me guess. The contract goes too....

Halliburtons new encryption subsidary.

Founded in 2006 by some guy who read a book on encryption.

Re:Sid by side competition? (-1, Troll)

Zontar_Thing_From_Ve (949321) | more than 7 years ago | (#17388222)

Let me guess. The contract goes too....

Halliburtons new encryption subsidary.


Halliburton Data Security is unfortunately among the companies competing for this contract.

It's to not too . To is a preposition. Too means "also".

You didn't pay attention in class when they went over possessives, did you? That "s" at the end of Halliburtons is supposed to be 's. At least you don't (apparently) think that all English plurals are made by sticking 's at the end.

You might also want to stick an "e" at the end of "Sid" in your title.

Please oh please tell me that English is not your native language or at least that you didn't go to school in the USA. I don't think you need to worry about encryption, dude. You've pretty much got that covered naturally by the way you spell and use grammar.

Re:Mod Parent Insightful (1)

mpapet (761907) | more than 7 years ago | (#17388292)

Not so much that Halliburon will get it, probably not.

But there's only a couple of IT contractors who handle stuff like this. And the way this works is the government wonks may select a product, but it's the IT project management firm that gets the contract to implement and this is where it starts going awry.

-The backroom politics is fierce and has nothing to do with public service. This is a good game of influence peddling where deep pockets wins. See the story last month where the details of Microsoft's dealings with Massachusets (sp?) after ODF was killed were dissected.
-Layers upon layers of management.
-Actual product vendor is squeezed for every last cent while the IT project managers get to bill time for squeezing their vendor.
-Implementation (if it ever gets that far) is handled by another firm with no interaction with the software vendor. And the IT project manager gets to squeeze the implementers and bill those hours as well.

This, ladies and gentlement is how even implementing a pilot project costs millions and never sees the light of day.

Hey, Government! (4, Funny)

Rob T Firefly (844560) | more than 7 years ago | (#17387960)

You've got to check out my hot new encryption scheme, I call it Rotational Oscillating Telecode no. 13. [wikipedia.org] Fill your tubes with this stuff and I personally guarantee it foolproof against criminals and terrorists and journalists in every single test performed in my personal data-protection laboratory (my basement) with highly alert and cunning test subjects (my cats.)

Bidding starts at $47 Million.

Re:Hey, Government! (1)

cain (14472) | more than 7 years ago | (#17388242)

ObReply:

Mine, ROT 26, is twice as secure and I'll charge you only half as much.

What for? (1)

Opportunist (166417) | more than 7 years ago | (#17387990)

As long as any corp or fed agency with any threadbare reason can have access to the data, why bother encrpyting it?

Oh, right, so the peasants won't... Ok, I'll shut up now, I got it.

Oh my (0, Offtopic)

ewhenn (647989) | more than 7 years ago | (#17388000)

In an unpredictable move the Bush administration has awarded the contract to.... Halliburton.

Gee, I wonder Who Will Get It ? (0, Flamebait)

el cisne (135112) | more than 7 years ago | (#17388028)

My Sense May Seem MoStly MiStaken, but no MyStery outcoMeS ManifeSt theMSelves.

Re:Gee, I wonder Who Will Get It ? (1)

cain (14472) | more than 7 years ago | (#17388120)

I think you may be MStaken. Halliburton is on the list.

Four easy steps (0)

VP (32928) | more than 7 years ago | (#17388036)

1. Make VMWare Player work on OpenBSD
2. Install OpenBSD on all government desktops and laptops.
3. Users who need a different OS, get an image of it, and run it with VMWare Player.
4. Profit!

No middle ground (1)

GodInHell (258915) | more than 7 years ago | (#17388070)

This has that sick feeling of a joke a tech threw out on the table to show a beurocrat that he was being stupid - only to have the beaurocrat say "we can do that!"


Still, I wish them well with their (even yet slower) technology.

-GiH

Nice. Proprietary documents (0)

Anonymous Coward | more than 7 years ago | (#17388080)

Publishing the contract information on Microsoft's proprietary document format? It goes to show how serious and knowledgeable those folks are. Incompetence..

NOT US Government (1, Informative)

Anonymous Coward | more than 7 years ago | (#17388118)

Go to http://www.fbo.gov/ [fbo.gov] and search for FA877107R0001

US Air Force

Agency: Department of the Air Force
Office: Air Force Materiel Command
Location: ESC - Electronic Systems Center

Doomed to software failures... (1)

mcdtracy (180768) | more than 7 years ago | (#17388152)

There have been several major computer projects that started as Government mandates.
Few have produced significant results...

Introducing encryption between the kernel and the hardware disk subsystem is bound to create
unexpected and unintended problems with applications. It's doable but the matrix of testing required
and the feedback loop with developers/vendors would have to be strong and immediate.

Can you imagine trying to debug an application that interoperates with an encrypted file system and
the encryption techniques are a secret...

It's going to be a mess but most government driven IT projects are nightmares anyway. Of course, no one
close to the project will be able to disclose any details. So, tech novelists need to start creating
plausible scenarios right away. "Wargames III - the day the laptops froze" : PLOT: the US Government believes their
portable computers have been hacked... in the end they determine it was a encryption software bug that
surfaced once every N years. (N to be determined by the potential funding for Wargames IV).

I'm going to see if I can get some encrypted business cards. Data needs protection... from use.

Re:Doomed to software failures... (5, Funny)

meringuoid (568297) | more than 7 years ago | (#17388260)

There have been several major computer projects that started as Government mandates. Few have produced significant results...

That reminds me, whatever became of that ARPANET thing they were all talking about way back?

I wonder if it's really "all computers" (1)

Phat_Tony (661117) | more than 7 years ago | (#17388194)

I wonder if they're really buying a single solution to use on ALL their computers- I mean, I wonder how the NSA would feel about that. I have the feeling that they feel they're secure enough already and aren't going to weaken their security using some off-the-shelf product instead of whatever they're using now. I wonder if this will pass quietly, or if anyone will try to force this prescribed method of security on them.

In general, this is another piece of typical monolithic bureaucracy command and control. Something the size of the federal government would probably be better off NOT going with a single mandated vendor. Just mandate the security policy- all government computers must have fully encrypted hard drives- along with sufficient stipulations to define what that means and how it works. Let branches find their own solution providers. If they want economies of scale, they're free to band together to research and purchase solutions. Or they can do it by branch, or a branch can just set the requirements and let each of their departments work it out. But let them try something different if they want to.

It maintains more competition in the marketplace. If some department is unhappy, they can switch without trying to get the entire federal government to switch. If a department's unhappy, the ask other departments about their providers and implementations. Get some freedom, variation, and competition into the process. Also, one crack wouldn't simultaneously render all government computers vulnerable.

Just hurry up (1)

alta (1263) | more than 7 years ago | (#17388218)

This is something I would like to do for all of my mobile users, and I prefer something that will work on older hardware like 3 years old, still a P4 laptop...

I'm sure what's good enough for them will be good enough for me. I like the 'no vendor back door' requirements... that should keep out MS.

Looks like they missed.. (0)

Anonymous Coward | more than 7 years ago | (#17388282)

.. SecurStar's DriveCrypt Plus Pack, which is a little surprising. However, as an ex-customer who had to deal with their heinous software licensing/activation/deactivation system I can't say I'm dissapointed.

And the top-rated open source solutions are: (0)

Anonymous Coward | more than 7 years ago | (#17388300)

Transparent on-the-fly full disk encryption:

For Windows: http://www.freeotfe.org/ [freeotfe.org] (based on LUKS)

For Linux: http://luks.endorphin.org/ [endorphin.org] (LUKS, supported by all major Linux distributions, for any size Linux server/computer/device)

* Cross-platform and well-behaving on-disk standard.

* Free as in both beer and freedom. open sourced.

What more can a government ask for?

I had to do this (0)

Anonymous Coward | more than 7 years ago | (#17388308)

I work through the Department of Energy, and we've all had to encrypt our laptops using Pointsec. My computer has essentially been rendered useless because of it. Not only does everything that requires disk operations take forever because of the encryption, slowing it down noticeably, but it has also made hibernate impossible. I used to be able to open my laptop and wait 30 seconds to be up and running. Now I have to wait over 7 minutes and log in twice before I can even open a browser. It completely ruined the point of a laptop. To add insult to injury, the only thing I ever did on it was use the web and VPN in and use remote desktop to my office machine. I don't store sensitive information on the machine itself.

My hope is that when the higher-ups have this done to their laptops and see how horrible it is they will relax the policy somewhat.

What about Linux laptops? (1)

DoofusOfDeath (636671) | more than 7 years ago | (#17388352)

I hear that lots of Navy developers use Linux laptops. I wonder if/how this will apply to them.

Re:What about Linux laptops? (1)

DoofusOfDeath (636671) | more than 7 years ago | (#17388386)

I wonder what they'll do when the answer to encryption on Linux laptops is *free* ? There's no vendor to apply for it. Hopefully whoever is managing this effort won't be so stupid as to only consider techniques that cost money.

Sticky Notes with Passwords (1)

Esion Modnar (632431) | more than 7 years ago | (#17388372)

So, when the laptops get lost, the password to the FDE will be conveniently found on a Post-It note stuck to the side of the screen.

Full Disk Encryption -OR- File Encryption (0)

Anonymous Coward | more than 7 years ago | (#17388384)

From TFA: "Provides Full Disk Encryption (FDE) or File Encryption System (FES)". Please read the actual requirements before writing your summary...

no news (1)

dochin (1044440) | more than 7 years ago | (#17388402)

This post is misleading. The FedBizOps notice is for the Air Force ESC, not the federal government. I don't even think it's related to the Presidential mandate. Most agencies implemented this when it was required (in August). Can anybody verify that the info on this FDE site is legit?

my experience with this (1)

Phylarr (981216) | more than 7 years ago | (#17388418)

At the company where I work, they just did a similar full-disk encryption mandate. Some highlights follow: 1) It doesn't work with Mac, Linux, or anything other than Windows 1a) For now, that means any dual-boot computer is exempt 1b) Later, that might mean and dual-boot computer is re-formatted 1c) A whole lot of computers became dual-boot after the encryption announcement was made 2) Because Windows is encrypted, if any single file becomes corrupt, you are completely screwed 2a) The data cannot be recovered by putting a working HD with a hosed Windows install in another computer, nor by re-installing Windows 2b) Daily backups are more important now 2c) Nobody does daily backups 2d) Most people who do backups do them by copying their files to an external (unencrypted) USB HD. 2e) Those external, portable, USB HDs are easier to steal than any laptop or desktop computer. 3) There has been a huge expense to implement this, a minor slow-down in performance due to it, an increased chance of data loss due to computer problems, and no real increase in the security of any of the data.

This is my job... (3, Interesting)

BenEnglishAtHome (449670) | more than 7 years ago | (#17388438)

...at the moment. I'm hip-deep in user handholding and re-imaging crashed machines. Here are a few random points, dashed off quickly. If anyone has any questions, feel free to post.

The June 23 White House memo had a 45-day deadline. Everyone has already blown the deadline.

Big props to WinMagic for their marketing. They've been all over the government computer press for the last 1-2 years with press releases and random mentions that make it appear they are the only workable solution. As a result, the agencies that jumped on the bandwagon in time to meet a (seemingly common) end of year deadline have grabbed their SecureDoc software and started installing. My experience with it has been semi-OK. Given that the software is touching every single file on every machine that leaves our physical space, the number of screwups has been acceptable at less than 2%. Our most widespread problems have mostly been a result of insufficient server capacity to deal with all the machines being encrypted at the same time within the last couple of weeks. Whether that was a result of us going cheap on the server side or WinMagic promising that the servers could handle a bigger load than is actually the case, I don't know. I suspect it's a bit of both. Still, things are slowly working out, even if our frontline support staff is going to wind up losing, literally, a month of productivity to the project.

A bunch of the requirements on that DOD checksheet are being ignored by civilian agencies. With no PKI infrastructure in lots of places, plenty of things have to be done "hands on" and the ability to do things like silent installs is out the window.

A bunch of the names on that vendor list are just resellers and of little interest to the slashdot crowd. What's more interesting is the list of products that do the job. THAT list is much, much shorter.

I haven't heard of anyone doing their encryption in hardware, which irritates me. I use hardware-encrypted drives at home and I was looking forward to doing the same thing at work. There is a widespread rumor in my agency that 2 or 3 generations of computer refreshment down the road, we'll transition to encryption in hardware. I hope so.

We've been doing this for 5+ years now (5, Informative)

Terje Mathisen (128806) | more than 7 years ago | (#17388450)

I work for a multinational corporation with more than 10 K laptops, we decided to use full disk encryption more than 5 years ago.

At that time we found just 5 vendors who were qualified to deliver (after an initial pre-qualification round), and we invited them all to a specially setup testing lab: Of these 5 vendors, 3 were selling pure snake oil (encrypt the partition table and/or root directory only), it took less than 5 minutes to break into each of these.

Nr 4 seemed a lot better, but after 20 minutes work I found the crucial 'compare password, JE decrypt' sequence in the driver, and we were in. :-(

Only the final entry (from a german company) had understood how you design a product like this:

First you encrypt, using your preferred symmetric key algorithm (AES-256 these days?), all sectors on the disk. You use some form of hash of the logical sector number as a salt when encrypting, this makes each block unique, even those that contain the same 'FDFDFDFD' freshly formatted pattern. The key you use for this is the master disk key, it is a random number generated during installation.

Next you make a small table, with room for at least two entries: User and admin.

The user entry can be modified as often as you like (we default to slightly less than once/month), while the admin key/password is constant, but unique to this particular PC.

Each password (user/admin) is used as the key when encrypting the master key, which means that there is no way, even for the crypto architect, to recover the master key without knowing at least one of these passwords. (The passwords are never stored anywhere on the disk of course!)

The admin key/password is saved both as a printout and on disk on a secure system (without any form of network connection), so that you can use it each time a user manages to forget his/her user disk password.

There are lots of nice to have features as well, one of the more important is the ability to use a challenge/response setup to safely regenerate a user password remotely, without ever having to transmit the relevant admin key. This does require some kind of side channel to verify the identity of the user who owns the particular laptop: We use a combination of RSA's SecureID cards and the user's cell phone for this (each user has such a card to be able to use the corporate VPN connection which requires strong authentication).

Terje
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...