×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

TSA to Contractors - Encrypt Your Laptops

Zonk posted more than 6 years ago | from the probably-a-good-idea dept.

Security 132

eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

132 comments

TSA makes /. encrypt stories too? (0)

Anonymous Coward | more than 6 years ago | (#21013145)

Nothing for you to see here. Please move along.

Overheard conversation (5, Funny)

postbigbang (761081) | more than 6 years ago | (#21013191)

"No, not the keys to the truck and trailer, I need the damn keys to the laptop!"

Not enough (0)

Anonymous Coward | more than 6 years ago | (#21013865)

Encryption is not perfect. It can be broken.

How about this: don't drive around with laptops full of sensitive data.

I don't care if downloading the data to a laptop is cheaper; it puts me at risk! If you are going to be handling my data, then I demand that you take better care of it.

Not that my demands mean anything at all. This is one of the many reasons I haven't set foot in an airport since 9/11.

Re:Not enough (1)

postbigbang (761081) | more than 6 years ago | (#21014285)

We agree that the keys to encryption need to be well managed, and penalities for any kind of data loss need to be incredibly severe.

Not flying or going to an airport since 9/11 (presuming *because* of 9/11's aftermath) as a result of your demands, would appear to border on paranoia in the extreme, however. Someone has your IP address for the message you posted, and has already traced you back. It's in your service provider's info sent to the NSA. You didn't have an https connection, so everyone saw what you wrote here today. Feel better? In a wonderful world, security wouldn't be a problem. That doesn't excuse bad data handling, rather it says that it's really loose and stupid not to have required encryption up until now.

Now if I can just find those keys....there might be a protocol, like packets over pigeons, for truckers. I wonder.....Peterbuilt AES??

Re:Not enough (0)

Anonymous Coward | more than 6 years ago | (#21014905)

Someone has your IP address for the message you posted, and has already traced you back.
Please. Every GeoIP service I've checked has missed me by nearly ten miles. What's worse, one put me right in the middle of a baseball stadium.

Re:Not enough (1)

postbigbang (761081) | more than 6 years ago | (#21015183)

Triangulation errors don't matter with nuclear weapons.

And if the accuracy is that bad, it means you're in a desolate area, so reversion to a google map ought to do the job, unless you're in a cave. And if you're in the niddle of a baseball stadium, that narrows it down a lot! Mine currently is placed either in NJ, or in a western burb of Chicago, both very far away from my actual locus.

Nukes wouldn't even do it. But maybe some cool X-files laser-from-the-sky might figure out my latencies and zap me on the spot. No matter.

That the TSA didn't mandate encryption is a travesty. After all, Security is their middle name.

Re:Not enough (1)

hedwards (940851) | more than 6 years ago | (#21015413)

Encryption is not perfect. It can be broken.
Sigh, you clearly don't get it. Encryption isn't to keep it from being broken. Encryption is to delay access for as long as possible. Any encryption scheme can be brute force cracked if one has the time to do so. A desirable scheme should require the correct key, and make brute forcing the key take centuries. And that is assuming the algorithms are sound and that the passphrase or key is strong enough to do the trick.

Encryption really shouldn't be thought of as a way of keeping anybody from reading it, it should be though of something that delays finding the embarrassing information encrypted until 200 years after you're dead.

And to that point, CC numbers aren't very useful if the card has already expired, a SSN isn't particularly helpful if the person who was issued it would be 130 years old. Basically its just a tactic to make it as inconvenient as possible for an unauthorized party to use the data.

Re:Not enough (1)

ehrichweiss (706417) | more than 6 years ago | (#21015955)

You forgot that if the laptop was stolen from a trucker then the thief isn't likely to want to spend the same amount of time on a trucker's encrypted laptop, that may only contain nudie pics the trucker is trying to hide from his wife, as they would one stolen from the FBI where they'd almost be certain of getting something fun to view.

Re:Not enough (2, Funny)

moderatorrater (1095745) | more than 6 years ago | (#21015967)

This is one of the many reasons I haven't set foot in an airport since 9/11.
Let me guess, another is that your hat sets off the metal detector?

Many have been told to backup... (2, Insightful)

psychicsword (1036852) | more than 6 years ago | (#21013203)

Though many never do, will this be the same?
I think that even if you force the security measures in place people will always find a way around it. People write their passwords on a Post-in note or tape it to their monitor. These security measures are good but definitely not perfect.

Windows (0, Offtopic)

WED Fan (911325) | more than 6 years ago | (#21013365)

Can we have someone post something to the effect "that if MS weren't so evil, they'd encrypt the drive already and we wouldn't have this problem"?

For gods' sake, people, this is /., if you don't post about how this is MS evil doing, entropy will set in.

Re:Windows (1)

sumdumass (711423) | more than 6 years ago | (#21013737)

If MS preencrypted the drive, the default pass word would probably be something like MSr0cKs01 or something and it would never be changed and most likely useless.

There, is that good enough for you? I know it sort of slams the users too but what the hell, it is a slow news day.

Windoze indeed! More Welfare for M$ on the Way. (0)

Anonymous Coward | more than 6 years ago | (#21014293)

I think that even if you force the security measures in place people will always find a way around it.


So the requirements will be used to force contractors to buy Vista and use bitlocker. Sure, there are better solutions available using free software and the government has spent all sorts of money on Bastile Linux for just this purpose, but that won't keep Steve Balmer in coke. M$ is having a hard time after the outright rejection by the FAA [slashdot.org] and DOT [slashdot.org], the Fortune 500, higher education, their Wintel press buddies and anyone with a memory. They have to work on less established, less competent and much easier to manipulate and bribe agencies like the TSA, local school districts and so on and so forth.


It's always sad (2, Insightful)

techpawn (969834) | more than 6 years ago | (#21013213)

That these kind of measures are retroactive instead of proactive.

Re:It's always sad (3, Interesting)

Volante3192 (953645) | more than 6 years ago | (#21013293)

"Reactive"

It's more likely it was pitched, but either for cost or time, management probably shot it down. Never mind there've been high profile laptops missing all over, like the VA one. Being naive, I would wager that the IT department would like to lock down the systems as tight as possible (I know I would) but are being thwarted by management becaue it'd make things too hard, too different, or cost too much.

It's always after the sole data server blows up that they decide "oh, guess that backup option would've been worthwhile." (Had this happen too. Financial data, customer data, and no paper trail. But the tape drive cost 'too much'.)

Re:It's always sad (3, Insightful)

mlts (1038732) | more than 6 years ago | (#21014743)

I keep wondering, if the data is that sensitive, IT departments should have it physically never leave the data center. Instead, offer different means of access via secure means, such as Remote Desktop, ssh, a secure webapp available after connecting to a VPN, or some other means of accessing the data and gathering reports from remote. Keep the data available, but have it physically reside in the (relatively) secure environment of the data center.

If someone needs offline access (for example in a remote location with no Internet access), that is a different story, but in a number of laptop theft cases, there is no real reason the info is physically sitting on the laptop.

Of course, this won't prevent an employee from doing an export of all the tables to their laptop, but having the sensitive data behind a username, password, and a SecurID token means that the losses due to a stolen laptop will be minimal. Add a decent FDE program (BitLocker is decent because it doesn't get in the way of users, provided they can access their user), and a laptop loss can be written off as "just" hardware.

A number of Dell laptops and desktops have the ability to have CompuTrace installed in the BIOS. This is another good tool to help find stolen goods.

By using the tools out there, from WDE, to having data physically residing on a different location (although there are cases where this isn't possible), to CompuTrace, damage done from a stolen laptop can be greatly mitigated.

Re:It's always sad (1)

Volante3192 (953645) | more than 6 years ago | (#21015549)

&%*%*& coworker pulled the network cable for the room while i was submitting a comment to this. apparently it got poofed. Anyway...

There's the conflict between management and IT again. IT wants secure, management wants easy and convenient, and management nearly always wins out.

I deal with a similar situation in that, as an outsourced tech, I pretty much can pitch whatever, but it's up to the customer to decide if they want to impliment policy. Usually I'm overruled. "Stuff has worked fine for now, why change it?" I've had to dole out local AND domain admin rights on Windows server domains simply because it was easier for them.

Unfortunatly, it usually takes incidents like this, where the proverbial cobra finally bites the proverbial ass after said ass has been dangling over said cobra for a while. THEN they start implimenting policies that say "Do not place ass within biting range of cobra."

Re:It's always sad (2, Informative)

Sancho (17056) | more than 6 years ago | (#21015657)

Many companies have policies that state that machines must be password protected--BitLocker, OS X, etc. handle encryption seamlessly if this is the case. There is no convenience reason not to use it on company laptops if they're managing sensitive data.

You can't believe how sad... (3, Insightful)

WED Fan (911325) | more than 6 years ago | (#21013307)

That these kind of measures are retroactive instead of proactive.

Yeah, I installed TruCrypt today so I could encrypt my drive yesterday.

Uh, dude, I think you mean "reactive".

Re:You can't believe how sad... (1)

techpawn (969834) | more than 6 years ago | (#21013391)

descriptive of any event or stimulus or process that has an effect on the effects of events or stimuli or process that occurred previously
Having people start to encrypt because of stolen laptops is a retroactive solution to the problem of the wild data

Re:You can't believe how sad... (0)

Anonymous Coward | more than 6 years ago | (#21013613)

Having people start to encrypt because of stolen laptops is a retroactive solution to the problem of the wild data

Except that this won't magically encrypt the data that was stolen, therefore it has no effect on the "effects of events" that occurred previously.

Re:You can't believe how sad... (0)

Anonymous Coward | more than 6 years ago | (#21013653)

But it did change policy for all other laptops

Even More Sad (1)

WED Fan (911325) | more than 6 years ago | (#21013851)

Having people start to encrypt because of stolen laptops is a retroactive solution to the problem of the wild data

Wrong, Sparky. "REACTIVE" is the word. But, thank you for playing. Johnny will tell you what your consolation prize is...Tell him what he won, Johnny!

Johnny: A dictionary...Now, look that up in your Funk and Wagnel.

The norm for govt. (2, Informative)

Nick Driver (238034) | more than 6 years ago | (#21013433)

As someone who works for a govt contractor (state & local govt, not federal), ironically in the security field lately, I've noticed that retroactive measures for security lapses are generally the norm, and not the exception. The govt organizations themselves are too cheap to do security right in the first place, and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits. Fortunately, my employer has a clue and we don't suffer from such moronism, but we sure see a lot of it when we have to come in and finish or repair a system implementation that a prior contractor botched up.

Mod Parent Informative (1)

mpapet (761907) | more than 6 years ago | (#21013681)

Generally, a very informative post that generally conforms with my experience.

the govt organizations themselves are too cheap to do security right in the first place,
Most of the orgs comply on paper, but operationally its pretty bad.

and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits.

The blame goes both ways. I've been in situations where good security was seen as not necessary by the agency. There is also the nasty problem of politics winning the bid instead of specs/price/service. And yes, the contractors cut corners.

Re:The norm for govt. (1)

Lord_Frederick (642312) | more than 6 years ago | (#21014403)

I work for a federal agency and I see a lot of "stepping over dollars to pick up dimes" when it comes to security. We have CAC authentication and there is now talk of all hard drives being encrypted, while everyone carries around a flash drive full of contractor information and a pst file. It feels like we are going through the motions just so a director can have a nice bulleted list of how secure we are. There is plenty of talk about security with government agencies, but very few properly implement even basic security practices.

Re:It's always sad (1)

shawn(at)fsu (447153) | more than 6 years ago | (#21013461)

You could look at this a few different ways. First you could say that this is partially active and not totally reactive. Laptops were lost or stolen with large quantities of data, it's not sure if that data was used for nefarious purposes right at least it hasn't been disclosed publicly. So you could say that this is a semi active response. Some one said we got darn lucky lets remove this vector.

Also think about all the ways some one can get to your data. You have to step up your protection to all of these threats all the bad people have to do is find the weakest link. Now I'll be the first to say that a good DAR policy should have been an obvious precaution but thats neither here nor there. At least they are taking steps make this not the weakest link.

Re:It's always sad (4, Funny)

Chris Mattern (191822) | more than 6 years ago | (#21014187)

If they could actually take retroactive measures, they'd be much happier. "Johnson, I need to secure that data so that it didn't get stolen three days ago!"

Chris Mattern

Encrypting Personal Information (2, Funny)

Dragonslicer (991472) | more than 6 years ago | (#21013235)

After two laptops were lost containing the personal data... we mandated that contractors need to encrypt any and all data
Is there anything to say besides "Duh"?

Re:Encrypting Personal Information (2, Insightful)

beavis88 (25983) | more than 6 years ago | (#21013443)

Is there anything to say besides "Duh"?

Yeah - "Don't write your encryption passphrase on a sticky note and attach it to your laptop"

Because you just know that'll be the next TSA directive.

Re:Encrypting Personal Information (1)

afidel (530433) | more than 6 years ago | (#21013685)

This may be the most insightful thing ever posted to Slashdot in its ten year history.

Re:Encrypting Personal Information (1)

Stray7Xi (698337) | more than 6 years ago | (#21015545)

Of course it already is policy, every IT dept says not to write down passwords but it still happens. The real problem is a lack of security auditing. A flawless policy is useless if its not enforced. Someone needs to go verify that there aren't sticky notes with passwords on the computer, that the drive is encrypted.

Of course "inspectors" are usually associated with bureacracy and corruption. However TSA is already built around useless bureacracy not effectiveness, so how can it hurt.

Re:Encrypting Personal Information (1)

flyingfsck (986395) | more than 6 years ago | (#21014019)

Hmm, after the first one was lost, the data was set free already, so now after the second one was lost, the crooks have a backup too. Good luck with encrypting lost data.

Not Enough (5, Interesting)

s31523 (926314) | more than 6 years ago | (#21013245)

OK, so I have my Open Office document with goodies of HAZMAT data in it. I deploy my favorite encryption program [smalleranimals.com] and encrypt the document. Then I delete the original document. Same problem exists. Encryption is not enough.

Either the data needs to be "shredded" [fileshredder.org] or stored in it's natural form on a fully encrypted volume.

Re:Not Enough (1, Informative)

Anonymous Coward | more than 6 years ago | (#21013593)

An idea might be to put a VMWare Virtual Machine inside a TrueCrypt [truecrypt.org] volume.
This way your entire OS will be encrypted.

Re:Not Enough (1)

apparently (756613) | more than 6 years ago | (#21013807)

That one's been on my To Do list; I'm curious to see what the performance hit is.

Re:Not Enough (0)

Anonymous Coward | more than 6 years ago | (#21014329)

Currently a VM'ed MINIX takes roughly 3 hours to boot on a Linux Machine running 2x quad core Xeon (2.2Ghz) with 4GB memory.

(joke btw)

Re:Not Enough (1)

mlts (1038732) | more than 6 years ago | (#21014817)

I'm running the VM I use for Web browsing in a TrueCrypt container (less for security than ease of backups), using VirtualPC, and I also have a Linux VM running under VMWare that is also residing on a TrueCrypt volume.

Performance on either is a little slower, but if the VM has enough RAM, its not too bad.

I'd give it a try, you probably won't notice the performance difference for most applications, especially Web browsing.

Encrypt the drive (1)

Skapare (16644) | more than 6 years ago | (#21013701)

Encrypt the drive ... except for a partition or flash module with enough of the OS to get started and prompt for the drive key password.

Re:Not Enough (3, Informative)

ic3scrap3r (641359) | more than 6 years ago | (#21014313)

Full Disk Encryption. That is the only answer. Otherwise you are relying on the user to make security decisions and they don't understand security.

Full Disk Encryption is just that. It encrypts the entire thing and requires pre-boot authentication. Even the OS is encrypted.

Re:Not Enough (1)

SpzToid (869795) | more than 6 years ago | (#21014837)

Full Disk Encryption. That is the only answer.

True, and so easy there's no excuse. Debian 4, and from my understanding Ubuntu 7.10 Gutsy due tomorrow, both offer full-disk encryption upon initial installation. It is so easy, why not? Also, because it is so easy and low-cost, I don't understand why enterprise and government don't immediately start a review of laptop OS' and their required client functionality, because of this built-in feature that is a royal pain on Windows.

Contractors (1)

EveryNickIsTaken (1054794) | more than 6 years ago | (#21013265)

For what it's worth, it's Lockheed.

Re:Contractors (1, Informative)

Anonymous Coward | more than 6 years ago | (#21016053)

This would surprise me, as I know at least in my division of Lockheed all laptops have mandatory full disk encryption. Posted as anonymous for obvious reasons.

this should read (2, Interesting)

ILongForDarkness (1134931) | more than 6 years ago | (#21013279)

We don't want people knowing how much crap happens at a typical bridge, or airport. So only autherized personal should have access to the data. Hmm, my ignorance is comforting as I type this.

Don't forget! (2, Funny)

suv4x4 (956391) | more than 6 years ago | (#21013453)

Always put the password somewhere near your laptops in case you forget it. Security is aight, but there's nothing worse than forgetting your password!

Re:Don't forget! (0)

Anonymous Coward | more than 6 years ago | (#21014227)

YA!!!11!!one! liek puting it on a stikee note on da screenz. secyooritee ftw!@1!!

And it seems... (1)

Creepy Crawler (680178) | more than 6 years ago | (#21013477)

Due to the problem with most computers NOT being able to offer full HD encryption, to use a X86 emulator (like VirtualBox) with an encrypted directory via TruCrypt.

That problem is it does NOT provide good stego. I've went over that before, but there's a way to prove by contradiction that there is a likely chance of hidden partitions in data.

Re:And it seems... (2, Interesting)

jojo1835 (470854) | more than 6 years ago | (#21013645)

What they should be looking at is VMware's ACE product. Built in encryption, security policies, and the ability to expire a VM after a certain amount of time. Add to that the ability to lock out USB devices and un trusted networks, and you have a pretty cool product.

I'm not as concerned about the laptops being lost as I am about contractors keeping the data on their laptops as long as they like.

Tim

Re:And it seems... (1)

Creepy Crawler (680178) | more than 6 years ago | (#21013757)

---What they should be looking at is VMware's ACE product. Built in encryption, security policies, and the ability to expire a VM after a certain amount of time. Add to that the ability to lock out USB devices and un trusted networks, and you have a pretty cool product.

And I dont see an easy to maintain that kind of security with exception of TPMs. They support remote network control as you describe.

If I was attacking that kind of setup, I'd extract the HD partitions to my emulator (yes, a real ICE) and proceed to crack the passwords. Once I have the passwords, I'd go towards the VM, while rolling back times to last known access (by checking T/D stamps on windows system files).

Re:And it seems... (0)

Anonymous Coward | more than 6 years ago | (#21013953)

If I was attacking that kind of setup, I'd extract the HD partitions to my emulator (yes, a real ICE) and proceed to crack the passwords. Once I have the passwords, I'd go towards the VM, while rolling back times to last known access (by checking T/D stamps on windows system files).

You really need to put that into non-gibberish english. Cracking the passwords of the host OS is the easiest part -- you get zero points for that one. How are you going to attack the VM? Does VM expiration just use the system clock?

Re:And it seems... (2, Interesting)

Creepy Crawler (680178) | more than 6 years ago | (#21014595)

Im assuming high hostility against a federal machine. So, no, the host password will NOT be easily extracted. You know.. SysKey, encrypted ~/windows directory, encrypted user directories... Not fun. To combat that, you use an ICE. In Circuit Emulator.

Next the VM... Yes, you could roll back the clock, but how would one prevent that simple of an "attack"? Record via signed encrypted file when the last time/date access was. Ok.. so now we can just 'freeze' the VM so restart starts with those very files at that exact time.

The question is "How can we verify accurate and precise time in a VM?" The answer here is that the VM needs to have a secret that is shared with a trusted server, however one must also have trusted access to the CPU to verify that no tampering takes place during the critical connection. To combat replay attacks, the VM client could send a very fine granularity time (say HH:mm:ss:SSS) and request a response using this time. Any significant deviancy from this timebase would seal off the VM.

German truckers out of luck... (0)

Anonymous Coward | more than 6 years ago | (#21013483)

Just don't take your laptop through a German airport now...

"Only a small chance"? (3, Informative)

Opportunist (166417) | more than 6 years ago | (#21013499)

Be serious here!

You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

Question for 100: Do you want to know what's on it? Let's even assume you don't know jack about computers, but do you want to know what's on the box?

Now, it's fairly trivial to get information out of a hard drive and restore deleted information (unless it's been overwritten, where it becomes less trivial). A halfway informed person with a bit of knowledge is enough, you don't need a forensic expert. All you need is the usual program(s), downloadable at leisure. And presto, instant information recovery.

The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it. That he has access to it without any hassle is a given. The only thing that matters is whether he knows a fence for information rather than just hardware.

And yes, those people exist...

Re:"Only a small chance"? (1)

s31523 (926314) | more than 6 years ago | (#21013671)

The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it.

Or the motivation... There is a good chance the thief just took his/her booty to a pawn shop and sold it. The person who ends up buying the laptop from the pawn shop will most likely pop the latest Ubuntu Boot CD in and re-format (only a geek would buy a used laptop from a pawn shop). The laptop could have contained the answer to who really killed Kennedy, but, now it is really gone!

Seriously, the TSA is having a hissy about a few laptops that got stolen, but the reality is that probably hundreds of laptops get stolen everyday, these jack-asses were just unlucky and probably not the victims of precise targeting by a terrorist. In my opinion the value of "sensitive" data becomes lost when the people that created it know it has been leaked. So if you want to steal sensitive data you want to make sure the owner doesn't know you stole it, i.e. wait for a moment to strike, boot the laptop, steal the data, then leave. No one is the wiser...

Re:"Only a small chance"? (1)

nilbud (1155087) | more than 6 years ago | (#21014109)

You're only talking about time sensitive data, 3,500 home addresses and social security numbers isn't such an easy one to change. Can you imagine how much a custom mud-flap maker would pay for that list.

Re:"Only a small chance"? (2, Informative)

mlts (1038732) | more than 6 years ago | (#21014153)

Thieves are getting smarter though. Its on the news often how the data stolen on a laptop was worth millions. Even the local "swipe and run" guy at the university prowling the library for people who briefly leave their laptops unattended are becoming aware that the data on the laptop is just as valuable if not more than the hardware itself, so they will be more likely to find a partner in crime to extract the data from it for either selling to someone else for ID theft, or just outright extortion. If a thief can't use the info, there are people who they can sell it to who can.

Even if its a personal laptop with nothing more sensitive than Facebook cookies, that is still valuable info to a thief.

I strongly urge anyone with a laptop to spend the $100 or so and buy a decent WDE (whole disk encryption) program. There are a number of good programs out there to choose from. I personally use (on different machines, of course) PGP, Jetico's BestCrypt, and MySecureDoc, and found them all to be pretty much install and forget (other than providing the passphrase at boot.) PGP and Jetico both offer eToken support for added security, so someone stealing the laptop would have to have the eToken, the laptop, and the password of the eToken to obtain any useful info.

One feature of Jetico's offering I like is the fact that you can install it on a BartPE CD, which makes recovery of a damaged, encrypted filesystem a lot easier. You do not need to decrypt the volume completely, just mount it, and do the repairs needed.

Re:"Only a small chance"? (1)

Opportunist (166417) | more than 6 years ago | (#21016169)

Wiping a laptop without first checking its contents? Are you nuts? Especially a Geek would do anything to sniff around the HD, if only to add to his blog how a company sold a laptop without properly wiping it.

Re:"Only a small chance"? (1)

squidfood (149212) | more than 6 years ago | (#21013717)

So you boot the thing up and notice that you have a government laptop in your hands.

And if it's from one of the smart gov agencies that followed policies since the SSA lost some laptops, you may or may not notice that through BIOS it's phoned home provided it's been reported stolen, and you've got full disk encryption on your hands. Have fun!

The real question is why "smart" doesn't seem to extend to TSA and their contractors. Agency I contracted for mandated that over a year ago.

Re:"Only a small chance"? (2, Insightful)

RobertB-DC (622190) | more than 6 years ago | (#21013823)

You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

You're forgetting that most smash 'n grab thieves *are* complete dimwits. They're going to take the box to the pawn shop for cash for their next hit of a controlled substance. They couldn't undelete a file to save their life.

If someone has the wherewithal to undelete files and sell the contents to the Russian Mafia, they're not going around stealing random laptops.

And if it's a targeted hit, then they're probably smart enough to guess that your password is "18wh33ler".

Re:"Only a small chance"? (1)

Chris Mattern (191822) | more than 6 years ago | (#21014253)

Yes, but the same token, the smash-n-grab junkie isn't going to reformat the drive and prep it to be fenced out to an end user, either. When it falls into the hands of somebody smart enough to do that prep work, chances are awfully good that that somebody will be smart enough to know it's worth checking what info the laptop already contains.

Chris Mattern

Re:"Only a small chance"? (1)

Opportunist (166417) | more than 6 years ago | (#21016211)

Maybe, but is his fence a dimwit? Few are, believe me that. A trader in used goods of shady sources has to be pretty smart or he won't be in business for long. And they usually smell a chance for more money if there is one.

Re:"Only a small chance"? (1)

stephanruby (542433) | more than 6 years ago | (#21016407)

You're forgetting that most smash 'n grab thieves *are* complete dimwits. They're going to take the box to the pawn shop for cash for their next hit of a controlled substance.
Agreed, but don't discount the pawn shop owners, or whomever buys the laptops from those pawn shops. You'd be surprised at how organized small crooks can become. Take for instance the Nigerian scammers, apparently there is an informal market of Nigerian scammers selling and trading leads with each other. So it doesn't matter if a scammer lives in Africa, he can try to scam you, and if you take the bait, he can resell your information to someone who specializes in the banking transaction part of the scam, and then that scammer can take it a step further and resell your information to another scammer who lives in the US and who has access to limousine he can show up in. And so on, and so on.

Another better example might be copper. These days, we have lots of thiefs destroying and stealing copper plumbing and devices with copper in them so that they can resell those parts for pennies on the dollar to the copper industry (it's a real waste). Now, those thiefs may be dimwits and meth-addicts, but apparently they don't need to know how to melt copper or to know how to recycle copper to make money on it, they just need to resell the used copper to the right person, who will then in turn sell it to the right person, and so on and so on. So coming back to our original discussion regarding laptops, whoever belongs at the top of such a food chain, it will be his job to maximize the dollar amount on each laptop stolen, and one can't automatically assume such a person is not going to have the knowledge necessary or the incentive to harvest your information on your hard drive so he can resell it somewhere on the open market.

Re:"Only a small chance"? (1)

Kjella (173770) | more than 6 years ago | (#21014623)

Thinking like a real slashdotter. Remember that jury guy in the RIAA case that hadn't used the Internet? Well, most of the drifters, hobos, junkies, pickpockets and others doing most of the petty theft often don't really strike me as anywhere near qualified or interested. They're interested in moving it for some quick cash either to a fence or online, if sophisticated enough at that. That means the only thing they care about is not having a big "STOLEN" sign all over it, and it's plausible to format it to protect your data. And even if they do have the skills, there's something to the time value of money - how often are you really going to find something that translates to hard cash? Even if you found something it probably involves breaking & entering, blackmail, fraud etc. that'll take a lot of time, effort and risk. Most just want to KISS and keep a good cash flow going.

Re:"Only a small chance"? (1)

Opportunist (166417) | more than 6 years ago | (#21016241)

Yes, but he will probably not try to sell it himself. He will take it to some shady pawn shop, where the owner may have a lot more experience how to make the most out of the crap that comes to him, what parts he can sell and for how much.

And that "parts" includes the information.

Now that got me thinking (3, Insightful)

suv4x4 (956391) | more than 6 years ago | (#21013525)

So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place

The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.

Re:Now that got me thinking (1)

faloi (738831) | more than 6 years ago | (#21013843)

The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

Because, right or wrong, that social security number is your magic number. It sounds simple to just invalidate it and get a new one. And if it were more like a credit card, it would be that simple. You run the risk of having to update one or two automatic payments out of your account, and that's about it. To get your social swapped, a bunch of government agencies would have to co-operate. Which is a pretty big issue on its own. Credit reporting agencies would have to be notified, banks, employers...darn near everybody you've ever done business with.

On the one hand, it's nice to say "they hosed it up, they should have to eat the cost to fix it," but the total cost would be enormous. Perhaps not in this case, but consider the case where the DoD wasn't sure exactly which vet's info might've gotten out into the wild. You're talking about the government, the same people who one way or the other screwed up the first time, having to track and change info for every person that is in, or ever has been in the military. And it has to be done properly. My info may or may not have been part of the info that was compromised, and I'd rather have them reimburse me for any losses that I might suffer than jump head long into my life and mix everything up if there's no need.

Social security numbers (1)

Jaxoreth (208176) | more than 6 years ago | (#21015033)

Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.
Sounds good, but as with credit cards and bank account numbers it still ignores the unfathomable stupidity of requiring you to trust arbitrary third parties (e.g. merchants with whom you conduct business) with information that carries privileges only some of which you'd like to grant.

The social security number is a unique identifier. It should be used to refer to you, to unambiguously distinguish your identity from someone else's, not be construed as any kind of authentication token. Having power over someone because you know his name belongs in a fairy tale [wikipedia.org], not a purported security scheme.

As a Government Contractor (1, Informative)

Anonymous Coward | more than 6 years ago | (#21013555)

I have to say that everybody is all for encrypting your laptop until you realize what that means. For us we are running Pointsec [checkpoint.com] (or as some people call it, PointSuck) on every laptop in the company. It's annoying because Pointsec is a dog to install and about 1 in 10 people who do end up having it crash before it reaches the magical 1% and have to rebuild their machine from scratch. They say it doesn't affect disk performance, but it is yet another layer of overhead that makes the Core2Duo based Laptops we use now take 10 minutes to boot up (10 minutes until the disk dies down and it's usable at least, thanks to Symantic, ZoneAlarm, Patch Checker, Radia, etc...) and not feel any faster than the previous generation laptops.

It has been especially annoying for my department because we have lots of older hardware (like Sony Vaio Picturebooks that are really nice for portable testing, and Sharp Zaurus SL-C7xx series linux boxes that we really have no way of encrypting, and must plant clear instead, even though they'll never have any kind of vital information on them). Not to mention all of the people who are in to dual booting (we now use VMware a lot instead, although VMware has several issues that make it annoying, the most basic of which is the clock drift). It's also been a pain for our laptop re-imaging system (which is basically dead now)

In the end I'll be glad if my main work machine is stolen since I'm pretty sure Outlook doesn't encrypt anything and I have confidental information on it, but the cost is a lot higher than the price of one copy of Pointsec.

Re:As a Government Contractor (1)

mlts (1038732) | more than 6 years ago | (#21014547)

I personally have not used PointSec, but I have had excellent results with other encryption programs, where you install, encrypt the boot/system volume (PGP can journal the encryption so a cold power failure won't juice the data), then not worry about it other than punching your password at bootup.

Performance wise, I've not noticed any slowdown (the bottleneck is the HDD rather than the encryption layer.)

Please don't discount WDE programs in general because one of them is underperforming. I have used WDE programs for years [1] and have had very few instances of catastrophic data loss where the program caused nothing on the HDD to be recoverable. However, I do make sure to do backups often just in case.

[1]: IANAMF (I am not a Mac fanboy), but what is ironic is that Macs around 1989 were one of the first machines to have complete WDE utilities like Fileguard, A. M. E., Empower, even FWB's Hard Disk Toolkit which automatically loaded the encryption driver on any SCSI hard disk plugged in. To this day, I still have not seen anything as secure as Casady & Greene's A. M. E.

In Soviet Russia........ (1)

y86 (111726) | more than 6 years ago | (#21013595)

In Soviet Russian laptop encrypts you!

Re:In Soviet Russia........ (1)

MarkGriz (520778) | more than 6 years ago | (#21013805)

"In Soviet Russian laptop encrypts you!"

Also in Soviet Russia.... they know how to make 'In Soviet Russia' jokes.

Re:In Soviet Russia........ (1)

ChrisMP1 (1130781) | more than 6 years ago | (#21015679)

That's stupid. "In Soviet Russia" is supposed to contain some amount of wit, not just any random sentence reversed.

Easy encryption, but not with Windows (2, Informative)

RobertB-DC (622190) | more than 6 years ago | (#21013637)

The latest versions of Puppy Linux [puppylinux.org] have an easy-as-pie way to encrypt everything. Just burn a CD, boot from it, then at shutdown you're prompted to save your session. You can save to the hard drive or any other storage device, and you have the option to encrypt the data.

Boot from the CD, and it'll find and load the data you stored. Enter your password (correctly, one would hope) and go. It doesn't get much simpler than that.

Of course, you can't use your insecure Windows "helpers". But if they were *really* concerned about data security... well, I won't go *there*.

Ch-ching! (2, Informative)

bug (8519) | more than 6 years ago | (#21013665)

The TSA can issue orders like that until it is blue in the face. If it ain't in the contract, and it ain't in the Federal Acquisitions Regular (FAR), then the only way this happens is if TSA (in other words, the taxpayer) chooses to *pay* for it to happen.

Effective solutions? (3, Insightful)

WPIDalamar (122110) | more than 6 years ago | (#21013679)

Are there any real-world effective laptop encryption solutions?

Encryption requiring a simple password:
    They key space will be limited making for easy cracking.

Encryption requiring a sufficiently complex password to avoid above:
    The password will be too hard to remember so people will write it down... on a sticky note on the laptop.

Encryption requiring an external device to supply complex key:
    This will fail because many people will either attach the device to the laptop, or keep it in the same bag as the laptop.

I guess the simple password solution is the best since it would at least require a degree of technical expertise from the thief to get around.

Re:Effective solutions? (1)

krunchyfrog (786414) | more than 6 years ago | (#21013909)

I'd say use a fingerprint scanning device. I rarely saw anyone put a finger in a laptop bag, and the key has to be programmed before the laptop gets lost/stolen.

Re:Effective solutions? (2, Informative)

jandrese (485) | more than 6 years ago | (#21014039)

Most of the military is going towards the CAC Card [wikipedia.org], which is good because since it is your badge you have to take it with you when you go somewhere (you can't just leave it plugged into your workstation when you stand up to go somewhere, because eventually a guard will stop you and ask why you're not wearing your ID, and then you're in trouble).

Now they have a lot of issues with their implementation currently, but the underlying concept is a good one.

Re:Effective solutions? (1)

mlts (1038732) | more than 6 years ago | (#21014211)

The best compromise for this I've seen is a hardware token. Of course, people are likely going to keep it in the same container as the laptop, but most hardware tokens can be configured to render themselves inoperable after a number of wrong password attempts.

Now, even if someone has the token and the laptop, they have 3-15 tries to guess the password on the token, and usually that password is 8 characters or more.

Re:Effective solutions? (2, Insightful)

cadeon (977561) | more than 6 years ago | (#21015491)

Are there any real-world effective laptop encryption solutions?

Are there any real-world effective encryption solutions, period?
Encryption, overall, is a slippery slope of hate and doom. The only way (currently) to encrypt something is to use a key that's long enough to take a 'really really long time' to guess. Unfortunately, 'really really long time' shortens with growing processor power.

It wasn't all that long ago that we were using 40bit encryption for online banking. . . now that's unthinkable, we're using longer keys . . . with longer keys comes more overhead, and we're not any closer to a real solution to the encryption problem.

Expoential systems cannot exist in perpetuity. We need to come up with a new system for encryption or have fewer secrets, I'm a fan of the latter.

Re:Effective solutions? (0)

Anonymous Coward | more than 6 years ago | (#21015841)

Safeguard Easy from Utimaco

I deployed it two years ago. Full drive encryption, with pre-boot passwords enabled. Failed attempts at the pre-boot password causes an increased delay prior to the next attempt, and it just keeps increasing the delay which means that brute force attempts won't work, oh you also need to guess the ID as well as the password.

Very ugly experience for users when they forget their pre-boot passwords, but if you want real security...

Bitlocker? (1, Informative)

Anonymous Coward | more than 6 years ago | (#21016493)

Wouldn't a laptop with a TPMv1.2 chipset and Bitlocker fix this? Can't crack the password db since it's encrypted. Only two ways in: stonewall the 40 number recovery key in vitro or guess the luser's password in vivo. Both a tough nut to crack.

Theft OR loss? (1)

Ethanol-fueled (1125189) | more than 6 years ago | (#21013741)

I like how TFS says "theft OR loss". Which one is it? Are they trying to shrug off accountability or are they just idiots?

Re:Theft OR loss? (0)

Anonymous Coward | more than 6 years ago | (#21015555)

Are they trying to shrug off accountability or are they just idiots?

Yes.

Truecrypt! (4, Informative)

NitroWolf (72977) | more than 6 years ago | (#21013875)

I use Truecrypt [truecrypt.org] to encrypt a partition on a drive and store all of my documents there. It's transparent to the user, once you've mounted your volume(s) and it's pretty danged fast, too. You can do encryption with Twofish, Serpent and AES or a cascading combination of them. Pretty damned secure, opensource and free.

You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.

Re:Truecrypt! (1)

mordeith (1000067) | more than 6 years ago | (#21014337)

what about bootlocking or drive locking....is that gonna help with security....

Re:Truecrypt! (1)

mlts (1038732) | more than 6 years ago | (#21015001)

Boot locking, as in setting a hard disk password in the security section of BIOS?

Setting a hard disk password (all IDE and SATA hard disks made since 2001 or so have the ability to require a password before access is granted) is decent security, however how truly secure it is, is debatable. Some people have claimed there are backdoors and universal passwords, others have claimed that only a low level recovery service that has the clean room and tools to look at the actual bits stored on the platters can access the data.

Password recovery is also different. Some laptop vendors have a way to unlock a password locked hard disk, if you provide them the "challenge" serial number from the hard drive ID. Other laptop vendors will just shrug and tell you you are out of luck.

Because the ATA password locking is not definite, I use WDE. I then know that the data is encrypted, and not just protected with a system that could just be smoke and mirrors.

Re:Truecrypt! (1)

mordeith (1000067) | more than 6 years ago | (#21015783)

ahh mosta the laptops ive had to work on in the last 10 yrs or so have been bootlocked in one way or another....i appreceate your responce...i tell my clients and family to bootlock and drivelock there laptops...wit both #ers n letters...insofar ive not found an easy not destructive way of defeating it....as for backdoor passwords ive riun your typacal library brute force attacks against the usual ones...to no avail....my personal info isnt on hardisk anywhere that isnt truecrypted or somesuch.....what about biometric

Re:Truecrypt! (4, Informative)

mlts (1038732) | more than 6 years ago | (#21014367)

TrueCrypt is an excellent program, the devs have put a lot of thought into every aspect of security. I use it for encrypting external drive volumes completely so if someone does a smash and grab on my stuff, they will end up with hardware, but the data is protected by a passphrase and a keyfile stored on the (WDE encrypted, using a hardware token) boot drive.

The biggest thing to remember with TrueCrypt, if you lose the first 1024k or so of an encrypted volume, you have completely lost the volume because the first part contains the encryption key (or keys) for the rest of the data. ALWAYS back up the volume headers (they are encrypted with the same mechanism as the volume itself, so they just need to be stored safely) of all critical volumes.

Of course there will be people saying that "I don't use encryption programs, I have nothing to hide." That is analogous to saying "Don't have a front door as you might has something to hide." Its not the governments these programs are for (most governments can obtain the decryption key via other means including a rubber hose), its thieves. These days, TrueCrypt and other security programs are highly necessary to keep a $1000 laptop from becoming a loss of many thousands in ID theft.

Re:Truecrypt! (0)

Anonymous Coward | more than 6 years ago | (#21014505)

Until Microsoft actually documents, and proves, that they don't copy my encrypted files into a temporary directory, some index, the registry or whatever, I wouldn't trust TrueCrypt on Windows.

Yes, I use TrueCrypt on my XP laptop. But for all my personal stuff, I use NetBSD with cgd. With that, I know what is going on.

Encryption doesn't mean anything, if your OS suddenly decides to copy half of the file onto an unencrypted partition because of some "indexing service".

FDE works too.. (2, Informative)

rickb928 (945187) | more than 6 years ago | (#21014509)

Most Thinkpads support something like Full Disk Encryption. Password in the BIOS, and you can't boot without it. The disk is literally unusable without the password.

My gig at I%$&#, they had me write my FDE password down and give it to the nice Systems tech. That way, when I left, they could recover the disk and reissue the machine after the usual shredding and wiping.

Without it, they would have to throw out the drive and buy a new one.

And yes, you need to remember your password. This you write down and leave at home, or with the Keymaster in the office, or your boss.

Honestly, this is not that hard.

Re:FDE works too.. (1)

Creepy Crawler (680178) | more than 6 years ago | (#21014849)

Thats just an ATA password, as enclosed with the ATA spec. That means without that password, the HD motor just doesnt start up.

All you need is disk microscopy to recover data. Just send it offshore to a semi-legitimate firm for data restoration on backup DVDs. It'll cost a thousand or so.

Re:FDE works too.. (1)

rickb928 (945187) | more than 6 years ago | (#21016483)

On the Thinkpad I used, the FDE password was not just an ATA password. the drive it self was encrypted with this, and not having it meant the drive was unreadable on any system.

I may have mislead you. It isn't a BIOS password, it's a pre-boot password. No password, no boot. It just cycles through another POST and askes for the password after the retries wear out.

If it were just an ATA password, what good would that do?

Re:FDE works too.. (1)

kasperd (592156) | more than 6 years ago | (#21015595)

The disk is literally unusable without the password.
I consider that to be a design flaw. It should be possible to change the password without knowing the old one, but of course doing so would mean all data on the disk were lost. But are you really sure the disk encrypted the data? And could you verify the quality of the encryption? Maybe flashing a new firmware on the drive would have allowed you to bypass the protection.

Who should pay for the identity theft coverage? (1)

GuyverDH (232921) | more than 6 years ago | (#21016133)

"So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves
"
In my opinion, any company, corporation, organization or government entity that misplaces (through loss or theft) sensitive financial data should be responsible for paying for identity theft coverage for as long as the potentially affected individuals live. Then maybe they wouldn't be so damned quick to store all of that data or just hand it out to every contracter they hire.

Telling someone "So sorry, we lost a disk with all of your credit-card numbers, social-security number, personal history. We suggest you buy identity theft coverage right away." is total bullshit.

One of the banks that I used to do business with had 2 laptops stolen with my information on them. They told me they were going to be good enough to *give* me 1 free year of credit protection. I told them that the data on that drive wasn't ever going to *go away* and that they were going to pay for that coverage for the rest of my life. We argued and I basically said that if I ever had my identity stolen, it would come back to haunt them as they had as good as given out my data to whoever stole the laptops. Eventually I got them up to 10 years of coverage, however I let them know that that did not let them off the hook and that if anything happened after that time frame, they would be paying to take care of it one way or another.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...