It's like saying "I forced an FDE solution through the company budget because if a drive gets stolen, it'll cause significantly more important the information get preserved than purchasing those new corporate desks/that copy machine/etc." It's just not up to us.
Caring about NSA access is a business decision, not a technology. If the stakeholders are passionate about the issue, then you failed them even before the user blew up their machine.
I guarantee you that no matter what FDE solution you put in to your environment, the ability to recover the data when a user blows up their machine will be significantly more important than whether or not the NSA can gain access to that data. It doesn't change the fact that, as people, we should be looking into the potential implications of widespread data collection and maintaining a dialog about the issue.
TRUECRYPT ED PROFESSIONAL
In organizations where it's relevant, technology needs to meet business needs, so using such solutions would be a breach of professional responsibility. In the cases where it's irrelevant, you have a responsibility to choose the solution that works best with the technical aspects of your environment. The stakeholders themselves might value this issue highly enough to not choose potentially compromised systems. That includes stakeholders and company vision (if relevant). "We need to look critically at NSA goals, methods and the potential abuse of information" doesn't equate to "you need to do impractical things at your job".Īs professionals, we have a responsibility to protect the interests of the business. This isn't really relevant to my comment at all. However, for the vast majority of people that read /r/sysadmin, they need practical solutions that work for their environments and is easy to manage. It would be impossible to manually parse the amount of data the NSA purportedly collects.Īgain, if it's only useful to the NSA if you've committed a crime, why don't they just want it for criminals? Anything an entity acquires would be parsed automatically, rather than manually by a human. They're likely an extremely useful (either now or in the future) datapoint, crime or no.
TRUECRYPT ED SERIAL
However, what if the author temporarily caches the key somewhere on a file on the disk? Or accidentally left some debug mechanism on and sends the key out over some serial interface indirectly that someone finds? Or uses a really weak algorithm to save key on the system?įor the sake of practicality here, however, the data stored on your removable media devices and your portable devices is mostly worthless unless you're committing some form of crime. This affects pretty much all FDE solutions equally. Of course, we discovered it was possible in extremely the right scenario to recover FDE encryption keys from RAM. And it's not just in what 'protectors' (bitlocker term) are provided for you, but in how the application itself handles the key. You could have the most advanced, super awesome algorithm in the world but if you store the key in plain text you're screwed. Cryptographic modules are hard to get right. However, I am saying that there are many more pieces to the crypto puzzle than just by whom the solution is developed. Understand I'm not saying that "closed source" solutions are inherently better by design.
Note, before I get blasted for my last comment. Just use bitlocker, for Christ's sake, and don't use cheap ass 3rd rate solutions that the only reason people say to use it is because "OMG IT'S NOT MADE BY A BIG COMPANY!", because if that's the metric by which you measure your crypto solutions, it's 100% wrong. McAfee Removable Media Protection (ePO Managed)Īs I've stated, I make extensive use of crypto.McAfee Drive Encryption, FIPS, AES-256 (ePO Managed).(Remember that part where I told you the NSA doesn't give two shits about you?) I've stored the recovery keys on my Microsoft Account. Bitlocker VHD on removable USB thumb driveĮverything requires an "enhanced PIN", encrypted with AES256.I'm a pretty heavy user of encryption both personally and professionally. I've got everything I own removable bitlockered. The NSA doesn't give two shits about who you are, seriously.
0 kommentar(er)
