[Discuss] Revisiting VMWare ESX backup options

Matthew Gillen me at mattgillen.net
Wed Nov 5 15:17:52 EST 2014


On 11/04/2014 10:27 AM, Richard Pieri wrote:
> The encrypt everything ideology is nothing more than security theater:
> do something that provides a warm and fuzzy feeling without addressing
> the real problem of poor or nonexistent physical security. If you
> maintain good physical security then the devices won't be lost or stolen
> in the first place.

I think that's a bit unfair; physical security can be just as difficult 
in practice as software security.  I once timed AAA unlocking a car 
whose keys were locked inside: 11 seconds from walking up to the car to 
open door.  Criminals have the same tools.

Not everyone can have a bank vault to put their computers in. 
Whole-disk-encryption is decent protection against thefts of 
opportunity.  Thefts of opportunity (i.e. you weren't specifically 
targeted for theft, you were just in the wrong place at the wrong time) 
aren't after the data, they just want to resell the hardware.  If the 
data is easily accessible and can be easily determined if there's 
additional value, all the better.  But if there's significant cost to 
even figuring out whether the data on that laptop has value, it's 
usually not worth it.

It's much harder to defend against targeted thefts, because you have to 
assume that the thief will employ every possible trick to get the data 
from your laptop (and shutting down your laptop doesn't necessarily make 
your encryption key unrecoverable from memory:
https://freedom-to-tinker.com/blog/felten/new-research-result-cold-boot-attacks-disk-encryption/ )

Matt


