BLU Discuss list archive
[Discuss] Server/laptop full-disk encryption
- Subject: [Discuss] Server/laptop full-disk encryption
- From: bill at horne.net (Bill Horne)
- Date: Wed, 01 Oct 2014 11:07:21 -0400
- In-reply-to: <97536932fc3b42cabcd886436ef02fff@CO2PR04MB684.namprd04.prod.outlook.com>
- References: <fb73f4b8a491577a02de5fcaf7779293.squirrel@webmail.ci.net> <de529929c36240babe4229ad818da975@CO2PR04MB684.namprd04.prod.outlook.com> <542B5DBC.2090805@horne.net> <9c6cf155f2b6480985a30ea427dae562@CO2PR04MB684.namprd04.prod.outlook.com> <CAJFsZ=rK+pys68ysVGw5Hs4gxv2oQhjh+_y271bxSsdc_n=bvA@mail.gmail.com> <97536932fc3b42cabcd886436ef02fff@CO2PR04MB684.namprd04.prod.outlook.com>
On 10/1/2014 9:32 AM, Edward Ned Harvey (blu) wrote:
>> From: Bill Bogstad [mailto:bogstad at pobox.com]
>>
>> It seems like whenever people start talking about computer security, there is a
>> tendency to shoot for the maximum theoretically possible. We don't do
>> that when it comes to our cars or homes, but it does with computers.

Computers comprise one class of devices which need security based on the worst possible outcome of theft or misappropriation; like nuclear weapons and barrels of hazardous waste, it is what *MIGHT* happen that counts. By themselves, such things are wicked reminders of the age we live in, but otherwise unremarkable: when taken out of responsible hands, they become more important than their components.

The maximum theoretical threat is also the maximum practical one for such things: a computer user who is concerned that his emails to his mother might become public knowledge will choose a more robust security model than someone who is trying to protect the cheat codes for Doom.

> [snip]
>
> However, the place where I disagree with TrueCrypt is here: When I deploy BitLocker, I am not deploying a system intended to thwart the NSA. I am deploying a system intended to thwart laptop thieves from retrieving the company financial data, credit card database, product design files, etc. which are valuable on the black market. I have actually worked at a chip company before, where we discovered our own product was pirated and sold on the black market. One of our sales reps went to a meeting in Taiwan, and in that meeting they asked us, "Why should we buy your product when we could get the same thing from these other guys?" And they proceeded to show us our own slides with some other company's logo on them.
>
> To protect against this type of attack, no we do not need 256 bit, or even 128 bit. To protect against this type of attack, the mere existence of a password prompt is probably sufficient - even if your password is "baby" but probably not if your password is "password."

To protect against *WHICH* kind of attack? Any company with proprietary data to protect *MUST* deal with the Defender's Dilemma and prepare for all realistic attacks, and any soldier will tell you that it does no good to put razor wire and mines around 99% of the perimeter if you don't have trustworthy and well-monitored employees walking in through the gate. Sad to say, the odds are that those slides leaked out through human hands, not mechanical failures.

> It's nice to eliminate the hassle of entering two passwords every time. I'm strongly in favor of using the TPM for everyday security, even if the NSA might have backdoored them all. You want something to thwart the NSA? You need plausible deniability.
>

No amount of denial will be plausible when an employee gets a subpoena from the FISA court: they will deliver corporate secrets to the NSA with gift wrapping and a bow. Corporate stakeholders might want to be able to deny something in court, but very few threats come with legal memorandums attached, and it doesn't matter if a denial is "plausible" when $5 wrenches are in evidence: the wrenches will be used, for the same reason that Orwell shot the elephant: the decision to use them was made when someone picked them up and brought them.

Technical professionals such as we tend to think in terms of technical threats and technical solutions to them. Security professionals tend to think in terms of which attack vector has the best chance of success, but they must be willing to think of *ALL* possible attacks, not just those which have been tried in the past. It does no good to prohibit buses from running under the Pentagon, when a fully armed, loaded, and deliverable field-coverage weapon can be had for the price of an airline ticket and a free trip to heaven. It does no good to protect the data in a laptop if it is also available to a junior clerk whose rent is past-due.

FWIW. YMMV.

Bill

--
E. William Horne
William Warren Consulting
339-364-8487