On 10/1/2014 9:32 AM, Edward Ned Harvey (blu) wrote:
From: Bill Bogstad [mailto:[email protected]]

It seems like whenever people start talking about computer security, there is a
tendency to shoot for the maximum theoretically possible.  We don't do
that when it comes to our cars or homes, but it does with computers.

Computers comprise one class of devices which need security based on the worst possible outcome of theft or misappropriation; like nuclear weapons and barrels of hazardous waste, it is what *MIGHT* happen that counts. By themselves, such things are wicked reminders of the age we live in, but otherwise unremarkable: when taken out of responsible hands, they become more important than their components.

The maximum theoretical threat is also the maximum practical one for such things: a computer user who is concerned that his emails to his mother might become public knowledge will choose a more robust security model than someone who is trying to protect the cheat codes for Doom.

[snip]

However, the place where I disagree with Truecrypt is here:  When I deploy bitlocker, I 
am not deploying a system intended to thwart the NSA.  I am deploying a system intended 
to thwart laptop thieves from retrieving the company financial data, credit card 
database, product design files, etc. which are valuable on the black market.  I have 
actually worked at a chip company before, where we discovered our own product was pirated 
and sold on the black market.  One of our sales reps went to a meeting in Taiwan, and in 
that meeting they asked us, "Why should we buy your product when we could get the 
same thing from these other guys?"  And they proceeded to show us our own slides 
with some other company's logo on them.

To protect against this type of attack, no we do not need 256 bit, or even 128 bit.  To protect 
against this type of attack, the mere existence of a password prompt is probably sufficient - even 
if your password is "baby" but probably not if your password is "password."

To protect against *WHICH* kind of attack? Any company with proprietary data to protect *MUST* deal with the Defender's Dilemma and prepare for all realistic attacks, and any soldier will tell you that it does no good to put razor wire and mines around 99% of the perimeter if you don't have trustworthy and well-monitored employees walking in through the gate. Sad to say, the odds are that those slides leaked out through human hands, not mechanical failures.

It's nice to eliminate the hassle of entering two passwords every time.  I'm 
strongly in favor of using the TPM for everyday security, even if the NSA might 
have backdoored them all.  You want something to thwart the NSA?  You need 
plausible deniability.


No amount of denial will be plausible when an employee gets a subpoena from the FISA court: they will deliver corporate secrets to the NSA with gift wrapping and a bow. Corporate stakeholders might want to be able to deny something in court, but very few threats come with legal memorandums attached, and it doesn't matter if a denial is "plausible" when $5 wrenches are in evidence: the wrenches will be used, for the same reason that Orwell shot the elephant: the decision to use them was made when someone picked them up and brought them.

Technical professionals such as we tend to think in terms of technical threats and technical solutions to them. Security professionals tend to think in terms of which attack vector has the best chance of success, but they must be willing to think of *ALL* possible attacks, not just those which have been tried in the past. It does no good to prohibit buses from running under the Pentagon, when a fully armed, loaded, and deliverable field-coverage weapon can be had for the price of an airline ticket and a free trip to heaven. It does no good to protect the data in a laptop if it is also available to a junior clerk whose rent is past-due.

FWIW. YMMV.

Bill

--
E. William Horne
William Warren Consulting
339-364-8487

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
