On 11/04/2014 10:27 AM, Richard Pieri wrote:
> The encrypt everything ideology is nothing more than security theater:
> do something that provides a warm and fuzzy feeling without addressing
> the real problem of poor or nonexistent physical security. If you
> maintain good physical security then the devices won't be lost or stolen
> in the first place.

I think that's a bit unfair; physical security can be just as difficult in practice as software security. I once timed AAA unlocking a car whose keys were locked inside: 11 seconds from walking up to the car to open door. Criminals have the same tools.

Not everyone can have a bank vault to put their computers in. Whole-disk encryption is decent protection against thefts of opportunity. Thefts of opportunity (i.e. you weren't specifically targeted for theft, you were just in the wrong place at the wrong time) aren't after the data, they just want to resell the hardware. If the data is easily accessible and can be easily determined if there's additional value, all the better. But if there's significant cost to even figuring out whether the data on that laptop has value, it's usually not worth it.

It's much harder to defend against targeted thefts, because you have to assume that the thief will employ every possible trick to get the data from your laptop (and shutting down your laptop doesn't necessarily make your encryption key unrecoverable from memory: https://freedom-to-tinker.com/blog/felten/new-research-result-cold-boot-attacks-disk-encryption/ )

Matt