>Jeffrey, I seem to be missing your point. Are you suggesting that if I
>call up pretending to be a reporter, a company would give me the keys
>necessary to decrypt their data? If not, then what information do you mean?
>
>Knowing what encryption technique was used is a start toward decrypting
>the data, but as you say it can still take a long time.

Bruce - Not the keys, just the method - the tools used to create the tape. Part of Hal's original argument was that it would be difficult to get data even from an unencrypted tape without knowing how the tape was created. That in a sense, it was "encrypted" and the key was the set of tools used to create it. Then also, he mentioned that knowledge of the file layout might also be necessary to gain any useful information from the data.

It's an opinion I've argued myself with others here in my shop. Best example, my BCP tapes, which would require intimate knowledge of my disk hardware and two pieces of software in order to recover the data. Just dumping the raw data from the tape results in complete nonsense. Someone would have to go through the recovery process to get readable data. In a sense, then, knowledge of that process constitutes the key to data which is otherwise unintelligible, or 'encrypted'. (Not to mention the not so trivial task of obtaining access to the hardware and software necessary to exercise that recovery process.)

Yes, claiming the simple fake reporter method would yield all the necessary information is a bit of a stretch, but the point is the information is obtainable. There are numerous people outside of my organization that are aware of the tools I use to create my BCP backups. Heck, I think that info is in this listserv's archive! So I don't get to consider it encrypted.

Back to my understanding of the measure of the strength of an encryption solution - the time it would take someone to get to the original data if they really wanted to. Yes, it's complicated, and yes it's expensive, but someone could, if they wanted to and had the resources, still get to that data in a fairly short amount of time. So I have to actually encrypt it in order to ensure that the data cannot be compromised.

As I see it, it's not the auditors demanding that data be encrypted in order to ensure data security, it's the customers.
I know an individual who had their personal information stolen and used in a malicious manner. Granted, it was not from a lost backup tape, but it certainly was not pretty. And so, I can understand the current wave of notification legislation. People want to know that the companies they deal with are doing everything possible to ensure it does not happen to them.

And so, I'm happy to do my part by encrypting the sensitive data I'm responsible for - even that data which is already really hard to get to.

Jeffrey Deaver, Senior Analyst, Systems Engineering
651-665-4231

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

