Bruce Schneier recommends a good cleaning and PGP (or TrueCrypt).

More on PGP here. I also use Cache Out X for clearing internet and system caches, as well as system logs.

Sadly, the headline is somewhat amiss.

Researchers have actually figured out a way to steal data from hard disks which are encrypted in full by operating systems’ resident protection schemes. In other words, I don’t believe this method would work on file/container encryption with passphrases (which happens to be my personal preference).

After the Veterans Administration wrote the script for downplaying risk, when tens of millions of data records were stolen out of an employee’s home, the Bush Administration issued an edict - encrypt all data on government laptops.

Good idea, but nobody’s listening. Wonder what the TSA’s “100,000″ number will grow to?

I wish I could say I am shocked and bewildered that the recent data theft out of the State of Ohio was more than 15 times worse than Ted Strickland & Co. made it out to be when the physical drive (?) was stolen out of an employee’s car, but alas I cannot. I wish I had a more sarcastic way to put it too, but Carlo over at Techdirt did a pretty good job of that. Meanwhile, I’ve recently heard that sarcasm is symptomatic of passive-aggressive behaviour, and since an old girlfriend once told me I was the only man she ever dated that wasn’t “PA,” I’m going to respect her opinion and refrain from sarcasm from this day forward.

Ok, maybe not…

It’s not as though Ohio didn’t see this coming - it’s been going on in the Buckeye state for some time. Then again, does anyone in bureaucracies ever know what is actually going on? If they did, would they even care? Or are they just so attuned to stretching the truth that they just don’t know how to shut up, even in the face of stone cold evidence waiting to rear it’s ugly head?

No matter. When the “powers that be” come out with statements like this:

“He’s actually in line with our conclusions that it would be very difficult for someone without special knowledge and understanding to actually access that piece of information.”

…you know someone is speaking for someone else right before they get handed their pink slip. “Very difficult?” “Special knowledge?” The spokesperson is either completely insane or oblivious to the fact that there are third world countries full of brilliant mathemeticians, since cast into the shadows of unemployment and looking feverishly for work on internet message boards.

The same types of folks create stuff like this:
            

Add this:
               

And wind up with this:
    

And that’s for a few hundred bucks, based on some handwritten notes a moron like me scratches on the back of an envelope over three Blue Moon drafts, and faxes over to him at his office at the local community college. I use such strokes of amatuerism to create graphs on a very stupid, highly unsuccessful website I built for a few thousand bucks more.

If I can rally such idiots to produce algorithms at a price equal to a steak dinner in New York proper, for something I will never see a return on my investment for, you can be assured that there is someone out there that can crack the encryption on a device left in the back of a government clerk’s car that contains social security and bank account numbers on a million people, just for throwing in a bottle of 1999 Chateau Pichon Lalande.

UPDATE: None of this matters anymore - a scapegoat has been caught, tried, and hung. That’s how it works.

The talk is directed at Bitlocker, the full disk encryption in Windows Vista, but it applies to all similar methodologies.

It’s simple. Fools don’t have physically secure, unencrypted backups. Fools think everything should run like lightning, regardless of the strain on the system. And, of course, fools lose passwords.

Doesn’t sound foolproof.

Might I suggest using virtual disk encryption, like that offered by PGP. It is slightly more cumbersome but puts less strain on the system and the “product” is portable - better design for fools (like me).

Now that is saying something, since it is presently January 6th. No, I’m not the one saying it - some security researchers are, and those researchers are implying it could be the biggest bug of the whole year (but I think that is only because they know Acrobat Reader has a huge install base, and most people are too dumb to bother implementing a patch when it does arrive).

Adobe has been on a decent streak as of late, so no better time to try and kick them down. The bright side of this is that it is free software we’re dealing with, so at least you didn’t pay to have your computer screwed up.

Note: Spamroll wins, however - a new category has been started - Software Bugs! Report quirks at your leisure.

UPDATE: Speaking of free software in need of patching…OpenOffice. I need to do it too, OpenOffice being a great tool for parsing small database tables when readying for import - Excel for Mac does a crappy job at it.

UPDATE 2: Since I’m on a free software binge this morning (while the dog pesters me for a walk), Dr. Dobbs notes that the free TrueCrypt encryption software is a hell of a way to thwart phishers. Check it out.

It is the last day of 2006. What better time for predictions…

From the experts:

• The security threats that will bind us in 2007

• If you are more inclined to make (or lose) money next year, here’s “the take” from the Washington Post

Spamroll says:

• Spam will not end in late January (and Bill Gates will remain mum thereafter)

• Some spyware companies will be getting sued again by February, while the rest change their company name
• The government will quit buying consumer data in March, after determining that who is buying TMX Elmo is in no way correlated with who has a tendency to be a terrorist
• Everyone will be backing up their hard drives by April, but only if external hard drives are free
• They’ll be encrypting them by May, because everyone will be running hacked versions of Vista
• We’ll all take the summer off, since phishers already do
• Back-to-school will piss off millions of children, and not much else
• October will be much like September
• Telcos will implement IPv6 for Thanksgiving, and everyone on the internet will know who everyone else is, once and for all (with the exception of MacBook Pro users, which are already being tracked via heatsink)
• We’ll get a ton of self-serving predictions for 2008, a week early at Christmas

Happy New Year!

UPDATE: Sarcasm does work - someone is thinking about backup.

I am not a lawyer. Let’s repeat, I am not a lawyer. But I am not a criminal (as far as I know), and I am a laptop encryption user (and a fervent believer in it). Now, I am going to opine on a story…

A guy, one Joseph Edward Duncan II, is accused of murder and kidnapping (i.e. the parents were murdered, and the children were kidnapped). The FBI confiscated a laptop of his, and despite their best efforts, they can’t crack its encryption.

The computer key may provide Duncan some negotiating leverage in the next few weeks when authorities file federal charges that are expected to carry the death penalty. ‘Federal authorities are going to attempt to execute my client,’ said Roger Peven, Duncan’s federal public defender. ‘This is something I’d be happy to talk with federal authorities about.’ Peven is the only person other than Duncan to have seen some of the contents of the laptop. He has declined to say what he saw on the computer.

What is right with this picture is that encryption works. If you are storing sensitive personal and business documents on your machine, I’d bet a thief is not going to get into it any easier that the FBI, if properly encrypted. What a great system.

What is wrong with that picture? Well, this human (if you can call him that), killed a family so he could kidnap a couple of innocent kids to satisfy his sick sexual desires. Authorities found one dead child and another in a terrible state. Duncan plead guilty. Now his lawyer, who has seen the laptop contents, is using the laptop as leverage to keep Duncan alive.

Very sad system indeed.

The VA, who lost a laptop then found it, declaring the data had not been tampered with, has decided to listen to the White House. They are taking the high road, and going to encrypt all laptop data (actually, all sensitive data, which I assume includes that which resides on desktops as well).

All I can say is congratulations. They are “getting it.”

With all the talk of net neutrality, government snooping, and telco conspiracies, you’d think that web companies would be worried sick. Yet, nobody is running around like a chicken with their head cut off. Techdirt Mike thinks government meddling is going to increase the use of encryption technologies, and I could not agree more. I also believe that is exactly why those slaughtered chicken imitators are so scarce. Internet buffs (and drooling entrepreneurs) know something the bureaucrats can’t ever figure out - like life itself, technology always seems “to find a way.”

Get ready for open, cheap, hardcore stealth communications of the likes you may have never dreamed about (unless you are Kevin Mitnick or Bruce Schneier or Phil Zimmerman). It will be here sooner than you think.

PS: to add to the mess and the potential for distraction: as EmailBattles notes, more data is stolen from governments via burglary than hacking. The government should be worrying more about lock and key, security door, and window bar manufacturers, which in all their intelligence and glory they will probably move to regulate forthwith.