Comments on: On laptops, sexy pictures, and encryption

By: Jesse Hirsh

Jesse Hirsh — Sun, 24 Feb 2008 21:57:27 +0000

Hi Andrew, I agree with your points re: using encryption, which even in the face of the news you cite, is still worth the trouble.

I however disagree that it’s difficult to find someone who is skilled, trustworthy, and willing to make house calls. Certainly here in Toronto such people are in abundance if you’re willing to look. I also disagree with your rejection of my suggestion that education be part of the process. I feel if you’re paying someone to work on your computer they should also walk you through what they’re doing so you can be empowered by the process.

-jesse

By: Andrew

Andrew — Fri, 22 Feb 2008 19:05:41 +0000

@Benjamin:

I don’t think the specific vulnerability of keys being available briefly in dynamic memory is an argument against mandating encryption. As my colleage Jon Callas of PGP Corp. has said, this is an “edge condition” that occurs rarely:

Callas still thinks the attack is an “edge condition” attack — meaning that it’s an attack that relies on specific and not-common situations. In this case an attacker would need to get access to a computer while it was at the traditional login prompt or within minutes of it being shut down.
http://blog.wired.com/27bstroke6/2008/02/encryption-stil.html

I do think that there are other arguments, as you point out in the article you reference. Mandating encryption makes no sense without understanding the entire business process and the complete threat model. I do think that encryption is under-used in many cases, but it is not a magical technology that will fix everything.

By: Benjamin Wright

Benjamin Wright — Fri, 22 Feb 2008 17:57:24 +0000

Andrew: The story about encryption vulnerability is another reason governments and legislatures are unwise to madate encryption as a data security procedure. http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html