Wednesday, March 5, 2008

Full disk encryption for all!

To echo Bruce Schneier's comments, it's important to encrypt the data on your laptops. Yes, the laptops get stolen, they get lost and your private data is on them. So if you scramble up that data (using an encryption product), then you are somewhat insulating yourself from having that data stolen.

A new attack was introduced by Ed Felten and his band of merry Princeton grad students a week ago, which showed how to steal the encryption key and gain access to hard drive data, even if the data is encrypted. Let's just say, this is not an attack that most of you need to worry about. You are still much better off encrypting your data than not encrypting your data.

I personally use the FileVault capability within Mac OS X. There are a bunch of 3rd party utilities, but FileVault works fine for me. I don't see any reason to make it harder than it needs to be.

Tuesday, March 4, 2008

There is no 100% security

I've seen a couple of data points recently where folks have published personal information, with the idea that the bad guys couldn't use it for identity theft. They were wrong and pretty stupid for doing it in the first place.

The first is Todd Davis, CEO of a company called LifeLock. I'm actually a customer and they do identity theft protection services. They've built a marketing campaign around this guy publishing his Social Security Number and challenging the bad guys to try to rip him off. You've probably seen the ads.

He did get compromised. How? Basically, there was a failing on the part of a 3rd party that didn't do the proper credit authorizations. This had nothing to do with LifeLock, but he was compromised nonetheless.

The second example is a UK media personality called Jeremy Clarkson. This guy published his bank account and it was then looted by an identity thief. Of course, these are outlandish examples of people doing stupid things to prove a point. And they did just that.

The moral of the story is not to paint a target on your head. There is no way to be 100% secure. That's why credit monitoring and making sure you understand exactly what is happening in your bank and credit accounts is so important. If you know something is an issue, you can start working immediately to fix it and hopefully contain the real damage.

Photo credit: alicetiara

Monday, March 3, 2008

Are you clean? Let Google decide for you.

Interesting post on Roger Thompson's blog here about Google (in their infinite wisdom) deciding to block organic search links to sites they deem "bad." 90% of the time this works and is a good thing. If there is malware hosted on a site, you want Google to be blocking access from the search engine.

But what if there isn't malware there? What if it's a case of mistaken identity? The idea that it could take 12 months to get this fixed would do significant damage to the web sites that are mistakenly accused.

The answer? Actually there isn't one. You should be using a tool like Roger's LinkScanner or McAfee's SiteAdvisor as a matter of practice (yes, it's one of Security Mike's suggestions). But there isn't much you as a user can do besides cutting and pasting the URL into your own browser, which is a pain in the backside.

Although hope is not a strategy, we can only hope that Google is right a lot more often than they are wrong...
