Britain’s Privacy Chernobyl
December 15th, 2007How to Secure Your Computer, Disks, and Portable Drives
Computer security is hard. Software, computer and network security are all ongoing battles between attacker and defender. And in many cases the attacker has an inherent advantage: He only has to find one network flaw, while the defender has to find and fix every flaw.
Cryptography is an exception. As long as you don’t write your own algorithm, secure encryption is easy. And the defender has an inherent mathematical advantage: Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.
Unfortunately, cryptography can’t solve most computer-security problems. The one problem cryptography *can* solve is the security of data when it’s not in use. Encrypting files, archives — even entire disks — is easy.
All of this makes it even more amazing that Her Majesty’s Revenue & Customs in the United Kingdom lost two disks with personal data on 25 million British citizens, including dates of birth, addresses, bank-account information and national insurance numbers. On the one hand, this is no bigger a deal than any of the thousands of other exposures of personal data we’ve read about in recent years — the U.S. Veteran’s Administration loss of personal data of 26 million American veterans is an obvious similar event. But this has turned into Britain’s privacy Chernobyl.
Perhaps encryption isn’t so easy after all, and some people could use a little primer. This is how I protect my laptop.
There are several whole-disk encryption products on the market. I use PGP Disk’s Whole Disk Encryption tool for two reasons. It’s easy, and I trust both the company and the developers to write it securely. (Disclosure: I’m also on PGP Corp.’s Technical Advisory Board.)
Setup only takes a few minutes. After that, the program runs in the background. Everything works like before, and the performance degradation is negligible. Just make sure you choose a secure password — PGP’s encouragement of passphrases makes this much easier — and you’re secure against leaving your laptop in the airport or having it stolen out of your hotel room.
The reason you encrypt your entire disk, and not just key files, is so you don’t have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don’t need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: no problem; the laptop is encrypted.
PGP Disk can also encrypt external disks, which means you can also secure that USB memory device you’ve been using to transfer data from computer to computer. When I travel, I use a portable USB drive for backup. Those devices are getting physically smaller — but larger in capacity — every year, and by encrypting I don’t have to worry about losing them.
I recommend one more complication. Whole-disk encryption means that anyone at your computer has access to everything: someone at your unattended computer, a Trojan that infected your computer and so on. To deal with these and similar threats I recommend a two-tier encryption strategy. Encrypt anything you don’t need access to regularly — archived documents, old e-mail, whatever — separately, with a different password. I like to use PGP Disk’s encrypted zip files, because it also makes secure backup easier (and lets you secure those files before you burn them on a DVD and mail them across the country), but you can also use the program’s virtual-encrypted-disk feature to create a separately encrypted volume. Both options are easy to set up and use.
There are still two scenarios you aren’t secure against, though. You’re not secure against someone snatching your laptop out of your hands as you’re typing away at the local coffee shop. And you’re not secure against the authorities telling you to decrypt your data for them.
The latter threat is becoming more real. I have long been worried that someday, at a border crossing, a customs official will open my laptop and ask me to type in my password. Of course I could refuse, but the consequences might be severe — and permanent. And some countries — the United Kingdom, Singapore, Malaysia — have passed laws giving police the authority to demand that you divulge your passwords and encryption keys.
To defend against both of these threats, minimize the amount of data on your laptop. Do you really need 10 years of old e-mails? Does everyone in the company really need to carry around the entire customer database? One of the most incredible things about the Revenue & Customs story is that a low-level government employee mailed a copy of the entire national child database to the National Audit Office in London. Did he have to? Doubtful. The best defense against data loss is to not have the data in the first place.
Failing that, you can try to convince the authorities that you don’t have the encryption key. This works better if it’s a zipped archive than the whole disk. You can argue that you’re transporting the files for your boss, or that you forgot the key long ago. Make sure the time stamp on the files matches your claim, though.
There are other encryption programs out there. If you’re a Windows Vista user, you might consider BitLocker. This program, embedded in the operating system, also encrypts the computer’s entire drive. But it only works on the C: drive, so it won’t help with external disks or USB tokens. And it can’t be used to make encrypted zip files. But it’s easy to use, and it’s free. And many people like the open-source and free program, TrueCrypt. I know nothing about it.
This essay previously appeared on Wired.com.
Why was the UK event such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There’s already a larger debate on the issue of a database on kids that this feeds into. And it’s a demonstration of government incompetence (think Hurricane Katrina). In any case, this issue isn’t going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More fallout is probably coming.
[…]
http://www.schneier.com/crypto-gram-0712.html
UK’s privacy Chernobyl:
http://www.timesonline.co.uk/tol/news/uk/article2910705.ece
http://news.bbc.co.uk/1/hi/uk_politics/7104945.stm
http://politics.guardian.co.uk/economics/story/0,,2214566,00.html
http://www.timesonline.co.uk/tol/news/uk/article2910635.ece
http://www.theregister.co.uk/2007/11/21/response_data_breach/
U.S. VA privacy breach:
http://www.wired.com/techbiz/media/news/2006/05/70961
PGP Disk:
http://www.pgp.com/products/wholediskencryption/
Choosing a secure password:
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
http://www.iusmentis.com/security/passphrasefaq/
Risks of losing small memory devices:
http://www.schneier.com/blog/archives/2005/07/risks_of_losing.html
Laptop snatching:
http://tinyurl.com/fszeh
TrueCrypt:
http://www.truecrypt.org/
Of course, we now know that authorities cannot tell you to decrypt your data for them in the USA. If you insist on working for and in fascist countries or countries with fascist legislation like the United Kingdom, Singapore and Malaysia, then you must expect that your rights disappear the moment the tires of the airplane touch the landing strip in these places, and that you may be subject to a decryption order. Much better to carry a blank laptop with you and then log into your system over an encrypted link rather than carry fully loaded email clients with you.
You can fully expect all of these bad laws to be dropped once businessmen from the United Kingdom, Singapore, Malaysia and other countries get their laptops copied wholesale, or when people stop doing business with them out of principle…ummmm probably not going to happen, right?
Avid readers of BLOGDIAL will remember the utter nonsense of the Sudanese government stealing laptops:
The government of Sudan started seizing and quarantining laptop computers for inspection last week, ostensibly to stem the import of pornography and seditious material.
remember now?
Apparently it occurred to government officials that they didn’t understand what was in the devices and that the devices might be the conveyance for objectionable material.
A beautifully understated assessment :)
The immediate effect of the quarantines and data inspections is sure to be a dampening of business interest in an already risk-fraught environment. Over the long term, however, silly rules regarding technology tend to be corrected by individuals’ use of even more advanced technology. Governments rarely win this sort of oneupsmanship.
And so on:
http://irdial.com/blogdial/?p=453
I have been encouraging the adoption of PGP/GPG for ages. The tools to use it are now as easy as switching a light on and off, even if the underlying concepts remain impenetrable to all but people with A-Level maths. If you have the time and the need for it, you can use it with ease. It is possible to do everything you need to do without it, but do not complain that people are reading your email; those complaints are what is unacceptable today.
There has never been a time in man’s history where you could communicate in complete, guaranteed privacy over any distance. No surveillance system can break into properly deployed PGP/GPG communications. All those who complain about the government monitoring their email but who do not use PGP/GPG do not get and cannot expect any sympathy.
You have an umbrella, yet you prefer to get soaked to the skin when it rains.
You have fire, but you choose not to light it and to stay damp and wet.
That is called STUPIDITY and there are no two ways about it.