Too Many Secrets, or, Encrypt Your Disk

Here, we have another story about lost laptops and personal data in the open. I always have two reactions to these stories:

  • Man, I need to turn on FileVault!
  • The real problem is that all our systems are crackable if you know my first dog’s name (Huckleberry) or mother’s maiden name (Murphy).

SSN? Those are a joke. For example, until a few years ago, UT used them as your student ID. Countless other places use them, and you have to casually hand them out for everything like ordering pizza.

You might as well tattoo your SSN on your forehead.

As I’ve said before, I’m (theoretically, see below) in favor of living the naked life when it comes to data privacy. I want to protect the integrity and authenticity of my data, but there are very few things I’d want to hide.

Please Don’t Hack the Coté

Sure, I bet there’s plenty that would be embarrassing and would prevent me from running for even Neighborhood Dog Catcher, but there’s nothing that would destroy my life. Such braggadocio is kind of like saying “Bloody Mary” 13 times and hoping she won’t pop out of the mirror.

That is: this is not an invitation to test out my theories. Please do not hack me.

The problem is that our systems are built around keeping data hidden instead of securing our systems. Worse, most of our systems aren’t built around keeping our data hidden or securing our systems; they’re built around punishing people once they’ve cracked the system.


I remember the shock we all had back in the FundsXpress days when we realized how insecure most bank networks are. The amount of security fretting we did was ironic in the face of how insecure the bank system was by nature. As I recall, as long as you had a set of well-used golf clubs, you could just ACH whatever amount you wanted from wherever you wanted.

Meanwhile, this was the company whose security culture consisted of The Mighty Kult of Kerberos and all but punching you in the gut if you looked at someone while they typed in a password. Those were all good habits, mind you (a genuine thanks goes to hartmans for putting me through security boot camp way back then); though Kim still laughs at me when I get all uneasy after she asks me for a password.

Direct Hacking

In the end though, our security was strictly CYA in the otherwise incredibly insecure banking world.

Anyone who’s worked for a large company with direct deposit has experienced this:

Whoops [the email from HR/accounting will read] we accidentally paid you twice, so we’re pulling the money out of your account. H-dog Out!

I mean, we don’t even have email recall on the ‘net, and yet in the world of hard-cash, they can just over-pay you and then pull the money out of your account with a few phone calls.

That system is just a few poorly placed decimal places away from another email:

Whoops! We accidentally withdrew $10,000 from everyone’s account. Please fill out these 6 forms and kill a chicken to avoid paying $5,000 in over-draft charges. Sorry! Kisses! P.S.: send all complaints to [email protected]

Baddies are Real

At the group level, it’s probably cheaper to spend less up front and just handcuff the baddies once they commit crimes. At the individual level, of course, it means days of hassle, years of credit report crap, and altogether a terrible experience.

What this means is that, despite my desire to live free and reckless with my personal data, I have to worry about encrypting it, peppering numbers and weird characters into my passwords, and all manner of annoying things, like shredding all my bills.

I would say that it means that all software and IT must be equally secure, but we’ve said that forever, and the industry doesn’t listen. Supposedly, Vista will solve all our problems, but I have too much faith in history repeating itself to bank on that. I don’t doubt that the OS will be more secure, but I do doubt that people will use that more secureness if it’s not turned on by default, or even if there’s a way to turn it off. That’s part of the reason that *nix is so secure: there is no other way to run it. And *nix is still hacked.

A SaaSy Poke-Stick

The only upside to all this (aside from revenue for security software), as James pointed out, is that companies worrying about leaking their precious data outside the firewall is totally bogus. As the countless lost laptops and backup tapes show, the IT world isn’t quite playing its A-game when it comes to protecting data, no matter how many firewalls are involved.

So, instead of balking at the notion of shooting all the data up into the cloud with much hand-waving about security, we should really be discussing how we can encrypt and protect the data no matter where it is. My hunch is that the cloud will be a lot easier to secure than those tapes in Melvin’s briefcase while he’s tying one off at the Friday’s.

Disclaimer: Microsoft is a client.

Categories: Compliance.