sungate.co.uk

Ramblings about stuff

Misc notes and bits ‘n’ pieces

Sparkes has now officially left LUG-Radio. His final episode, Season 2 Episode 2, is available for download. I have a mirror copy of the high-quality Ogg Vorbis file available here. Be warned that this is an audio recording of Four Blokes Who Talk About Linux And Free Software But Occasionally Say Rude Words – don’t download it if you’re easily offended by bad language. Sparkes also said a few nice things about me in his own blog posting about it, which was good of him. Him thanking me, me thanking him, just like a posh awards ceremony, isn’t it? “And The Award for Funniest Geek From Wolverhampton goes to …” 😀

Comment spam, and indeed comment spam attempts, has subsided a little over the last 24 hours. In particular, the individual mentioned in my previous post has given up at last.

And a bit of schadenfreude, which is always welcome. A number of months ago, I raised a purchase order for a USB flash drive which Head Office blocked, because I hadn’t chosen a “secure” version. I replied that if encryption is required for the data to be stored on it, then we would use GPG or something similar. No, no, no, they said, you must use this USB drive because it has onboard proprietary encryption. I asked them why I should trust the “proprietary” solution when there is a peer-reviewed, well-trusted and widespread solution (in encryption circles, “proprietary” is an evil word, yet some people Just Don’t Get It). I said that one day an implementation issue with the security on the USB drive they were suggesting would probably surface, and, guess what, it has! The data is indeed ‘properly’ encrypted on the drive, but the passphrase is stored unprotected on the drive too. This is rather like having a bank vault door, which is truly very strong, but leaving the combination codes or keys taped to the door. As the esteemed Bruce Schneier points out, “screwing it up this badly is impressive”.
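The two designs contrasted in this paragraph, as an added example (my own illustration, not the post author’s code nor the drive vendor’s; PBKDF2 and an HMAC-SHA256 keystream stand in for whatever the real device uses): the flawed image stores the passphrase beside the ciphertext so the device can compare it with what is typed, while the sound image stores only a salt and a key verifier, so nothing on the device reveals the passphrase.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 50_000  # kept low for the demo

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> 32-byte key; the device stores the salt, never the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: HMAC-SHA256 keystream XORed over data (demo only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ctr = nonce + (off // 32).to_bytes(4, "big")
        block = hmac.new(key, ctr, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def flawed_format(passphrase: str, plaintext: bytes) -> dict:
    """The post's scheme: real encryption, but the passphrase is written to the device."""
    salt, nonce = os.urandom(16), os.urandom(12)
    ct = xor_stream(derive_key(passphrase, salt), nonce, plaintext)
    return {"salt": salt, "nonce": nonce, "ct": ct,
            "stored_passphrase": passphrase.encode()}  # the defect: the key taped to the vault

def flawed_unlock(image: dict, typed: str):
    # Firmware compares the typed passphrase with the stored copy.
    if typed.encode() != image["stored_passphrase"]:
        return None
    return xor_stream(derive_key(typed, image["salt"]), image["nonce"], image["ct"])

def sound_format(passphrase: str, plaintext: bytes) -> dict:
    """Hash-derived key; the device keeps a key verifier, never the passphrase."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(passphrase, salt)
    verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": xor_stream(key, nonce, plaintext),
            "verifier": verifier}

def sound_unlock(image: dict, typed: str):
    key = derive_key(typed, image["salt"])
    check = hmac.new(key, b"verifier", hashlib.sha256).digest()
    if not hmac.compare_digest(check, image["verifier"]):
        return None  # wrong passphrase; nothing stored reveals the right one
    return xor_stream(key, image["nonce"], image["ct"])

def passphrase_on_device(image: dict) -> bool:
    """Audit check: does the raw device image alone contain the passphrase?"""
    return "stored_passphrase" in image
```

Both formats reject a wrong passphrase; the difference is that anyone who reads the raw flash of the flawed image holds the passphrase, while the sound image gives them only a salt, a verifier and ciphertext.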

Oh, and finally, the second part in my Debian: From Installation To Infinity series will probably be out soon.

8 Responses to Misc notes and bits ‘n’ pieces

  1. USB keys…

    never mind, just use your iPod instead :-).

    And of course this is from HQ, where the policy seems to let smb/cifs broadcasts over the WAN, and not address the ‘real’ issues of Windows security rather than messing with USB key purchasing.

    BTW seen a 1GB USB key for £81 on the Cowley Road!

  2. not address the ‘real’ issues

    Well that’s the point really, isn’t it? Although in this case, all the hundreds of individuals they’ve ‘forced’ this particular USB device on are now walking around with something which, if lost or stolen, can be easily read by others without needing to know the password.

    I guess the Lexar implementation relies on ‘comparing the user-typed password with the version of it on the device’, rather than the more obvious (and more secure) ‘use a hash of the password as the key’. It strikes me as hard to believe that this was a mistake – it seems more like a deliberate backdoor so that forgetful employees don’t lose their data when they lose their password.

    I never recommend that anything sensitive is stored on USB keyrings anyway. There’s not normally any need.

  3. worst security – when you THINK you’re secure!

  4. I wonder if the laptops at HQ have encrypted drives??? Why the special case for USB drives?

  5. Why the special case for USB drives?

    Quite. I asked them that at the time and they gave no answer other than “USB drives are more easily lost or stolen”, which kind-of misses the point. I don’t think they use any encrypted drives. On our laptop users, those with sensitive data have a PGP-Disk volume – then the encryption is fairly transparent to the user.

  6. hmm laptops..

    A couple of jobs back one of my colleagues was a heavy Debian user (more unusual in the late ’90s).

    Anyway he left and went contracting in the City. One day he stops at a bar on the way home from work, pops his laptop down at his feet and consumes a quick beer. 2 mins later he notices the laptop is gone ;-(

    So he trots off to the local police station so he can get a crime number for the insurance. The police give him a number and assure him there’s little chance of him seeing the laptop ever again.

    Anyway the next day he gets a call from some chap informing my friend that he’d left his laptop on the 6pm train from Liverpool St. to Ipswich; the gentleman had found the computer, opened up the case and found his business card in it. Could they meet to return his laptop?

    My friend, who had never been on this train (and had no wish to travel to Ipswich), was grateful to the security of Debian that had returned his laptop.

    The thief had obviously got on the train to go home, opened up the laptop and on boot was greeted by….

    Welcome to Debian/GNU Linux
    Login:

    He’d then realised he wasn’t in Kansas anymore and dropped the laptop then and there……

    Another reason not to run Windows on your laptop…..it can’t be sold down the pub/eBay after it’s been stolen!

  7. sane comment ahead 🙂

    Ok so you’ve alerted the higher-ups at HQ and have they done anything?

  8. I haven’t actually told them yet, because I am planning on ordering some more USB drives soon. I am actually *waiting* for them to say “Thou shalt buy [approved make/model]”, just so that I can point out the security vulnerability to them 🙂
