Podcast: Crypto-Gram 15 May 2006
from the May 15, 2006 Crypto-Gram Newsletter
by Bruce Schneier
* Who Owns Your Computer?
When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive.
You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.
It used to be that only malicious hackers were trying to own your computers.
Estimates are that somewhere between hundreds of thousands and millions of computers are members of remotely controlled "bot" networks. Owned.
Now, things are not so simple. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require. And there are software companies that are trying to make money by pleasing not only their customers, but other companies they ally themselves with. All these companies want to own your computer.
* Identity-Theft Disclosure Laws
California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen.
Identity theft is the fastest-growing area of crime. It's badly named -- your identity is the one thing that cannot be stolen -- and is better thought of as fraud by impersonation. A criminal collects enough personal information about you to be able to impersonate you to banks, credit card companies, brokerage houses, etc. Posing as you, he steals your money, or takes a destructive joyride on your good credit.
* Microsoft's BitLocker
BitLocker Drive Encryption is a new security feature in Windows Vista, designed to work with the Trusted Platform Module (TPM). It encrypts the C drive with a computer-generated key. In its basic mode, an attacker can still access the data on the drive by guessing the user's password, but would not be able to get at the drive by booting the disk up using another operating system, or removing the drive and attaching it to another computer.
There is a recovery key: optional but strongly encouraged. It is automatically generated by BitLocker, and it can be sent to some administrator or printed out and stored in some secure location. There are ways for an administrator to set group policy settings mandating this key.
Encryption particulars: The default data encryption algorithm is AES-128-CBC with an additional diffuser. The diffuser is designed to protect against ciphertext-manipulation attacks, and is independently keyed from AES-CBC so that it cannot damage the security you get from AES-CBC. Administrators can select the disk encryption algorithm through group policy. Choices are 128-bit AES-CBC plus the diffuser, 256-bit AES-CBC plus the diffuser, 128-bit AES-CBC, and 256-bit AES-CBC. (My advice: stick with the default.) The key management system uses 256-bit keys wherever possible. The only place where a 128-bit key limit is hard-coded is the recovery key, which is 48 digits (including checksums). It's shorter because it has to be typed in manually; typing in 96 digits will piss off a lot of people -- even if it is only for data recovery.
length: 29:33m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0605.html
by Bruce Schneier
* Who Owns Your Computer?
When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive.
You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.
It used to be that only malicious hackers were trying to own your computers.
Estimates are that somewhere between hundreds of thousands and millions of computers are members of remotely controlled "bot" networks. Owned.
Now, things are not so simple. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require. And there are software companies that are trying to make money by pleasing not only their customers, but other companies they ally themselves with. All these companies want to own your computer.
* Identity-Theft Disclosure Laws
California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen.
Identity theft is the fastest-growing area of crime. It's badly named -- your identity is the one thing that cannot be stolen -- and is better thought of as fraud by impersonation. A criminal collects enough personal information about you to be able to impersonate you to banks, credit card companies, brokerage houses, etc. Posing as you, he steals your money, or takes a destructive joyride on your good credit.
* Microsoft's BitLocker
BitLocker Drive Encryption is a new security feature in Windows Vista, designed to work with the Trusted Platform Module (TPM). It encrypts the C drive with a computer-generated key. In its basic mode, an attacker can still access the data on the drive by guessing the user's password, but would not be able to get at the drive by booting the disk up using another operating system, or removing the drive and attaching it to another computer.
There is a recovery key: optional but strongly encouraged. It is automatically generated by BitLocker, and it can be sent to some administrator or printed out and stored in some secure location. There are ways for an administrator to set group policy settings mandating this key.
Encryption particulars: The default data encryption algorithm is AES-128-CBC with an additional diffuser. The diffuser is designed to protect against ciphertext-manipulation attacks, and is independently keyed from AES-CBC so that it cannot damage the security you get from AES-CBC. Administrators can select the disk encryption algorithm through group policy. Choices are 128-bit AES-CBC plus the diffuser, 256-bit AES-CBC plus the diffuser, 128-bit AES-CBC, and 256-bit AES-CBC. (My advice: stick with the default.) The key management system uses 256-bit keys wherever possible. The only place where a 128-bit key limit is hard-coded is the recovery key, which is 48 digits (including checksums). It's shorter because it has to be typed in manually; typing in 96 digits will piss off a lot of people -- even if it is only for data recovery.
length: 29:33m
PS: this is my cheat sheet of Bruce Schneier's Podcast:
http://www.schneier.com/crypto-gram-0605.html
posted by omarg at
6:00 PM
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home