Cyclical Storage Logic (Personal Data)
-
@BRRABill said:
Are you saying you store NO local data on your endpoints? None?
It you want to be secure, of course not. Even the most non-technical end users cannot just hope for a panacea and make no decisions and take no responsibility for decisions. They HAVE to choose what matters to them. Security, recoverability, cost, ease of use.... no one gets everything. No one. There is no single answer. There never will be.
For the average end user, you don't work out of network range. That's a business need or special case.
Don't let special cases drive the needs of the masses.
-
BTW: do you know what does happen to locaally synced OD or ODfB data if you change the password?
I know with, say, Exchange you can remotely wipe the data or device.
My answer for my own system (and which I'll get to later today in yet another thread) is a SSD with encryption. If my laptop gets stolen, it's 0 worry to me.
-
@BRRABill said:
My answer for my own system (and which I'll get to later today in yet another thread) is a SSD with encryption. If my laptop gets stolen, it's 0 worry to me.
Not really end user viable there. End users cannot handle extra layers of security like that.
-
@BRRABill said:
BTW: do you know what does happen to locaally synced OD or ODfB data if you change the password?
It's just local on the drive. It's part of NTFS. Acts like any other file. It is SYNCED.
-
@scottalanmiller said:
Not really end user viable there. End users cannot handle extra layers of security like that.
It is no extra work when set up.
The program I use (Embassy Security Center) uses the same password they log into Windows with. (Assuming they use a password, which of course everyone should be educated to do.)
The computers boots to a password screen, they enter their password, and it automatically logs them into Windows. If you change your Windows password, it syncs with the encryption password.
No extra work.
-
@scottalanmiller said:
It is SYNCED.
So is my Exchnage Online data but I can wipe that if my iPhone gets stolen.
-
@BRRABill said:
@scottalanmiller said:
Not really end user viable there. End users cannot handle extra layers of security like that.
It is no extra work when set up.
The program I use (Embassy Security Center) uses the same password they log into Windows with. (Assuming they use a password, which of course everyone should be educated to do.)
The computers boots to a password screen, they enter their password, and it automatically logs them into Windows. If you change your Windows password, it syncs with the encryption password.
No extra work.
So if they are logged in.... their data is gone. How much does that protect? Would help protect if my stuff is in my luggage and that gets stolen. But not going to protect if it gets swiped from a table at the cafe.
-
@BRRABill said:
@scottalanmiller said:
It is SYNCED.
So is my Exchnage Online data but I can wipe that if my iPhone gets stolen.
That's not exactly synced, not in the same way. It is synced to the device, yes, but not to the file system. It is held inside of the application. And you can only wipe it if the iPhone comes online - which is not how a good thief would use it. If their goal is your data, you don't have any extra protection there.
-
@scottalanmiller said:
So if they are logged in.... their data is gone. How much does that protect? Would help protect if my stuff is in my luggage and that gets stolen. But not going to protect if it gets swiped from a table at the cafe.
If your stuff is in your luggage, I am assuming it would be hibernated or at sleep? It requires a logon after any event such as that.
If it gets swiped from a table at a cafe, and they leave it on forever, then yes, your data would be compromised. But the second they stop using it or the computer gets locked, they are out of luck. You always ask me about scenarios. Under what scenario would you leave a laptop unattended in a public place? Or do you mean just straight run and swipe? What is the probability of that?
-
@scottalanmiller said:
That's not exactly synced, not in the same way. It is synced to the device, yes, but not to the file system. It is held inside of the application. And you can only wipe it if the iPhone comes online - which is not how a good thief would use it. If their goal is your data, you don't have any extra protection there.
And how is said thief going to get into my iPhone, assuming I have a password on it?
-
@BRRABill said:
If it gets swiped from a table at a cafe, and they leave it on forever, then yes, your data would be compromised. But the second they stop using it or the computer gets locked, they are out of luck. You always ask me about scenarios. Under what scenario would you leave a laptop unattended in a public place? Or do you mean just straight run and swipe? What is the probability of that?
Well we aren't talking about me, I don't store anything on my laptop. We are talking about average end users, right? Things that we can pretty much assume about end users:
- They will exert exactly zero effort to secure their data.
- They will not log out of their machines, even when they are asleep.
- They will not watch their stuff carefully while at the cafe.
- They will remain logged on for forever.
-
@BRRABill said:
And how is said thief going to get into my iPhone, assuming I have a password on it?
Same way they do on your laptop... pull the drive and slave it elsewhere.
-
@BRRABill said:
@scottalanmiller said:
That's not exactly synced, not in the same way. It is synced to the device, yes, but not to the file system. It is held inside of the application. And you can only wipe it if the iPhone comes online - which is not how a good thief would use it. If their goal is your data, you don't have any extra protection there.
And how is said thief going to get into my iPhone, assuming I have a password on it?
This assumption that you state here makes encryption and wiping pointless, right? The idea of encrypting and wiping data is purely because the assumption is that the OS can't protect you. If the OS or device were usefully safe, encryption and wiping would have no reason to exist. It is because we know that they can bypass those mechanisms if they want pretty easily that we go further and start to add additional protection to the data itself.
-
@scottalanmiller said:
Same way they do on your laptop... pull the drive and slave it elsewhere.
I was unaware they could do that. I thought the iPhones were encrypted using the passcode as the key, no? Isn't that what the government is all up in arms about?
-
@scottalanmiller said:
This assumption that you state here makes encryption and wiping pointless, right? The idea of encrypting and wiping data is purely because the assumption is that the OS can't protect you. If the OS or device were usefully safe, encryption and wiping would have no reason to exist. It is because we know that they can bypass those mechanisms if they want pretty easily that we go further and start to add additional protection to the data itself.
Right.
I feel every device should require a passcode, and this passcode is used to encrypt the device, like the iPhone does it, and like Bitlocker does.
Yes, it still allows for problems with easy passwords, but provides a TON more protection as a very easy level for the users.
-
@BRRABill said:
I was unaware they could do that. I thought the iPhones were encrypted using the passcode as the key, no? Isn't that what the government is all up in arms about?
Only 10K possible passcodes. Once you have removed the drive I assume that it is not too hard to figure out which one it is.
-
@BRRABill said:
@scottalanmiller said:
This assumption that you state here makes encryption and wiping pointless, right? The idea of encrypting and wiping data is purely because the assumption is that the OS can't protect you. If the OS or device were usefully safe, encryption and wiping would have no reason to exist. It is because we know that they can bypass those mechanisms if they want pretty easily that we go further and start to add additional protection to the data itself.
Right.
I feel every device should require a passcode, and this passcode is used to encrypt the device, like the iPhone does it, and like Bitlocker does.
Yes, it still allows for problems with easy passwords, but provides a TON more protection as a very easy level for the users.
Also introduces a lot of risk. End users are at far greater risk of forgetting their password than of having their systems stolen. It's good to consider physical theft as a risk, but it is important to be reasonable about dealing with what is statistically likely versus statistically unlikely.
-
@scottalanmiller said:
Only 10K possible passcodes. Once you have removed the drive I assume that it is not too hard to figure out which one it is.
If you use the 4 digit one. Which I will agree probably 99% of people do.
It would be interesting to know what happens if you pull the drive from the phone.
Does it have to be in the phone for it to work? For example how Bitlocker works. (Had an issue once where I updated BIOS on a Bitlocker machine. Ooops.)
-
@scottalanmiller said:
Also introduces a lot of risk. End users are at far greater risk of forgetting their password than of having their systems stolen. It's good to consider physical theft as a risk, but it is important to be reasonable about dealing with what is statistically likely versus statistically unlikely.
Right. These scenarios for me ALWAYS involve me setting it up, which requires an Admin account for the Wave software and a ridiculously long password.
-
@BRRABill said:
Does it have to be in the phone for it to work? For example how Bitlocker works. (Had an issue once where I updated BIOS on a Bitlocker machine. Ooops.)
Yup, big risk. Although to someone looking to break in, that kind of issue isn't one.