Cyclical Storage Logic (Personal Data)
-
@BRRABill said:
If it gets swiped from a table at a cafe, and they leave it on forever, then yes, your data would be compromised. But the second they stop using it or the computer gets locked, they are out of luck. You always ask me about scenarios. Under what scenario would you leave a laptop unattended in a public place? Or do you mean just straight run and swipe? What is the probability of that?
Well we aren't talking about me, I don't store anything on my laptop. We are talking about average end users, right? Things that we can pretty much assume about end users:
- They will exert exactly zero effort to secure their data.
- They will not log out of their machines, even when they are asleep.
- They will not watch their stuff carefully while at the cafe.
- They will remain logged on for forever.
-
@BRRABill said:
And how is said thief going to get into my iPhone, assuming I have a password on it?
Same way they do on your laptop... pull the drive and slave it elsewhere.
-
@BRRABill said:
@scottalanmiller said:
That's not exactly synced, not in the same way. It is synced to the device, yes, but not to the file system. It is held inside of the application. And you can only wipe it if the iPhone comes online - which is not how a good thief would use it. If their goal is your data, you don't have any extra protection there.
And how is said thief going to get into my iPhone, assuming I have a password on it?
This assumption that you state here makes encryption and wiping pointless, right? The idea of encrypting and wiping data is purely because the assumption is that the OS can't protect you. If the OS or device were usefully safe, encryption and wiping would have no reason to exist. It is because we know that they can bypass those mechanisms if they want pretty easily that we go further and start to add additional protection to the data itself.
-
@scottalanmiller said:
Same way they do on your laptop... pull the drive and slave it elsewhere.
I was unaware they could do that. I thought the iPhones were encrypted using the passcode as the key, no? Isn't that what the government is all up in arms about?
-
@scottalanmiller said:
This assumption that you state here makes encryption and wiping pointless, right? The idea of encrypting and wiping data is purely because the assumption is that the OS can't protect you. If the OS or device were usefully safe, encryption and wiping would have no reason to exist. It is because we know that they can bypass those mechanisms if they want pretty easily that we go further and start to add additional protection to the data itself.
Right.
I feel every device should require a passcode, and this passcode is used to encrypt the device, like the iPhone does it, and like Bitlocker does.
Yes, it still allows for problems with easy passwords, but provides a TON more protection as a very easy level for the users.
-
@BRRABill said:
I was unaware they could do that. I thought the iPhones were encrypted using the passcode as the key, no? Isn't that what the government is all up in arms about?
Only 10K possible passcodes. Once you have removed the drive I assume that it is not too hard to figure out which one it is.
-
@BRRABill said:
@scottalanmiller said:
This assumption that you state here makes encryption and wiping pointless, right? The idea of encrypting and wiping data is purely because the assumption is that the OS can't protect you. If the OS or device were usefully safe, encryption and wiping would have no reason to exist. It is because we know that they can bypass those mechanisms if they want pretty easily that we go further and start to add additional protection to the data itself.
Right.
I feel every device should require a passcode, and this passcode is used to encrypt the device, like the iPhone does it, and like Bitlocker does.
Yes, it still allows for problems with easy passwords, but provides a TON more protection as a very easy level for the users.
Also introduces a lot of risk. End users are at far greater risk of forgetting their password than of having their systems stolen. It's good to consider physical theft as a risk, but it is important to be reasonable about dealing with what is statistically likely versus statistically unlikely.
-
@scottalanmiller said:
Only 10K possible passcodes. Once you have removed the drive I assume that it is not too hard to figure out which one it is.
If you use the 4 digit one. Which I will agree probably 99% of people do.
It would be interesting to know what happens if you pull the drive from the phone.
Does it have to be in the phone for it to work? For example how Bitlocker works. (Had an issue once where I updated BIOS on a Bitlocker machine. Ooops.)
-
@scottalanmiller said:
Also introduces a lot of risk. End users are at far greater risk of forgetting their password than of having their systems stolen. It's good to consider physical theft as a risk, but it is important to be reasonable about dealing with what is statistically likely versus statistically unlikely.
Right. These scenarios for me ALWAYS involve me setting it up, which requires an Admin account for the Wave software and a ridiculously long password.
-
@BRRABill said:
Does it have to be in the phone for it to work? For example how Bitlocker works. (Had an issue once where I updated BIOS on a Bitlocker machine. Ooops.)
Yup, big risk. Although to someone looking to break in, that kind of issue isn't one.
-
@BRRABill said:
@scottalanmiller said:
Also introduces a lot of risk. End users are at far greater risk of forgetting their password than of having their systems stolen. It's good to consider physical theft as a risk, but it is important to be reasonable about dealing with what is statistically likely versus statistically unlikely.
Right. These scenarios for me ALWAYS involve me setting it up, which requires an Admin account for the Wave software and a ridiculously long password.
Which comes back to... why would normal end users have anything on their local machines to protect anyway?
-
@scottalanmiller said:
Yup, big risk. Although to someone looking to break in, that kind of issue isn't one.
What is a big risk?
-
@BRRABill said:
@scottalanmiller said:
Yup, big risk. Although to someone looking to break in, that kind of issue isn't one.
What is a big risk?
Using tools like Bitlocker. Simple maintenance like BIOS updates can inadvertently scrap your install.
-
@scottalanmiller said:
Which comes back to... why would normal end users have anything on their local machines to protect anyway?
Because they do?
I'm not arguing that cloud storage isn't the best way to go. But I still deal with people who refuse or just can't for one reason or another. (Lot of proprietary software needs to be local.)
I still help them. I'm not going to criticize and move on.
-
@BRRABill said:
I still help them. I'm not going to criticize and move on.
No, but explaining to them that they are creating their own risk and bypassing the natural protections that normal people have is important. Do this still do it because people enable them or because they truly don't understand the risks that they choose to take?
-
@scottalanmiller said:
Using tools like Bitlocker. Simple maintenance like BIOS updates can inadvertently scrap your install.
So my first Bitlocker install i was unaware of that.
Had it installed on a new DELL server, and saved the password to the TPM. Was working like a charm. Until I had to update the BIOS for another issue they were having. Remotely. I was working with a DELL tech, and he said it would not affect Bitlocker. It obviously did. Computer would not boot back up. I Googled and figured out what I did, and spent the night feverishly worrying the recovery key I had wouldn't work. It DID, thank goodness, but out the fear of Bitlocker in me to this day. (Another reason to always have backups, right?)
-
@BRRABill said:
I'm not arguing that cloud storage isn't the best way to go. But I still deal with people who refuse or just can't
What software would that be? I feel like we are randomly jumping between business users and your old uncle constantly in all of these cases. Business users have different needs and need to be treated like a business, not like a senile uncle. Your old uncle needs to be coddled and protected from himself.
-
@BRRABill said:
So my first Bitlocker install i was unaware of that.
But end users are always unaware, that's the risk.
-
@scottalanmiller said:
Business users have different needs and need to be treated like a business, not like a senile uncle. Your old uncle needs to be coddled and protected from himself.
LOL. Yes, I do jump.
But I also work with single person companies who have the same sort of "senile uncle syndrome".
-
@BRRABill said:
Had it installed on a new DELL server, and saved the password to the TPM. Was working like a charm. Until I had to update the BIOS for another issue they were having. Remotely. I was working with a DELL tech, and he said it would not affect Bitlocker. It obviously did. Computer would not boot back up. I Googled and figured out what I did, and spent the night feverishly worrying the recovery key I had wouldn't work. It DID, thank goodness, but out the fear of Bitlocker in me to this day. (Another reason to always have backups, right?)
Yup, the more you encrypt, the more backups matter. But you are encrypting the backups, right? Backups are a common point of vulnerability. Thieves know that hitting backups is often worth way more than hitting running systems.