cold boot attacks on disk encryption

Leichter, Jerry leichter_jerrold at emc.com
Fri Feb 22 08:30:53 EST 2008


| ...I imagine this will eventually have a big impact on the way organizations
| respond to stolen mobile device incidents. With the current technology, if a
| laptop or mobile device is on when it's stolen, companies will need to assume
| that the data is gone, regardless of whether or not encryption products have
| been deployed.
| 
| Anyone familiar with the laws in the arena? Are there regulations which require
| reporting only if data on a stolen device is not encrypted?
I believe something like this has been written into law.  The reporting
laws are all state laws, so of course vary.  The Federal laws often
have "safe harbor" provisions for encrypted data.

Regardless of the law, the broad public perception is that "encrypted"
means "safe".  After one too many embarrassments, corporations (and
governments) have learned that "Oh, yes, 150,000 credit card numbers
were stolen but there's no evidence anyone is using them" no longer
works as damage control; but "Oh, yes, 150,000 credit card numbers
were stolen but that's OK - they were encrypted" works fine.  (Note
that these announcements don't even bother to discuss what the
encryption mechanism might be - ROT13, anyone?)

Unfortunately, the technical nature of these results - combined with
the "We told you to encrypt everything to make it safe; now we tell
you encryption isn't safe" nature of the debate - is unlikely to produce
anything positive in the general public sphere.  People will probably
just shrug their shoulders, figure nothing can be done, and move on.

							-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
