Network crypto is not enough: One example of why.
A few days ago, someone mugged one of our tech writers outside her apartment building. She had a laptop computer that was company property, and which contained among other things, an application the company licenses to registered users at a quarter-million dollars a pop, in a release-candidate version that we're not going to be sending out to customers until it's been in testing and doc for another couple of weeks. And all the docs for it (up to that date), And a list of license keys corresponding to various configurations. These license keys are decrypted by the software so it can find out what it's authorized to do on behalf of the user - of course the QA department and Documentation group need a wide variety of them -- including some that would sell to paying customers for upwards of a million dollars. So, there was a board meeting, and some board members and major investors waxed wroth. Odds are, the drive got wiped within hours of being swiped. Odds are, the laptop is sitting somewhere in a pawnshop and the damage to the company has been limited to the cost of a single laptop computer. But slightly longer odds have a much MUCH higher cost to the company: if the mugger realized what the hell he had in his hands, he could match my annual salary by selling it to one of our competitors. If the mugger was hired in the first place by one of our competitors, then... that's not good either. And of course, if he's willing to face a bit dicier risk profiles, and has criminal confederates inside some Fortune 500 companies, he can track our sales and marketing force, and try to undercut us with pirate versions of our software and potentially cost us millions in sales. These are in order of decreasing probability, and the last, while only very remotely likely, is pretty disturbing. And I was sitting there, listening to all the worst-case scenarios, and thinking, "Damn, I wish we had laptops with solidly encrypted hard drives." Enter the key, boot the machine. Wrong key, hard drive appears to be full of random garbage. Encryption handled in the BIOS. The BIOS password protection is garbage for protecting hard drive contents - the hard drives are unencrypted and can just be popped out and stuck into a different laptop of the same model. Bear
Ray, Please tell the make and model of the laptop, where it was lifted and other details that would help a good samaritan recognize it as what you say it is and has in its innards. No disinfo now. No risk insurance scamming, we've been stung by that. Damn hi-value secret-rich laptops are a menace to the underworld and time wasters for undercovers overloaded with a leak-ploy of the spooks copied by the thousands, when even pawnshops have signs about laptops "who you kiddin." The dame chopped and shopped your secrets if they were that, copying spooks ploying a bonus from likeminders with the same venal bosses eager to steal when profits peter, copying the boss spooks copying the leaders of the earth and heaven. Yrs, No. 38769
At 12:45 PM 3/2/01 -0800, Ray Dillinger wrote:
A few days ago, someone mugged one of our tech writers outside her apartment building.
She had a laptop computer that was company property, and which contained among other things, an application the company licenses to registered users at a quarter-million dollars a pop, in a release-candidate version that we're not going to be sending out to customers until it's been in testing and doc for another couple of weeks. ...
Mr. Bear, sorry to hear your company is so fsck'ed. Excellent post, BTW; exemplar. But you don't need bios-level encryption; Scramdisk or PGPdisk are free, reliable, and would completely solve your multizillion dollar worries. Simply use all the space on the laptop as an encrypted drive, and put all the tools and work directories there, so there's no way to get around it. Make it (future) corporate policy ---previously I bet you wouldn't have been able to convince them, but now you can. The next 'mugger' might be the one you fear. ....... Unbeknown to the latter, Marks had already cracked General de Gaulle's private cypher in a spare moment on the lavatory.
On Fri, 2 Mar 2001, John Young wrote:
Ray,
Please tell the make and model of the laptop, where it was lifted and other details that would help a good samaritan recognize it as what you say it is and has in its innards.
It is a compaq armada m700, with 128M memory and 6G hard drive. It got kiped in San Francisco, on the western edge of a neighborhood known as hunter's point. It has already been reported to the appropriate police, but that's mainly pro forma; in the recovery of such items they are nearly useless. The application is called "Neuroserver". It exists in a full GUI development environment/compiler (NSAE) and a windows service (NSRE) with associated runtime admin tools. There's also a solaris version, but that wasn't on the machine she had. If you want to know more about the application, you can ask it about itself - go to http://www.nativeminds.com, turn on cookies and javascript, and follow the "talk to nicole" link. It won't understand you if you get too far outside its subject matter or use sentences too long for it to figure out, but that's par for the course for this moment in time.
The dame chopped and shopped your secrets if they were that, copying spooks ploying a bonus from likeminders with the same venal bosses eager to steal when profits peter, copying the boss spooks copying the leaders of the earth and heaven.
That's an interesting collection of words. Do you suppose it's a sentence? Bear
At 6:28 PM -0800 3/2/01, Ray Dillinger wrote:
It is a compaq armada m700, with 128M memory and 6G hard drive. It got kiped in San Francisco, on the western edge of a neighborhood known as hunter's point. It has already been reported to the appropriate police, but that's mainly pro forma; in the recovery of such items they are nearly useless.
The application is called "Neuroserver". It exists in a full GUI development environment/compiler (NSAE) and a windows service (NSRE) with associated runtime admin tools. There's also a solaris version, but that wasn't on the machine she had.
The sky above Hunter's Point was the color of television, tuned to a dead channel."It's not like I'm using Windoze," she heard someone say, as she shouldered her way through the crowd around the door of the Starbucks, beneath the quartz-halogen floods that lit the docks all night like vast stages; where you couldn't see the lights of Oakland for the glare of the television sky, not even the towering hologram logo of Herbalife, and San Francisco Bay was a black expanse where gulls wheeled above drifting shoals of white styrofoam coffee cups. She'd made the classic mistake, the one she'd sworn she'd never make. She stole from her employers. She kept something for herself and tried to move it through a fence in Sunnyvale. She still wasn't sure how ahe'd been discovered, not that it mattered now, now that Neuroserver was in the hands of Tessier-Ashpool. The Finn was a a Linux hacker, a trafficker in Gnutellaed downloads, primarily in software. In the course of his business, he sometimes came into contact with other fences, some of whom dealt in the more traditional articles of the trade. In assault rifles for lonely Cypherpunks, in JPEGs of Britney Spears, in illegal Scientology NOTS. As she faced the Finn, who had turned the color of television, tuned to a dead channel, she stood, stretched, shook herself. "You know, I figure the one Tessier-Ashpool sent after that Jimmy, the boy who stole the laptop, he must be pretty much the same as the one the Detweiler sent to kill CJ." She drew the fletcher from its holster and dialed the barrel to full auto. --Tim May,channeling Wm. Gibson -- Timothy C. May tcmay@got.net Corralitos, California Political: Co-founder Cypherpunks/crypto anarchy/Cyphernomicon Technical: physics/soft errors/Smalltalk/Squeak/agents/games/Go Personal: b.1951/UCSB/Intel '74-'86/retired/investor/motorcycles/guns
On 3 Mar 2001, at 16:16, Tim May wrote:
The sky above Hunter's Point was the color of television, tuned to a dead channel.
Nice piece, Tim. -- Roy M. Silvernail [ ] roy@scytale.com DNRC Minister Plenipotentiary of All Things Confusing, Software Division PGP Key 0x1AF39331 : 71D5 2EA2 4C27 D569 D96B BD40 D926 C05E Key available from pubkey@scytale.com I charge to process unsolicited commercial email
A touching faith that no muggers read cypherpunks. Or, perhaps more importantly, no-one who might be in the market for cheap 2nd-hand computers. Ray Dillinger wrote:
On Fri, 2 Mar 2001, John Young wrote:
Ray,
Please tell the make and model of the laptop, where it was lifted and other details that would help a good samaritan recognize it as what you say it is and has in its innards.
It is a compaq armada m700, with 128M memory and 6G hard drive. It got kiped in San Francisco, on the western edge of a neighborhood known as hunter's point. It has already been reported to the appropriate police, but that's mainly pro forma; in the recovery of such items they are nearly useless.
The application is called "Neuroserver". It exists in a full GUI development environment/compiler (NSAE) and a windows service (NSRE) with associated runtime admin tools. There's also a solaris version, but that wasn't on the machine she had.
If you want to know more about the application, you can ask it about itself - go to http://www.nativeminds.com, turn on cookies and javascript, and follow the "talk to nicole" link. It won't understand you if you get too far outside its subject matter or use sentences too long for it to figure out, but that's par for the course for this moment in time.
The dame chopped and shopped your secrets if they were that, copying spooks ploying a bonus from likeminders with the same venal bosses eager to steal when profits peter, copying the boss spooks copying the leaders of the earth and heaven.
That's an interesting collection of words. Do you suppose it's a sentence?
Bear
participants (6)
-
David Honig -
John Young -
Ken Brown -
Ray Dillinger -
roy@scytale.com -
Tim May