Hi, I can help you understand many of these subjects. HIPAA, as put forth by Centers for Medicare Services on behalf of the US Government, has partnered with NIST to establish controls for protection of patient data. The end result being that HIPAA data is protected by FIPS 140-2 standards. PHIPA - I'm assuming the name I threw in - is the health regs modeled on the US HIPAA but used in Canada. The Ministry of Health decided to use US NIST FIPS 140-2 standards or better as well. Military uses a mix of FIPS 140-1 to 3 for normal stuff. Funny how the National Institute of Standards and Tech would implement standards for the nation. Lazy example 1 you provided is an inaccurate example; I don't think you read the last paragraph, or that you understand the difference between breaking encryption on the phone vs. breaking the transmission protocol from phone to carrier. Any phone besides BlackBerry on the carrier-to-phone side has next to nothing. Lazy example 1 has been mitigated by BlackBerry. Lazy example 2 - OK, that is a good example of poor implementation. But so incredibly easy to mitigate, I'm not sure why you linked it. I don't know anyone who uses BlackBerry Desktop, not a BES server. And even if you did use BlackBerry Desktop, your hard drive will already be encrypted to NIST FIPS 140-2 standards if you are in this business anyway. Thanks for the link, I didn't see it. But stupid example. Trolling? I'm open to a nice discussion, you know, what Slashdot is supposed to be: IT folks exchanging information. The information I would exchange back to you - in your threat assessment of BlackBerry, look at the statistics involved in risk management on this subject. The biggest risk is loss/theft of the physical device. Not backups, not data transmission. You know, #1 in the NIST/FIPS security cycle: identify the problem. Next line: no phone is secure. Agreed; if there are no wires and no radios, the more it is like a hunk of granite, the more secure a device is.
But there are more secure devices than others, and I stand by my premise that a BlackBerry is more secure than an iPhone and a Google phone. I was trying to use an easy example to show you that one device was more secure than the other with the YouTube search. I guess the YouTube numbers game was not a good choice to try to convince you. I am aware of many problems with modern encryption. Most require more $ worth of GPU power than my data is worth. I'm not interested in the theoretical fun that you are. I'm interested in the practical implementation of these technologies. I am also interested in protecting my company from monetary losses incurred from failing to observe federal regulations for processing patient data. I suppose the big difference is that I'm prepared for a US court; you are prepared for what, writing a book about conspiracy theory? At this point I abandon my customer service practice and move on to begging you to put your tinfoil hat back on. (Don't forget to run a line to earth ground or it doesn't work.)
You have a funny sense of humor. I do like the rotary dial phone on your desk.
I am fairly well versed on FIPS standards for both HIPAA and PHIPA, and rusty on DoD work. I 'try' every day... Please return to your assertion that BlackBerry encryption is weak and compromised. I will state my challenge to you again in simple, plain terms so you might understand before replying this time. 1. Cite articles from sources displaying proof of your assertion. I can't find any. Perhaps you could inform NIST of these breaches so that they can remove the offender from the certified list. 2. Provide details on why cracking iPhone encryption comes up a lot on YouTube, and BlackBerry not at all. Here is my link for abundant proof of my claim: http://tinyurl.com/28wesd6 I'm patient. Take your time.
My first post did not make the assertion that I enable *any* specific algorithm. My second post did not make an assertion that I was relying on a single algorithm. If you would like to engage an issue I spoke of, please do. I do not understand the tangent you are on.
My developers constantly justify MacBook Pros because they say Adobe apps run better on Mac. Last I checked on benchmarks, a Windows machine for less money beats the tar out of a Mac on most of these apps. If they don't want Windows, fine, please let us have Linux. Everyone needs to jump on the getsatisfaction page there and chime in to keep development alive. Competition is good.
I challenge you to cite some examples of PGP, Credant, TrueCrypt, or Check Point disk encryption failing to patch their whole-disk encryption. I'll come up with a list many times bigger with holes that are patched. I am here because my job depends on it and I need to keep an open mind. Please educate me.
1. Purchase license for remote recovery service. 2. Enable service in laptop BIOS, encrypt drive, enable Intel kill switch. 3. Now I can see all computers' GPS history in a nifty web portal. It has pretty maps and charts, good manager bait. Now I can set fences based on country, state, etc. to start a wipe and shut down if it leaves that fenced area. 4. User reports stolen laptop, we report to security service. 5. Remote wipe sensitive directories, execute any custom commands. 6. Alert cops to pick it up, start a timer for kill switch based on battery life. 7. Cops don't pick it up, battery is low, disable machine completely with Intel switch (only new part here). If you own a laptop, get in the BIOS right now and look for Computrace activation. If it is a business-class machine, it is already there and has been for years. If you don't like it, don't get an aircard. All of this technology is up and running for me and a lot of other corporations. If you don't like it, and you work for me, fine. Quit. If you are a home consumer, disable it. Every other service on your computer is equally vulnerable to unknown, unwritten malware.
So you don't have a machine with a built-in SSH port? (Or remote desktop?) What is really harder? Building a virus to modify a modern BIOS or execute rm -rf? The point of most malware is not to render the computer useless. It is to use the computer in a botnet or extract valuable information. Now where was that tinfoil hat? Maybe I am missing something obvious.
Absolute = LoJack, the parent company. These guys are late to the big brother party. Lenovo, Dell, HP all come with the SMS activation with no power and GPS tracking support in the BIOS. The icing on this cake is that when I report a machine stolen now, an SMS message goes out, activates GPS, cops go after it, and the processor is disabled, so if the battery does run out, the machine is useless. The comment two up: you didn't read my comment. We encrypt our drives. While once in a while a crack comes out for this, it gets patched pretty quick. I'm not concerned. I just read a little more; you have to enable it in the BIOS, it doesn't come on by default. You can also have the full functionality restored.
While I wouldn't say it isn't possible for someone to break in and kill your machine, it isn't likely. We have been using Absolute Software's offering and have been able to do remote wipes on laptops for a long time now. Nobody has broken in and wiped out all the computers with this technology. That being said, do you really think IT who implements this doesn't have a backup? And that our legal departments wouldn't get fair compensation if said "gotcha" really occurs? I would rather have the ability to disable a phone or PC in any way possible when I need it to happen. For the comment above about just moving the hard drive to another machine... Really? Who goes through the trouble of enabling this, and paying monthly for the service, and just skips the whole drive encryption bit? My vote is go Intel.
In my experience, things that have undergone more testing generally tend to have better performance. NIST tests the devices, algorithms, policy, etc. They don't wave a magic wand that makes it more secure or take a payoff to say it is just compliant as you state. Saying that no security measure is 100% to prove a point is gutless. Of course it isn't, but a security plan with more thought and research is more effective at meeting its goals than none. Have countries outlawed the iPhone because the encryption is too difficult for government agencies to tackle? If it is so easy, why does this happen? Maybe you can link some examples and educate us. I am often wrong and would like some help if this is the case. I find a lot of YouTube videos showing any idiot how to break in to any iPhone OS version; where are the videos for BlackBerry? I for one feel more comfortable having grandma's SSN on some doctor's BlackBerry than his iPhone. Judging from your other flamebait comments, I think I am wasting my keystrokes here.
I disagree with most of the comments here. In my opinion the solution is to continue to use BlackBerry and ban iPhone, Google and MS phones from uses that require security. The nice folks at NIST regularly test BlackBerry systems and they continue to pass over and over, earning the magic FIPS 140-2 certification. Throwing your arms up and screaming "screw it" indicates you are either joking or having a nervous breakdown and need to step down from your IT post. Layered defenses are effective because no one layer may be completely trusted. You have to make the best decision you can per layer and move on. In this situation it is easy. Continue to use only FIPS 140 approved devices. The encryption, security and central management on BlackBerry is a lot better than the (none) on the other platforms.
At a large university, Windows XP licenses are trivially cheap. I believe at my last job $5. If you tell them you are running an experiment like this, it is even cheaper. People give M$ a bad rap on licensing. A lot of times it is cheaper than Red Hat when you have a number of computers.
Somehow they took my boring news of Moore's law - my seti@home and primegrid stats are moving 10x faster with my new laptop's GPU. They turned that into - IN THE FUTURE COMPUTERS MIGHT BE REALLY FAST AND MELT YOUR 1960s PASSWORD! It isn't exciting. Quantum computing will come with both encryption and decryption. Nobody cares what it does to your password from 15 years ago.
DES on Gawker: here is a link showing you that it wasn't rainbow tables at all. Once again, I'll just say the article above makes no sense. http://www.guardian.co.uk/technology/blog/2010/dec/13/gawker-hacked-password-change