
Comment Ironkey also supports Linux! (Score 4, Informative) 191

I'm using an Ironkey at work (have been for about 2 years now) and the thing has been rock solid. However, the main reason I selected it is that it's the only key that I've had the opportunity to trial which is both FIPS 140-2 L2 compliant *AND* supports Linux.

I use it with WinXP and MacOSX daily and yes, they do ship with "alpha" Linux drivers. Not full support like Win* but enough to read and write the encrypted data, which is all I really use.

Although the company claims that you can now "initialize" a key on MacOS, all the versions I've used required an initial bootstrapping under Windows before being cross-platform usable.

Comment Re:The really real problem: no use of the thumbs (Score 1) 586

Hi there! I've been using a Kinesis Advantage keyboard for years now for exactly the first reason you listed (very little use of thumbs). On the Advantage, your thumbs operate: Backspace, Delete, Space, Enter, Ctrl, Alt, PgUp and PgDn. It's fantastic, helped me speed up my typing speed and also cut the annoying wrist pain. (Note: I don't work for them, own stock in them or anything. I just really like the keyboard).

Comment Re:Easy 2 part solution (Score 1) 303

That's a remarkably simple solution!

I'm interested but please elaborate a bit.

1) Define "even vaguely sensitive" data. At which point does information universally become sensitive?
1a) Of particular interest, at which point does NONsensitive information that is meant to be public become, in aggregate, sensitive?
2) Define how the access is to be secured. By protocol would be helpful.
3) Explain how the network of random proxies would be set up so as to obfuscate their government nature while thousands of government employees do their jobs via those links
4) Define how government scientists and engineers, robotics specialists, munitions developers, etc would get their jobs done with no root access to their systems.
5) Describe the code assurance program by which you would ensure that all code running on those systems had no backdoors

Once you've got those details sufficiently mapped out, you can put together a white paper and begin proposing it to the NSA.

Comment Re:Lazy (Score 1) 678

I don't have mod points to mod you (-1, rant) so I'll just ask: Are you actually a parent and do you understand a parent's responsibility to their child?

The OP seems to be doing a lot of things right to me. They're not asking for people to parent for them, they're asking other geeks (who may also be parents) for advice on how to protect the kid when they need to be protected -- so they can cut the kid loose when they're ready for that.

"delegating your responsibilities to everyone besides yourself" would be saying "help, help, we need to ban porn on the internet because I have a kid".

Anyway, get some Xanax or something and bring it down a notch.

Comment OTRS (Score 2, Interesting) 321

I've had fantastic results using OTRS to support research scientists in a professional organization (8 sysadmins, 350+ scientists), a web-based document repository with a few thousand users (and 2 support staff) and a volunteer parrot rescue with about 50 staff, hundreds of volunteers/adopters and 2 support techies.

It's free, open source (LAMP) and having hacked at the source code I can say that it's VERY solid and well-written Perl. With mod_perl2 even an older Linux box could handle the load.

Comment Re:You don't need to. (Score 1) 468

jotaeleemeese: You're correct that laptops (for large businesses and government) should be no more than thin clients nowadays in many cases - but the article is about "when you have to encrypt absolutely everything". The poster indicated ALL devices getting encryption, which would include desktops, USB keys, CD-ROM media, email and even servers if you took things that far!

Keep in mind, requirements are king. If you have no sensitive data but require a lot of computing power on a workstation, encryption there doesn't make sense. You rob yourself of computing power for no security gain. That kind of balancing act is the core of what makes a good IT Security person.

Comment Re:"I don't know where my sensitive data is!" (Score 1) 468

> Which is a pretty good idea. Page files, application-level caches, all this stuff muddles the water of where our sensitive data might be. And trusting employees to keep everything where it should be is just stupid. Even if they're smart guys, people make mistakes.

I agree with you and full disk encryption CAN be a solution to the problems that confront some organizations. However the fact that it can be a solution doesn't mean that it is applicable universally, or is even the most appropriate solution. For example, would you mandate full disk encryption for the disks residing on a server? Why bother, if the server is in a secured area and is never "at rest"?

In any case, the shotgun approach is never the appropriate solution to not putting appropriate thought into the process which is what I most object to.

> it doesn't make sense to go from there to, "encrypting everything doesn't make sense because it doesn't make you definitely safe." That argument leads to the inevitable conclusion that any security feature is unnecessary because, as you've said, nothing fits the bill.

I would never suggest that, because as you've pointed out it's a slippery slope type fallacy. What I will say to clarify is that it is not an appropriate replacement for the risk analysis process, as it is often used.

> Not really. Being able to access the data, and being able to carry the data out are two entirely different things. If your data is really important, and the computer holding the data isn't connected to the 'net, the insider doesn't have admin rights, and the usb ports are disabled to people without admin access...he could still break in and steal the hard drive. There's a reason to keep it encrypted.

Well, when I say "if you have the key" I really mean, having the encryption key. Malicious insiders generally carry out data they've been given access to. Certainly espionage-wise, rival companies or governments are likely to target someone who already has access to the data they want, and get that person to be the leak. If a malicious insider is your threat, disk-at-rest encryption is not going to do much to mitigate that.

> Yes, that's the type of question that he most definitely needs to deal with. But again, as long as they are looking into issues of that sort, and not just buying into what they think is instant security, there's absolutely no downside to encrypting everything.

I wouldn't go so far as to say there's absolutely no downside to encrypting everything. All encryption has overhead - some products, significant overhead. Then there's either the extra expense of a key management strategy and team plus sysadmin overhead and labor OR the cost of losing data once something bad occurs and the data cannot be recovered.

If his company does an accurate study into their risks and adopts mitigations for them, it might be the case that they only have a relatively minor pool of sensitive information that can be managed server-side through use of things like VMWare ACE, or Citrix, or ... insert appropriate technology here. If they're most worried about laptop/usb key loss then they can adopt things like safeboot or buy Ironkeys/Cruzers/etc.

My main point is that encrypting everything has downsides and he needs to be sure they're worth the gain - the only way that can be done is through risk analysis.
