[ale] I have fallen in love with Truecrypt

Jerald Sheets questy at gmail.com
Fri Feb 11 10:27:23 EST 2011


Work?  No question.  I'm in financial services.  To me, that is a different topic.

I'm talking about personal machine full-disk encryption.

Unless I'm going to extensive measures to hide a cache of pirated music or porn or other things that would be embarrassing if found, I fail to see the need for whole-disk encryption IN MY CASE (before anyone gets their panties in a twist).  So, I asked to get some education on what folks might be using such tech for.

Am I familiar with it?  Sure.  Do I have sensitive docs?  You betcha.  I have a single image with all the goodies in it and use TrueCrypt on my Mac for the few things that shouldn't have prying eyes.  

The whole-disk thing is what is a curiosity to me, is all.  Apple gives me the ability to encrypt my entire home directory, but not the volume.  I'm sure that if I researched what the underlying BSD stuff they're using is, I could undertake the task of encrypting my whole volume.

Anywho, just curious.

Now, a different topic:  I use a 2-key password scheme I picked up a while ago. A portion is in my head and a portion comes from a password grid I've created (8x8, double-sided) that I carry in my wallet.  I use patterns+private key.  So, I could actually give you my password list, and you'd never guess it. I also impose on myself a 30-day password change as well.  I even do this at home.  Not a foolproof system, but secure enough since I don't ever log in with any elevated privileges.  I'm even in the "users" group only.

A couple more notes in-line below.

On Feb 11, 2011, at 9:05 AM, Greg Freemyer wrote:

> Jerald,
> 
> You're a professional sys admin.
> 
> Whether you like it or not, today that means you are part of America's
> counter-espionage team.
> Yes, you are a spook's spook!

I would not assist any agency or representative of the governmental intrusion squad even under threat of incarceration.  If there was research into money or assets stolen from the company I work for, that's a different topic...I will assist to the limits of what my employer requests of me up to, but not further than what is needed to protect company assets or to apprehend said criminals.


> So assume the bad guys crack your network and steal your login /
> password.  (Sys admin login/password is a much sought after goodie.)
> 
> Next assume they are willing to invest many man months crawling around
> your network and getting to know it better than you do.
> 
> What corporate assets do you have privileges to that you don't want
> them to have?
> 
> 1) Anything you have related to security config in general.

...which I would not be allowed to encrypt.  I'm not part of the security team...

> 
> 2) Network / server config docs.

Hosted on that god-forsaken SharePoint travesty (last three companies, in fact!).  Not my responsibility.

> 
> 3) Specific intrusion / remediation details. Especially if a peer at
> another company gave it to you.

Remanded to the security department, and out of my jurisdiction where I am.  Other companies vary, but now that you mention it, I *am* seeing a trend where security teams are slowly peeling away the hardening/post-mortem duties from Systems Admins, especially in the bigger companies.  That doesn't bode well, methinks.

#!/jerald
Linux User #183003
Ubuntu User #32648
Public GPG Key:  http://questy.org/js.asc

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT/MU d-@ s++(++)>+++:> a+ C++++(+++)$>++ UBLAVHSC++(on)$>++++ P++(+++)$>++++ L++(++++)$>+++ !E---(---)>--- W+(++)$>+++ N(+)$>++ !o !K-- w(--)>--- O()@> M++(++)$>++ V()>- PS+++()@>-- PE(++)@>+ Y+(+)@>+ PGP++(++)$>+++ t+(++)@>+++ 5(+)@>+ X+(++)@>+++ R+(+)@>++ tv-(+)$>++ b+++(++)$>++ DI++++(++)>+++ D++(++)@>++ G++(++)@>++ e++(++)$>++ h(-)$>- r+++(+++)@>+++ y+(+++)>++++@ 
------END GEEK CODE BLOCK------


