Shostack + Friends Blog Archive


Do you feel like we do?

As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to login to the missing computer”.
Such statements are sufficiently numerous that the pre-eminent source of breach data,, have issued a comment [link to no longer works] the topic.
I recently had an idea which I honestly think might be very useful (or pathetically impotent).
I report, you decide.
The idea is simply this:
Creating some sort of on-line document and getting infosec experts/practitioner/luminaries to add
their names to it. The document would be akin to an on-line petition, except that it would not be asking for something, it would be stating a position — as I envision it would be a couple of paragraphs, pointing out the technical facts (in lay terms) that “recovery” CDs can completely bypass OS passwords, that the better state breach laws exempt encrypted data alone for a reason (Indiana is a perfect example, having had their loophole closed so recently), that any safeguard is only as good as the threat model behind it, and that operating system passwords were not intended to be defense against a threat which bypasses the operating system completely.
When the press perpetuates the canard (and I am aware of it), I’d dash off a letter to
the editor which particularizes things, and which points to this on-line
document. Hopefully, this would raise awareness.
My thinking here is that many of us with an infosec and privacy background “get it”, but that the press has relatively little access to us. Human nature being what it is, the path of least effort is often followed, and press releases are reprinted, without regard to their technical accuracy
Is this a crazy idea? If so. please comment. If you think it makes sense, comment about that.
If there seems to be solid support, we can work out the details and make it happen.

[Edited July, 2017: Not sure if the image here is the one Chris meant, but the old one was missing.]

6 comments on "Do you feel like we do?"

  • Andrew Yeomans says:

    We should try to agree on terminology to help the news reporters. Since, from a user’s perspective, an encrypted hard drive is protected by a password. In a number of press reports it’s unclear what type of password was used, an encryption key or an OS password.
    Maybe we need to keep asking “was a strong encryption password used?”. Unless you can think of a better phrase.

  • rybolov says:

    A Position Paper is exactly what you need. Then you push the paper out in a press release… “blah blah releases position paper on how OS passwords are ganked”. Pay $80 or whatever to get it pushed out on a reputable newswire and suddenly you’re the consulted expert on data breaches instead of preaching to those of us who know already.
    It’s a fine art (or voodoo), but it’s PR/Marketing 101. I’m not the end-all expert on it, but if you need a hand, give me a call.

  • Chris says:

    No worries on PR Voodoo 101, rybolov :^) I can handle that part. I guess I was really asking whether folks would be willing to add their names to this position paper so that “blah blah” is not one guy but is instead “dozens of information security, privacy, and fraud investigation professionals” or some such.

  • Alan Moe says:

    I think this is good idea, and I would gladly sign as one of the “dozens of information security professionals.”
    Andrew is right on that explicit language is required, however. The problem with common statements about lost hardware is that “password protected” could mean a password protected encrypted hard drive, or it could mean “runs Windows XP professional or Linux, and it asks for a password when you boot.” The average news consumer doesn’t know that there is a difference.

  • jon says:

    This is an excellent idea. An approach that could work well in a situation like this: a relatively short “open letter” (perhaps constructed jointly by an initial group of security professionals), with a signature thread on a blog where people can join in whole and in part along with some optional additional comments.
    The advantage of this approach is that it’s very inclusive: security professionals across the US and the world can join in, and each provide some additional perspectives.

  • Matt says:

    I think it is an excellent idea but getting people outside of security to pay attention to it would be hard as I’m sure you know. As we all know, encryption is only as good as the key and algorithm used. Maybe if we all blogged about it, dugg it, and twittered it, it would reach critical mass in the tech savvy world at least.

Comments are closed.