Encryption: Use it, lest ye be thieved.
Each time I go to DEFCON, sniff a network or see an ad for an infosec product, I’m harshly reawakened to the general public’s detachment from security concerns. When using a virus scanner, firewall and pop-up blocker, most users seem comforted enough to go about daily business with a satisfactory feeling of a “secure” experience.
A large gap in this frame of thought is what we’re trying to secure. The most valuable thing on your computer, the stuff you want to secure if nothing else, is your personal data/information, NOT the machine itself. Most white-collar folk, in a worst-case scenario, could cough up the bones to cope with a stolen or broken machine, or re-install the OS after a bad virus attack. The data on that machine, however, may be priceless memories, confidential trade secrets, or other information which you’d highly prefer to remain private and well backed up. As a resident of Arizona (the new U.S. capital for identity theft, per capita), we must recognize that the Bad Guys on the tubes do not have the primary intent to annoy us. They’re trying to make money. Compromising your system is merely a means for collecting sellable usage habits, relaying \/i@gr@ ads, stealing/selling your identity, etc. We simply need to recognize that we protect system assets largely to protect our information.
In that vein, one of the largest commonplace no-nos is sending sensitive information over ordinary email. We’ve all done it, and most will continue. Emails can pass through systems that are maintained by people you don’t know and most certainly don’t trust, so don’t be a bonehead: encrypt your email, especially if it’s sensitive material. (If your email client is a horrible bitch-goddess that makes encryption a pain to deal with, please poke the vendor with a sharp stick until they make it trivial.) Mail.app and Keychain Access.app (OS X) make it ridiculously simple to manage and use X.509 public/private keys, which you can obtain for free from Thawte. If you use Mail.app, you’re out of excuses.
Should your machine be stolen, sold, repaired, or otherwise leave your possession, how do you know you’re not handing over the keys to the kingdom to a complete stranger? You can wipe the drive, but that isn’t convenient if the machine will be returned to you. A simple way is to use TrueCrypt for Windows, encrypted .dmg files for OS X, or encrypt your entire freaking home directory with FileVault (OS X).
OS X users have no excuse but to encrypt everything. Linux and Windows users may have difficulties, but easy wins are still possible. Encrypt your email. Encrypt your backups. Encrypt your calendar. Encrypt your address book. Encrypt your financials. Encrypt your music. Encrypt your photos. Encrypt your life.
Encrypt everything.



You go a bit overboard. You don’t need to encrypt everything. On my Mac, I have a separately mountable encrypted sparse disk for my most sensitive items. Everything else need not be encrypted including my music and photos. Those I back up, but if you want to steal it, how does it harm me? I have it backed up. I own all of the music on CD. And what are you going to do with my photos? All of my emails are for non-sensitive things, so I fail to see why EVERYTHING needs to be encrypted.
@Ben C, Listen to the man… you would be wise to encrypt everything that is under your control. You may not feel that everything should be encrypted, but the whole point is that IF your data is encrypted, YOU alone control who sees what.
Ben C,
Do you own all that music? If the RIAA raided your house tonight, is there any chance they’d find something which, from a legal standpoint, shouldn’t be there? If you’ve encrypted everything in a manner that they cannot trivially undo, you are protected under the 5th amendment from self-incrimination.
I do not endorse piracy of any kind. I do, however, recognize that there are some legal activities, such as reading usenet, downloading free sample MP3s from amazon.com, port scanning your own network etc, that could be construed as illegal. So, to address your music question specifically, encryption is a means of protecting yourself from frivolous lawsuits.
preston.lee,
If I recall correctly, there have been cases where the existence of encryption software on a computer was enough to find in favor of the RIAA. Spent the last 10 minutes looking for a source. Found nothing so I can’t back that up.