02/28/2012
Full Disk Encryption, the good and bad
Since Snow Leopard, OS X machines have been able to encrypt sensitive data on your machine. It has evolved in Lion, and you might indeed want to turn it on, but deciding when and where to do so is something you’ll want to get some background information on.
In the System Preferences page of your Mac, you’ll find the Security & Privacy page, which has a tab for FileVault. In Snow Leopard, this would encrypt your User’s Home Directory (/Users/UserName) and nothing else. Good, but that still left a lot of potentially sensitive data unencrypted.
In Lion, FileVault was extended to be able to encrypt the entire system drive. This let you lock up your whole OS X system, including OS binaries and all data that was on the system drive itself. While this still didn’t cover any external drives, it was a huge step forward in data protection.
FileVault in Lion doesn’t seem to slow down processes on Core i type systems, which means that if you bought your Mac after 2009, you probably won’t notice any difference with FileVault enabled. There are some slowdowns on extremely disk-intensive applications (like video editing) but otherwise it should be invisible to you.
The one exception is boot times. Booting up from a powered-down Mac can take a while longer on iMacs and other non-SSD machines when FileVault is on. Personally, it added about 2/3 of a minute to my boot-up times on a 2010 iMac. On an SSD MacBook Air, I noticed no difference in boot times with FileVault enabled, so it appears to be just read/write speed that makes that operation take longer on the iMac and MB Pro.
Now, since only boot times and very intensive applications seem to have any slow-downs, why wouldn’t you use FileVault? Well, there are a couple of reasons:
– You boot into Windows via BootCamp and work a lot with files on your Mac’s system drive. Since the drive is only available while OS X is running, you can’t get into it via BootCamp.
– You use an offline backup tool. This is pretty rare, since most common personal backup software works while you’re logged into your account, but if you back up your Mac while you’re not logged in, there will be issues since the disk is locked out when you’re not logged in.
Otherwise, FileVault is a good idea. Portable devices can be stolen, and using FileVault will help to ensure that at least your data doesn’t become public knowledge for thieves. Yes, they’ll still have your Mac – which sucks – but they won’t have access to your bank account information.
Even for non-portable devices, it’s not a bad idea to turn FileVault Full Disk Encryption on. Burglaries do happen, and computers are a hot commodity for thieves. An encrypted system is still lost, but at least your data will not be sitting there waiting to be stolen too.
For external devices, you can encrypt data, but not with FileVault. TrueCrypt is an open-source, free encryption tool that can create a protected directory or even encrypt any non-system drive entirely. Great for use on those removable USB hard drives that might contain private information. There are many tools that can do this, but TrueCrypt is great security at a great price, and actually worth much more than you pay for it (not often true of free software).
So unless you’re editing videos or doing Photoshop work for most of your day, Full Disk Encryption is a good idea. It’s part of the OS, and easy to configure. Not a bad way to take that extra measure of protection without completely changing the way you use your Mac.
02/28/2012
Is your cloud data safe?
by Mike Talon • newbie2virtual
Today, I went to search for some cloud-enabled task management software. My needs were simple: It had to be able to run on OS X, and it had to be able to sync with iDevices that weren’t on the same network as the Mac. There are lots of tools out there that can do this.
Then I read the fine print.
Either they sync via Bonjour – and therefore only work if you’re in the room with your Mac – or they use a cloud provider to host the data being synced. Sounds reasonable, right?
Not really.
Only one tool I found allowed for non-Bonjour sync and protected my data from being stolen at the Cloud.
Here’s what happens. When you’re doing a non-Bonjour sync, you need to send the data from your desktop to a cloud provider (typically the vendor’s own servers somewhere out on the Internet). That’s all good, and all of the vendors I looked at used https (SSL) connections to get the data to and from the servers. The problem was that the server data was not encrypted.
That’s right, vendors are making a HUGE deal of encrypting the data in-flight, but then storing the data in plain-text on their servers. Granted, they have good physical and at least good-looking digital security, but that didn’t stop anyone in the past from stealing data like credit card info from similarly shielded servers. Data thieves find a way around physical and digital security easily, and a good, encrypted data format is often the only thing that stands between a vendor and a total PR nightmare.
Before I get flamed to death in the comments section, I also realize that encryption can be broken if the thieves are dedicated enough to getting the job done. But that’s no excuse to not even TRY to keep them from reading the data if they get in.
When I went to find a syncing note-taking application, I found the same thing. The leading vendors store the note data in plain-text on their servers, easily accessible to anyone who gets past their firewall. The claim is that they cannot encrypt or else searching wouldn’t be as in-depth as it is now – but again, not offering it at all isn’t acceptable. I – and many other users – don’t use the web interfaces for these things except in dire emergencies. The whole point is that these solutions sync with desktops and smartphones, which can index locally. So web-site-based searching isn’t the biggest thing we’re looking for anyway. We’d gladly exchange a limited amount of lost functionality that we barely use, for better security overall.
Platform as a Service vendors need to wise up and start storing data in an encrypted format. I realize this means that some things like universal server-side search might suffer, but that’s better than having a data thief get their hands on everything as soon as they make it past the security by guessing some server tech’s woefully easy password.
These vendors are sitting on a time-bomb. Sooner or later some high-profile target will use their service. Thieves and hackers will go after that unencrypted data and take everyone else’s they get their hands on in the process.
So, take a few minutes and check that your PaaS vendor is keeping your data safe in the cloud. You might just be surprised to learn that their idea of “data protection” is encryption of the transmission method, but they’ve left the lock off the data sitting on their servers. Telling me that you’ve mined the road doesn’t help me when the thieves find a way through or around it, and proceed to steal all the valuables inside because the front door is made of tissue paper.
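The trade-off argued above (encrypt on the device, give up server-side search, keep search local) can be shown in a few lines. This is an added example, not code from the original post or from any vendor named here; `makeClient`, `sealNote`, `openNote`, the `Map` standing in for the vendor's storage, and the fixed passphrase and salt are all assumptions made for the illustration.

```javascript
const nodeCrypto = require('crypto');

// Derive a 256-bit key from the user's passphrase; the salt is not secret.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt one note with AES-256-GCM. The note id is bound in as associated
// data so a blob cannot be swapped between notes without detection.
function sealNote(key, id, text) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(id));
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]).toString('base64');
}

// Decrypt a blob; throws if the key, the id, or any byte of the blob is wrong.
function openNote(key, id, blob) {
  const raw = Buffer.from(blob, 'base64');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAAD(Buffer.from(id));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// The device keeps the key and a word index; the "server" (a Map standing in
// for the vendor's storage) only ever receives sealed blobs.
function makeClient(passphrase, salt, server) {
  const key = deriveKey(passphrase, salt);
  const index = new Map(); // word -> Set of note ids, never uploaded
  return {
    save(id, text) {
      for (const w of text.toLowerCase().match(/[a-z0-9]+/g) || []) {
        if (!index.has(w)) index.set(w, new Set());
        index.get(w).add(id);
      }
      server.set(id, sealNote(key, id, text));
    },
    search(word) { return [...(index.get(word.toLowerCase()) || [])]; },
    fetch(id) { return openNote(key, id, server.get(id)); },
  };
}

// Constructed sample data, not taken from any real service.
const server = new Map();
const client = makeClient('correct horse battery staple', Buffer.from('demo-salt-000001'), server);
client.save('n1', 'Bank account 12345 at Example Bank');
client.save('n2', 'Buy milk and eggs');
console.log(client.search('bank'), client.fetch('n1'));
```

Someone who copies the `server` map gets only base64 blobs, while search still works on the device that holds the key. A real client would use a random per-user salt rather than the fixed one shown.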
By the way, the tools I found were:
Note taking with Notational Velocity on the Mac and Notesy on the iDevices (with thanks to @BMKatz on Twitter) fits my needs. These tools sync via Dropbox. While not incredibly well known for data security, Dropbox does at least attempt to keep data safe on their servers. If they manage not to have any more “oops, we forgot to turn on password validation for a few hours” moments, they’re going to be doing just fine.
For task management, I use ToDo with Dropbox syncing. It is available on multiple platforms and does a great job of showing what tasks I need to do now, and later.
Both sets of tools store local copies of the data too, so if I’m not connected to the net for some reason, I can still work. I can also search quite quickly and easily because they index the data locally too.
Stay safe out there.
Photo Credit: dylancantwell