I confess, though I consider myself a spiritual person, I'm not very religious. People born of a particular faith have all kinds of excuses for their lack of observance. But, usually, it just boils down to a matter of convenience. That's not my problem. I take my kids to religious school every week. I Facebook with a rabbi, a minister, a Jogye, a couple Hasidim, and members of an entire profession that most modern religions have determined to be Satan's disciples. I have plenty of opportunity, and ample reason, to pray and ask for forgiveness.

But, for those of you still searching for excuses, here's one less: If you happen to be Catholic, you no longer have to schlep your tuchas to the confessional. Now the "Jesus Phone" will bring the power of the confessional to the palm of your hand. What's more, this app not only received the coveted blessing of St. Jobs himself, but it even got the Pope's blessing for goodness sake. Which is impressive and shows great benevolence on the part of the church, considering that this app clearly duplicates existing ecclesiastical functionality.

I'm impressed that the Vatican is willing to embrace technology with open arms. Science, after all, is not their strong subject. The only question I have is, should one's iPhone become an item of evidence in a legal context, is it possible that this app will confess your sins to the police as well?

For those who believe revenge is a dish best served cold...

Like so many around the country, David Welles has had to endure a long cold Winter this year -- only made worse by the volume of snow in front of his Chicago home, and the untimely disappearance of his snow shovel. While Welles is no better equipped to dig his way out of a snowstorm than anyone else without a shovel, he was perfectly equipped to identify the perpetrator -- or, at least her car. That's because Welles works for a security company by the name of Tunnel Vision Technology, and it appears as though he's been visiting the supply closet.

While we'll presume that David's "eagle eye" came with a receipt, the snow shovel he caught his neighbor stealing on digital video didn't. Under ordinary circumstances, one might turn the evidence over to the police. Then again, under ordinary circumstances, it's not likely there would have been any evidence. But, these are no ordinary circumstances, and these are no ordinary times.

David's shovel was probably worth less than $25, maybe ten on the street. The trail was cold before it was laid. And the "perp" wore gloves, so no fingerprints. This wasn't about money. This was about the age's-old relationship between a man and his tools. Besides, Welles had another idea. He entered an arms race, added a dose of PsyOps... and then he turned to YouTube. The result? What Welles calls, "The Quadrilogy of My Favorite Snow Shovel". See the results for yourself.

(NOTE: If you are ONLY connaisseur of revenge, skip to the mid-point.)

What is the world coming to when our leaders use scare tactics to get what they want? (Rhetorical question, of course.) But that's exactly what happened when backers of the so-called "Internet Kill Switch" evoked images of foreign hackers opening flood gates and drowning citizens.

“We are very concerned about an electronic control system that could cause the floodgates to come open at the Hoover Dam and kill thousands of people in the process,” said Brandon Milhorn, staff director of the Senate Homeland Security and Governmental Affairs Committee. ”That’s a significant concern.”

Not only is that not a significant concern, it turns out not even to be an insignificant concern. But the false information was no insignificant matter to the Bureau of Reclamation, which runs the power-generating facility on the Arizona-Nevada border.

“I’d like to point out that this is not a factual example, because Hoover Dam and important facilities like it are not connected to the internet,” Peter Soeth, a spokesman for the bureau, said in an e-mail. “These types of facilities are protected by multiple layers of security, including physical separation from the internet, that are in place because of multiple security mandates and good business practices.”

Yesterday we posted a poll to get your opinion on this issue. Please take a moment to make your voice heard.

In the aftermath of Egypt and Tunisia's government-imposed Internet shut-downs, there has been a lot of talk this week about the U.S. Senate's Internet "Kill Switch" bill. No one argues that our networks are vulnerable to attack. Senators say they have committed to this power only to protect against "external cyber attacks". This raises several questions and deserves serious debate:

• In a global network, is there really a distinction between internal and external threats?
• Under what circumstances would the President use this power, and with what oversight?
• Could the financial damage of isolating U.S. commerce from foreign customers outweigh the potential damage from attack?
• Does the risk of an "Egyptian-style" shut-down really exist in Western Democracies, and if it does, is it a fair trade-off for national security?

That leads to today's poll question: Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Of course, there are few perfect Yes/No answers in this world. Please feel free to share your comments below, and we encourage you to use the "Like" and "Share" buttons to elicit more opinions from others.

Some have suggested that our legislation would empower the president to deny U.S. citizens access to the Internet. Nothing could be further from the truth.
-Joseph Lieberman (I-Conn.)

In a statement issued this week, Senators' Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), and  Tom Carper (D-Del.) said that their intent was to allow the president "to protect the U.S. from external cyber attacks," not to shut down the Internet.

Aside from the obvious civil liberties concerns, the problem I see is largely a mechanical one, and it demonstrates the Senators' lack of fundamental understanding when it comes to the world in which they legislate: By the time a cyber attack is apparent, it's no longer likely an "external" threat. The most effective attacks known today are distributed amongst a multitude of machines in various locations, making it impossible to protect citizens without shutting down the Internet -- if such a thing could even be accomplished in this country.

The U.S. network infrastructure is much more complex and diverse than that of Egypt. In part, that has to do with the shear differences in scale. But, perhaps surprisingly, it also has to do with the age of our network. Parts of our interconnected network go back five decades. Some interconnected networks predate the Internet itself. And these are interconnected with new infrastructure being added every day without the need for government knowledge or consent.

Most importantly, when the Advanced Research Projects Agency Network (ARPANET) was conceived, it was specifically designed to survive and reroute against an outage. That means, depending on the final draft, the law would likely be either ineffective, dangerous, or both.

The Need

Where do I begin? Even before (maybe especially before) storage devices were portable, they were still vulnerable to theft, due more to their high resale value than the questionable value of their contents. Today, the market value of even a brand-new desktop computer may not be worth the potential consequences of being caught. But, the lucrative identity theft trade has given rise to an entirely different motive for computer, tablet, and cellphone theft. In this case, the device is simply a means to an end.

But theft and the obvious concern over losing such easily and commonly misplaced devices as thumb drives are far from the only reason to encrypt hard drive data. Today, for instance, international travelers may be subject to the copy and search of their hard drives, as authorized by the Department of Homeland Security's U.S. Customs and Border Enforcement's "Policy Regarding Border Search of Information" (July 16, 2008), which, among other things, allows Customs Agents broad discretion to detain "electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search." Regardless of your motivation, encrypting mobile data storage should be high on your list of priorities. Like my AmericanExpress card, I never leave home with out it.

Note to attorneys, medical professionals, or anyone with a fiduciary responsibility: Unlike most professionals, you may have a legal, if not ethical, responsibility to protect your clients' data. Even if a standard for "reasonableness" has previously been applied to "locks" and other 20th century security practices, it may not apply to devices removed from a secure space. Check with your respective associations and/or licensing boards for more information.

Hardware vs. Software Encryption

There are two primary means of data encryption on the market today: hardware and software. The primary advantage of the latter is price and wide-scale availability. While software encryption can be used to protect a part or the whole of a storage device, it can also be applied to nearly any storage device attached to almost any operating system--but not necessarily interchangeably. That is to say that the mechanism for encrypting a device attached to one operating system may not be able to be decrypted on another, and vice-versa. That is not universally true, but your mileage may vary, depending on the software utilized. One more significant disadvantage to consider is the possibility of what's commonly referred to as a "man-in-the-middle" attack. Software encryption and decryption are performed on the host-system. That means that a compromised system can be used to intercept your password, disable your encryption, or worse. While the data within a hardware-encrypted drive is still vulnerable to a compromised system, the encryption method should be isolated. The exception being that a hardware-encrypted device that relies on password entry from a computer keyboard may still fall prey to a malicious keylogger, screen capture, or some form of remote access. In either case, two-factor authentication, utilizing a hardware "key" may largely mitigate this concern.

One more recent concern over software encryption involves a practice referred to as a "Cold Boot Attack", which exploits access to the computer's RAM in search for encryption keys, rather than attempting to physically crack the encryption algorithm.

Hardware-encrypted devices, on the other hand, tend to sell at a premium.  They are also not yet widely available. As discussed below, these devices have yet to gain a firm market foothold. This means that your options are severely limited. But, when implemented just right, they can have a clear advantage over software encryption, with a heavy nod toward external authentication mechanisms, such as keypads and biometrics. Many also have the advantage of performing the entire encryption and decryption process internally, without utilizing any host-CPU. Theoretically, this should have a decided speed advantage, compared to software encryption, which is dependent entirely on the computer's processor to continuously encrypt and decrypt data. A disadvantage, however, is that upgrades are usually out of the question, as most hardware encryption devices are uniquely mated to their internal storage. Conversely, software-encrypted drive partition or directory can often be mirrored, or even just copied to a new device. Which also has some clear advantages when it comes to backing up data.

One other interesting advantage to software encryption is plausible deniability. Or, at least, obsfucation. Some software encryption applications will hide encrypted data within, or along side, unencrypted data in a way that makes it look like unused space. Other features allow for hidden encrypted partitions, and even boot-loaders that make a drive appear to be unreadable or un-formatted.

Software

You know the saying, "You get what you paid for"? It doesn't apply to software encryption. Some of the best encryption software available isn't for sale. At the same time, you're welcome to pay decent money for some pretty questionable applications.

TrueCrypt

I'm just going to start right off with my favorite. TrueCrypt is a free open-source software encryption application for Windows, Mac and Linux. It can encrypt an entire device, just a partition, a directory, or a single file. Decryption can occur after the system has been booted, or you may take advantage of whole-drive pre-boot authentication. Volumes can be hidden with or amongst other data, or an entire operating system can be hidden in the shadow of another, leading a potential intruder to logically assume that the unencrypted operating system is the only operating system. Other features include various models of two-factor authentication, and encryption of removable devices. Encryption can, and in practice does, occur transparently and without user intervention.

Microsoft BitLocker

Similar in some aspects to TrueCrypt, BitLocker is included with all Ultimate and Enterprise editions of Microsoft Windows Vista and 7. It provides for full-volume encryption using 128 bit AES. This feature also offers two-factor schemes to decrease intrusions. Microsoft made an attempt to provide plausible deniability or obfuscation within this software.

Apple FileVault

FileVault encryption comes packaged with Macintosh computers beginning with OS X v10.3 (Panther"). Unlike the products above, FileVault does not encrypt entire volumes, but rather individual directories. Nor have any obfuscation or plausible deniability features been included.

Hardware

Unfortunately, when it comes to hardware encryption devices, sometimes you can't have the best money can buy, unless you're willing to buy a lot of them. Currently, the biggest drawback to these devices is the lack of selection -- especially when it comes to consumer or small business-oriented devices.

Ironkey

Ironkey

Ironkey is one of the best-known encrypted USB thumb drives on the market. At the time of writing, Ironkeys come in "Basic", "Personal", and "Enterprise" models. According to the manufacturer's web site, currently-sold models inlude a rugged metal tamper-resistant waterproof casing, always-on AES 256-bit hardware encryption, and strong authentication. They are also cross-platform compatible (Windows, 2000, XP, Vista, and 7, with or without administrative privileges, as well as Linux and MacOS). Personal and Enterprise models also include a pre-installed secure Firefox browser, password and identity manager, and encrypted backup application. Enterprise models also include a remote-disable and terminate feature for lost and stolen USB drives, as well as a number of administrative features.

Ennova

Ennova OLED Biometric Secure Drive

One of the most exciting looking devices is Ennova's fingerprint scanning encrypted USB thumb drive with a color OLED screen. At least from the visual aid, it appears as though the OLED screen serves double-duty as both a touchscreen for manipulating the device, and a biometric fingerprint scanner.

Unfortunately, the device was due out in 2010 and has yet to been seen for sale. Memory size and pricing specifications are unconfirmed as well. In the meantime, I have my biometrics crossed.

Sandisk Cruzer Enterprise

SanDisk Cruzer Enterprise

Another enterprise-bound device, SanDisk's Cruzer Enterprise includes 256-bit hardware-encryption and two-factor RSA SecurID authentication. What this means for the end-user is integration with the ubiquitous RSA token (pictured), providing a level of security already familiar to security-minded corporations, and already in the hands of their employees. This device, however, is not likely to be available on a one-to-one basis, but appears to be marketed in bulk to large organizations.

Lenovo ThinkPad Secure Drive

Thinkpad Secure Drive

About as utilitarian as they come, Lenovo's ThinkPad Secure Drive looks like it could be mounted to a vault. Encryption is 128-bit AES. With a 500-RPM spinning drive, this drive holds more data than most solid-state devices, and much more than a thumb drive. At 160GB, 320GB, and 500GB, you won't likely use it to encrypt your entire Bluray movie collection, but it might make a suitable backup drive for your desktop, compared with most thumb drives topping out at 64GB or less.

The hardware encryption is externally obvious by the keypad. Meaning that, once the correct code has been entered on the physical keypad, this becomes a standard external hard drive. This also means that this product is not subject to software exploits designed to capture keystrokes or disable encryption software. Nor does it require administrative privileges to operate, or any software drivers. This becomes particularly important when using it across platforms, which it should accomplish admirably.

Fujitsu Intelligent ("Self-Destructing") USB Drive

Fujitsu Intelligent USB Drive

Rather than building Fort Knox on a key chain, Fujitsu's Intelligent USB Drive has a built-in processor and battery that, after a pre-set intervention period, will automatically erase data when it’s plugged into an unauthorized computer. Additional enterprise-bound software interacts with the device to restrict which network devices can and cannot access the device, and can even "self-destruct" if an unauthorized attempt is made. Perhaps most intriguing, Fujitsu is reportedly developing something called "File Redirect" which will prevent data from being transferred from the device to any other device, requiring all manipulation to take place on the drive itself. This is a real departure from other devices, by placing an emphasis on securing authorized user-activity, rather than just unauthorized activity, and loss due to theft or carelessness.

Another innovative device, the Intelligent USB Drive has yet to see the light of day, outside Fujitsu's labs. The photo (left) looks real enough. One has to wonder if the self-destruct feature makes getting this product cleared by Fujitsu's legal department a "Mission:Impossible".

Bottom Line

With the exception of Ironkey, most companies appear to be dipping a toe in the water. I haven't seen a solid commitment to a product line, or even a single product, from most other manufacturers. Instead, they appear to be focusing on space-intensive consumer-oriented personal multimedia storage devices. It's unfortunate, because when it comes to purchasing this kind of product, name and reputation often take a backseat to performance and innovation. That means that this product segment could still be anyone's game. Thus far, it appears as though most challengers have already conceded to Ironkey.

In reality, however, the consumer has to shoulder some of the blame. The lack of interest from the consumer in personal data security makes an investment in a product line a questionable investment. Until consumers demonstrate a real interest and concern for data security, or the enterprises make it mandatory, it's likely to remain a niche market.

Other Locking Methods

There's no school like the old school. These devices eschew advanced algorithms, fancy biometrics, and all matters of cloak-and-dagger, for a combination lock. Though I struggle for a humorous take on what appears to be silly in the shadow of vastly superior technology, I really can't find it. So long as the locks hold, these are really no less secure than any other means, probably less complicated to utilize, not subject to any of the traditional attacks or intrusions, and more affordable.

It feels a bit like comparing a Schwinn to a Ferrari. But, there are many places a Schwinn will take you that a Ferrari can't, and you'll never find yourself stranded due to a dead battery.

oo7 USB Flash Drive

007 USB Flash Drive

I'm not a fan of the name, unless it's meant to convey the same thing as calling a bald guy "Curly" or a fat guy "Slim". And, I'd like to think that James Bond's flash drive might be more than, well, a flash drive. But the concept seems solid. A three digit user-"programmable" combination converts the 007 USB Flash Drive from a combo-lock to a thumb drive. Without the digits, it's useless as a storage medium, but sufficient to secure other forms of storage, like a gym locker. But, the added kicker is, even once the numbers are in order, you'll still have to enter another password once you plug it in. (Let's hope that's not the same as the first.)

This one's still a concept, but who knows?

Lock It Down: Combination Lock for USB Flash Drives

Lock It Down

OK, this physical thumb drive lock only serves one purpose. But, it comes in three colors, and it's available now! It also has the added advantage that it works with any thumb drive. But don't attach it to the end of a USB cable, because that would just be dumb.

This one's hard to find, but there are a number of very similar devices available for a few bucks on eBay (and they come in even more colors).

SecurityDr Data Guard USB Thumbdrive Lock

SecurityDr Thumb Drive Lock

The only obvious difference between the SecurityDr and the product above is that it's bigger and comes in no color options. But, it includes a free FTC ID Theft Protection Manual, and it's available at Amazon.com right now. (Note: For what it's worth, you can download the FTC's ID Theft Protection Manual HERE for free.)

Last month the US Federal Trade Commission testified before Congress in order to establish "Do Not Track" legislation, challenging companies to either self-regulate, or face potentially stiff laws prohibiting the tracking of Internet users. This week the US Department of Justice testified before congress to establish regulations requiring data retention for the purposes of investigation and prosecution.

"Data retention is fundamental to the department's work in investigating and prosecuting almost every type of crime," US deputy assistant attorney general Jason Weinstein told a congressional subcommittee on Tuesday. "In some ways, the problem of investigations being stymied by a lack of data retention is growing worse." Weinstein acknowledged that greater data retention requirements raise legitimate privacy concerns but "any privacy concerns about data retention should be balanced against the needs of law enforcement to keep the public safe."

Emphasizing the vast disparity between the testimony of  these two Federal organizations is the following statement from the FTC's own prepared statement to Congress expressing a principal of "reasonable security and limited retention for consumer data" among companies collecting sensitive data.

"A key to protecting privacy is to minimize the amount of data collected and held by ISPs and online companies in the first place," according to John Morris, general counsel at the non-profit Center for Democracy & Technology. "Mandatory data retention laws would require companies to maintain large databases of subscribers' personal information, which would be vulnerable to hackers, accidental disclosure, and government or other third party access."

The DOJ's request would require "an entire industry to retain billions of discrete electronic records due to the possibility that a tiny percentage of them might contain evidence related to a crime," says Kate Dean, executive director of the Internet Service Provider Association. "We think that it is important to weigh that potential value against the impact on the millions of innocent Internet users' privacy."

A byproduct of life in the 21st Century is that many of the perks of a post-centennial lifestyle require the abdication of a fair bit of privacy to cyberspace. That means that the paper records that once required a search warrant to read (and maybe the forceful extraction from your cold-dead-hands), are now in the possession of companies who don't. Of course there's Facebook and Twitter. Those didn't exist in the 20th. Century. But, what about your phone records and email? While your phone company has long been subject to a warrant or subpoena, in the 21st. Century new "self-service" tools have been developed to help telcos manage the onslaught of requests made particularly attractive by the fact that most of us carry what amounts to a homing-beacon in our pockets. Similarly, while email has always been an attractive source of discovery, until recently most of it resided on each correspondent's physical, and virtual, desktop waiting to get written-over by something more current. Today, it's more likely been put out to pasture in a seemingly-endless "server farm", waiting to be picked by a custodian of records.

Even our personal computers, which have always required a search warrant, and often require a cascading series of search warrants covering various regions of storage space and categories of searches, are rapidly being replaced by windows to the web -- sleek sheets of glass and sculpted-aluminum that act as a portal to your virtual existence. Like a supermodel, these tablets are thin and beautiful, but two-dimensional, with very little substance inside. What makes these devices a reality today is a combination of near-ubiquitous Internet connectivity and access to your personal online data once it's established. Even the notion of "backing up" is becoming a thing of the past, because the data you see, isn't really here. It's somewhere else, presumably safe from destruction, but not necessarily from dissemination. Like many things in life, it's a trade-off.

But, not when it comes to fighting crime. The shift of discovery from physical space to cyberspace is a decided advantage for law enforcement. In fact, Google reports that it responded to more than 4200 discovery requests in the first-half of 2010 alone. One of the reasons these requests have become so popular is that online data is easier seize than a laptop, and often much more useful. Much of what can be had requires no search warrant at all, and thanks to online tools, can be had without even so much as contacting the service provider. Why? Because, unlike the data on your hard drive, you don't necessarily own your data when it's stored in cyberspace.

The Electronic Communications Privacy Act was enacted by Congress in 1986 -- long before most people had access to the Internet, email, or a cellphone. When Mark Zuckerberg's only friends were his stuffed animals. Mind you, it was revolutionary for it's time -- enacted to extend government restrictions on wire taps from telephone calls to also include transmissions of electronic data by computer. But, it doesn't address current evolution. Today, far more can be gleaned from a historical records search than any telephone wiretap. Perhaps that's why last year the Department of Justice argued in favor of warantless email searches. Or why in the same year the DOJ argued that cellphone users had abdicated any expectation of privacy by using a service that stores location data.

Read more at http://www.nytimes.com/2011/01/10/technology/10privacy.html?_r=2&pagewanted=2&ref=technology

Careful What You Click F

Actress Winona Ryder doesn't use the Internet. She just got her first smartphone, but finds it unpredictable. She had a laptop, but rarely used it.

She's fearful of technology. And that just might make her smarter than you.

As evidenced in her "Late Night" interview with Jimmy Fallon, these days, such concerns are the fodder for comedians. It's the current equivalent of being afraid to drive or swim. In the late 20th. Century, it might have been a fear of handing one's money over to an ATM machine. Or more recently, making a purchase online. But, well over 30,000 people died in car accidents in 2009. Another 24,000 were injured. In a similar period, more that 3000 people died from drowning. Fear is not necessarily a bad thing. Not if it keeps you safe.

Most of us either fear what we don't know, or fear what we do. There's also a whole complicated subset of irrational, or misguided fears that really fall into the first category. According to her own interview, Ryder falls into the former classification.

Ryder told Fallon, "We're a button away from joining Al Queda!"

How many times have you accidentally opted yourself into joining a mailing list because you forgot to un-approve your pre-approved consent? What about that time when you accidentally installed a bunch of "trial-ware" that came along with a program you legitimately wanted to use. Somewhere, before or after the end-user-license agreement you didn't read, it may have been an option. In the 90's one of my attorney-client's accidentally sold a good investment when he was dabbling with online day trading. I have met people who accidentally purchased cars on eBay. Meanwhile, I promise (though I don't recommend confirming it) that many forms of contraband are just a few clicks, or even a typo, away from where you sit this very moment. Last Summer I gave National Public Radio (NPR) a glimpse into just how easy it can be. Even if you bleed apple pie filling, you're still just a click away from looking like someone else.

I haven't tried it myself, but I'll bet joining Al Queda requires, at least, the completion of an annoying CAPTCHA in order to submit a membership application.  While I'm sure Ryder has no interest in joining, just the accusation, or even a rumor, that she ever supported a terrorist organization, or had some other frighting interest, could be just as detrimental. Remember Christine O'Donnell, the Republican Party's most famous witch? In some parts of the country that's harder to understand than extremism.

Ryder: "We're a button away from joining Al Queda."

Remember, Ryder works in the industry that was most famously asked, "Are you, or have you ever been a member of the Communist Party?"

Maybe -- even if unwittingly -- she's on to something. Maybe we'd have several thousand fewer vehicular deaths every year if more drivers understood the engineering that goes into the highway, or a car, it's tires, or even just its brakes and safety systems. Sure, it might scare a few people out of driving altogether. But it might make the rest think a little harder before they accelerated into a turn, or tried to beat a red light across a wet intersection. Maybe, if more people really understood the Internet better before hopping on the "Information Superhighway", law enforcement might have fewer accidents to investigate.

Show of hands: How many people have a reasonable expectation of privacy when you send an email? It turns out, as late as December 2010, you may have had no reasonable expectation of privacy when it came to your email correspondence -- at least that was the opinion of the United States Department of Justice (DOJ). And, between your Internet Service Provider's (ISP) Terms of Service (TOS), and the 1986 Stored Communications Act (18 U.S.C. §§ 2701-2712), you may not have under various circumstances.

M. Scott Koller, of McKennon | Schindler in Newport Beach, CA has written a very comprehensive overview of the decision, why it was ever in doubt, and the 1986 act that got us here in the first place.

Read more at http://www.reasonableexpectation.com/2011/01/09/stored-email-protected-by-the-4th-amendment/