Hi Crispin,

Crispin Cowan wrote:
> Allen wrote:
>> Crispin Cowan wrote:
>>
>>> It costs organizations big $$$ when a laptop with sensitive data on it
>>> is stolen, but that is because they don't know for sure that it has been
>>> fdisk'd.
>>>
>>> Moreover, if everyone used BIOS and HD passwords that would .... hmmm,
>>> not do much at all:
>>>
>>> * No effect on the market for stolen laptops, see above.
>>> * Nearly no effect on the cost of recovery if sensitive data is on a
>>> stolen laptop: it just sets a lower bound on the value of the data
>>> you can disregard. If the value of the data is below the $2K it
>>> costs to recover the drive, then ignore the incident, otherwise
>>> proceed with your press release mea culpa.
>>>
>> Actually there is one market you are forgetting - blackmail. How
>> much would megabucks corp pay to keep their name out of the
>> papers over embarrassing disclosures?
>>
> Ok ... I considered that to be part of the stolen data cost. So, given
> that BIOS and HD passwords are trivially breakable, one should only
> store secrets on them that are worth less than the $2000 (or less) it
> would take to break the password protection. How is this market different?
What is an e-mail worth? Can you put a value on a mash note? In one sense, sure, by evaluating the consequential damage potential. If the significant other finds out, it might result in a nasty divorce with significant costs associated. However, what if the data by itself has no intrinsic value?

The easiest way to explain is with an example. You find a key to a house on the lawn at the park. Assume, in the first instance, that you have no clue as to which house it belongs to. Value to a burglar: zip. In the second instance you notice a magazine lying nearby with a name and address on it. You don't know if they are related, but they might be. What is the value then? If it is the address, then the value of the potential loss is the contents of the house. So a two-buck item gets a much bigger value when amalgamated with other data. In much the same way, what would be trivial information on its own can have much greater value when amalgamated with other data.

Okay, back to the laptop. Odds are that if you can read the data at all and it is from a large company, you could go googling and see what else you can find about the person whose computer it was, their position in the company and their work associates. This, then applied to a bit of social engineering, could result in a much bigger breach. Or you could go dumpster diving at the company offices and pick up information that could tie into what was found on the computer. Now what value is the data on the computer? A two-bit memo could give enough information to do a pump-and-dump stock scheme, etc. The possibilities are almost endless. For what it's worth, this type of puzzling things out from bits and pieces is where the CIA gets the overwhelming bulk of its intelligence.

But, in a way, you are correct that the risks are low that any given laptop is going to be treated this way. Is it worth the cost to mitigate this risk? If I were a salesman for a large company, you bet.
For a personal computer, probably, as you might have enough data about yourself on it to enable identity theft. In fact, I am hard put to think of a computer used at all significantly that doesn't merit mitigation of the potential risks.

Best,

Allen

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
