Bruce Schneier recommends TrueCrypt and PGP full disk encryption programs in this otherwise very useful post last week in the Guardian. Both programs were cracked by the Princeton cold boot attack. He goes on to make this recommendation:
And turn your computer off - don’t just put it to sleep - before you go through customs; that deletes other things. Think of all this as the last thing to do before you stow your electronic devices for landing.
The “other things”, of course being the passwords and encryption tables that these products leave in memory during sleep mode, making them vulnerable to attack. How much of a threat cold boot constitutes remains a pregnant question, given the apparently wide open market for stolen data. The first generation of data security products simply overlooked the fact that portable devices automatically switch into low power consumption modes, and do so frequently. Can you imagine a laptop that doesn’t have sleep mode? PGP, TrueCrypt, Microsoft, Apple and many others can protect data on such an imaginary device quite well.
While Bruce’s long history of eloquent championship of privacy and individual rights is commendable, shouldn’t he avoid recommending products that have known vulnerabilities, or at least more responsibly explain those vulnerabilities? In fairness, some of the bloggers who posted on this issue in the hours and days before Bruce’s post also plugged these flawed products. Some didn’t. The really important question is why Bruce’s affiliation with PGP isn’t spelled out in journalistic pieces when he plugs their products.
If he receives compensation for his role with PGP, his role as a commentator becomes significantly more complex, as the Guardian itself has pointed out here, here, and here. Without specific disclosure of the nature of Bruce’s relationship with PGP, one is left to wonder.
Here’s our disclosure: HyBlue, the sponsor of this blog, produces IceLock, the first laptop data security product that uses web-based, software-as-a-service policy and key management to reduce complexity and cost of ownership. IceLock disrupts the data security market in which PGP is an incumbent vendor. And yes, IceLock stops the Cold Boot Attack. Thus our commercial interest in the subject matter of this post is made transparent.