As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to log in to the missing computer”.
Such statements are sufficiently numerous that the pre-eminent source of breach data, Attrition.org, has issued a comment on the topic.
I recently had an idea which I honestly think might be very useful (or pathetically impotent).
I report, you decide.
The idea is simply this:
Creating some sort of on-line document and getting infosec experts/practitioners/luminaries to add their names to it. The document would be akin to an on-line petition, except that it would not be asking for something; it would be stating a position. As I envision it, it would be a couple of paragraphs, pointing out the technical facts (in lay terms): that “recovery” CDs can completely bypass OS passwords, that the better state breach laws exempt encrypted data alone for a reason (Indiana is a perfect example, having had its loophole closed so recently), that any safeguard is only as good as the threat model behind it, and that operating system passwords were never intended to be a defense against a threat which bypasses the operating system completely.
When the press perpetuates the canard (and I become aware of it), I’d dash off a letter to the editor which particularizes things and which points to this on-line document. Hopefully, this would raise awareness.
My thinking here is that many of us with an infosec and privacy background “get it”, but that the press has relatively little access to us. Human nature being what it is, the path of least effort is often followed, and press releases are reprinted without regard to their technical accuracy.
Is this a crazy idea? If so, please comment. If you think it makes sense, comment about that.
If there seems to be solid support, we can work out the details and make it happen.