皆さん、こんにちは!
Hello Everybody
(Sorry student of Japanese hehe...)
Found this forum while reading up articles on the truecrypt boot loader (namely how to hide it) and thought some of the articles were very good
Besides the introduction, this post is both a plea for other people's opinion's on my specific situation, and hopefully will insight conversation on the topic of the more human element of data security. I believe that if you cannot handle yourself well when being questioned, then technical measures to data security might mean little!
A little about me:
I'm an employed systems/network admin, I.T Manager, and a hobbyist developer (who hopes to one day earn some money from it) who's primary language is C#, but also know some VB6, C, C++.
I have always been paranoid about data security for various reasons (one being the protection of my source code and intellectual property), and have used full disk encryption combined with a tight network firewall, for years.
I work in a very very sensitive and political workplace (a special needs school) where people can be fired for simply saying the wrong thing, and thougherly investigated by police for anything beyond. I am also in a great position of trust. Being the I.T Manager who also built the network from the infrastructure upwards, i have access to everything and am generally well trusted and left to do my daily tasks (mostly) in peace.
I maintain my own arsenal of tools which I have collected or developed over the years. These are stored on my own encrypted network server with VPN access, and on my encrypted personal devices such as my laptop and flash/hard drives.
I also have developed software in my own time for the school to use. Two example pieces are a simple automatic backup system (now admittedly replaced with an open source backup system), and another is a logon events system that performs various logon-time tasks such as drive/printer mapping, hidden command execution, user friendly resource selection dialogs (and soon monitoring facilities). This software for example i wrote mostly in my own time, and i plan to license it out to other schools also. This is why i absolutly will not allow the school any access to the source code, or license key generation software, no matter how many times they claim that 'Anything on school computers is school property'.
Tools of the trade aside, there are also personal artefacts, such as my paid for Skype service which I use as a Vo-IP phone which is nice to have since I have no office phone, and general stuff like VPN clients pre-configured with my access keys. Same for FTP clients as well as saved web passwords for my network's web based data access.
My main defence is that this stuff is kept on my own devices, all of which I have setup a panic hotkey to wipe encryption keys and force a shutdown in an instant. They have also provided me with a nice MacBook Pro (school property) to use for work purposes. Naturally, I make sure never to leave un-secured information on this laptop in case the school suddenly demands access without an announcement.
Since the school likes to assume it owns anything that touches its computers, this is a environment where someone like me must not only secure their property by technical means, but also must hold their own when it comes time for questioning. They are not very technical people at all, but also dont like to hear things they dont understand and will quickly interrupt and demand a quick, easy to understand answer to the question at hand.
Now thats over with (phew) and you have a good understanding of the kind of non-technical but highly politically charged environment in which I work, I present to you the challenge:
How would you handle it, if the school suddenly demanded access to your documents stored on your encrypted work laptop? And if you access it for them and present only safe non-personal work-related data, yet they are not satisfied because they have seen you using more than just what is on the work laptop?
Do you bother to try and explain that your using your own proprietary code to do the work?
Do you tell them your also using personally purchased products?
How do you convince them that any 'extra data' is not actually present on school owned computers, and only available (e.g) on your own home server, or own personal laptop.
I think if one cannot handle a situation like this, and steer the conversation into the direction desired by you and not them, then technical measures such as encryption wont save your butt from being kicked out the door (or even worse, suspected of hideing something more sinister due to the secrecy).
I hope this post makes sense and I'd love to hear some of your opinions on dealing with non-techies in positions of power who demand access to information you damn well know is not rightly theirs!
