Re: Newbie naive question, perhaps - - be kind
From: Paul Rubin (//phr.cx_at_NOSPAM.invalid)
Date: 10/16/05
- Previous message: Peter Pearson: "Re: PIN card"
- In reply to: Arthur: "Newbie naive question, perhaps - - be kind"
- Next in thread: Arthur: "Re: Newbie naive question, perhaps - - be kind"
- Reply: Arthur: "Re: Newbie naive question, perhaps - - be kind"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 15 Oct 2005 20:58:10 -0700
Arthur <Art7@att.not> writes:
> I'm merely a potential end user of some form of commercial encryption
> program primarily to protect some sensitive psychiatric case histories
> (as well as other files) from the curious eyes of the computer service
> kids.
You should keep that computer locked away from those curious eyes and
never connect it to the internet. A laptop locked in a file cabinet
is probably a reasonable start. HIPAA regulations may require more
and maybe you should discuss that with a HIPAA adviser. I'm presuming
you're a psychiatrist in some organization large enough to have a
computer service department.
> 1) Some of the commercial programs, such as Cryptainer, seem to suggest
> that their encryptions are essentially unbreakable: trillions of years
> of computer time would be required to break their Blowfish and AES
> encryption schemes in the program. Yet they suggest long passwords or
> pass phrases to make hacking these passwords "more difficult." They
> encouraged written questions from potential buyers, but have not
> answered my question: isn't the program as weak as its weakest link,
> e.g. the password?? ("Wheel of Fortune" comes to mind: "I'll buy a
> vowel, please.")
Yes, that's correct. The word should be a multi-word random
combination or a nonsense phrase. See www.diceware.com for a method
of creating random combinations. You can also do it with a program, e.g.:
http://www.nightsong.com/phr/dice.php
Rather than rely entirely on a passphrase you could also use a
hardware token:
http://www.g10code.de/p-card.html
> 2) if these encryption schemes are so unbreakable, and commercially
> available, why haven't I heard news items describing "terrorists" and
> their use of unbreakable encrypted e-mail ("tomorrow at 10:15, Sidney,
> we light the fuse")?
In fact there has been a huge amount of debate (lots of it hysteria)
coming from the national security and law enforcement crowds in that
direction. See for example
http://www.eff.org/Privacy/Crypto/
> Can I assume that "hackability" or unbreakability is merely a matter
> of degree, and that the police or local computer repairman will in
> all likelihood be intrigued in my newly encrypted data files and
> e-mail and therefore try all the harder to see what's within?
Your use of encryption to protect medical (psychiatric) records is
entirely legitimate and maybe even mandatory under HIPAA. The police
should not be interested in it. Computer repair people in your
organization should know better than to try to access sensitive files.
Why would either police or computer repair people even know about the
existence of these files anyway?
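As an added illustration of the weakest-link point and of the Diceware method mentioned above (example code written for this page, not from the original post, from diceware.com or from the dice.php script): a Diceware-style generator that draws words with the OS cryptographic RNG and reports how much entropy the passphrase actually contributes next to the cipher's key length. The six-word list is a constructed stand-in for the real 7776-word list, and the 1e12 guesses-per-second attacker rate in the comments is an assumption, not a measurement.

```python
import math
import secrets

# Constructed stand-in word list (six words, indexed by one die). The real
# Diceware list has 6**5 = 7776 words indexed by five dice (11111..66666).
SAMPLE_WORDS = ["abbey", "cactus", "drift", "ember", "fjord", "gecko"]
DICEWARE_LIST_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def dice_table(words):
    """Index a word list by dice strings such as '31452'; len must be 6**k."""
    n_dice = round(math.log(len(words), 6))
    if 6 ** n_dice != len(words):
        raise ValueError("word list length must be a power of 6")
    table = {}
    for pos, word in enumerate(words):
        digits, p = [], pos
        for _ in range(n_dice):
            p, r = divmod(p, 6)
            digits.append(str(r + 1))  # die faces are 1..6, not 0..5
        table["".join(reversed(digits))] = word
    return table

def roll_dice(n_dice):
    """Simulate n_dice physical dice with the OS CSPRNG, never random.random."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))

def diceware_passphrase(table, n_words):
    """Pick n_words uniformly at random by 'rolling' once per word."""
    n_dice = len(next(iter(table)))
    return " ".join(table[roll_dice(n_dice)] for _ in range(n_words))

def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)

def effective_key_bits(passphrase_bits, cipher_key_bits):
    """The weakest link: a key derived from a passphrase is no stronger than it."""
    return min(passphrase_bits, cipher_key_bits)

def brute_force_years(bits, guesses_per_second):
    """Time to exhaust all 2**bits guesses at a given (assumed) rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    bits = passphrase_entropy_bits(DICEWARE_LIST_SIZE, 6)  # about 77.5 bits
    # Six Diceware words cap AES-256 at ~77.5 effective bits; at an assumed
    # 1e12 guesses/s that is thousands of years, three words only seconds.
    print(diceware_passphrase(dice_table(SAMPLE_WORDS), 4), f"{bits:.1f} bits")
```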