Re: Newbie naive question, perhaps - - be kind

From: Paul Rubin (//phr.cx_at_NOSPAM.invalid)
Date: 10/16/05

    Date: 15 Oct 2005 20:58:10 -0700

    Arthur <Art7@att.not> writes:
    > I'm merely a potential end user of some form commercial encryption
    > program primarily to protect some sensitive psychiatric case histories
    > (as well as other files) from the curious eyes of the computer service
    > kids.

    You should keep that computer locked away from those curious eyes and
    never connect it to the internet. A laptop locked in a file cabinet
    is probably a reasonable start. HIPAA regulations may require more
    and maybe you should discuss that with a HIPAA adviser. I'm presuming
    you're a psychiatrist in some organization large enough to have a
    computer service department.

    > 1) Some of the commercial programs, such as Cryptainer, seem to suggest
    > that their encryptions are essentially unbreakable: trillions of years
    > of computer time would be required to break their Blowfish and AES
    > encryption schemes in the program. Yet they suggest long passwords or
    > pass phrases to make hacking these passwords "more difficult." They
    > encouraged written questions from potential buyers, but have not
    > answered my question: isn't the program as weak as its weakest link,
    > e.g. the password?? ("Wheel of Fortune" comes to mind: "I'll buy a
    > vowel, please.)

    Yes, that's correct. The word should be a multi-word random
    combination or a nonsense phrase. See for a method
    of creating random combinations. You can also do it with a program, e.g.:

    Rather than rely entirely on a passphrase you could also use a
    hardware token:

    > 2) if these encryption schemes are so unbreakable, and commercially
    > available, why haven't I heard news items describing "terrorists" and
    > their use of unbreakable encrypted e-mail ("tomorrow at 10:15, Sidney,
    > we light the fuse")?

    In fact there has been a huge amount of debate (lots of it hysteria)
    coming from the national security and law enforcement crowds in that
    direction. See for example

    > Can I assume that "hackability" or unbreakability is merely a matter
    > of degree, and that the police or local computer repairman will in
    > all likelihood be intrigued in my newly encrypted data files and
    > e-mail and therefore try all the harder to see what's within?

    Your use of encryption to protect medical (psychiatric) records is
    entirely legitimate and maybe even mandatory under HIPAA. The police
    should not be interested in it. Computer repair people in your
    organization should know better than to try to access sensitive files.
    Why would either police or computer repair people even know about the
    existence of these files anyway?
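The "weakest link" point above (the cipher's key size is irrelevant if the passphrase is easier to guess) and the advice to build the passphrase from a multi-word random combination can be made concrete with a small calculation. The following is an added example, not code from the post or from any product it mentions. It assumes a constructed 32-word sample list (a real word list such as Diceware has 7776 words; the 7776 figure is used only as a parameter) and draws words with Python's `secrets` module, i.e. the operating system's cryptographic random source.

```python
import math
import secrets

# Constructed sample word list for a runnable demo. With only 32 entries it
# yields a deliberately weak passphrase; the point is the arithmetic, not
# the words themselves.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zephyr", "anchor", "basket", "cobalt", "dolphin", "engine", "forest",
]


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy (in bits) of a passphrase of num_words words, each drawn
    uniformly and independently (with replacement) from list_size words."""
    if list_size < 2 or num_words < 1:
        raise ValueError("need a list of at least two words and at least one draw")
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words whose passphrase entropy reaches target_bits,
    e.g. how many Diceware words it takes to match a 128-bit key."""
    per_word = entropy_bits(1, list_size)
    return math.ceil(target_bits / per_word)


def generate_passphrase(num_words: int, words=SAMPLE_WORDS) -> str:
    """Pick words with the OS CSPRNG via secrets.choice; random.random()
    is not suitable for this purpose."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return " ".join(secrets.choice(words) for _ in range(num_words))


def effective_strength_bits(key_bits: int, passphrase_bits: float) -> float:
    """Weakest link: an attacker attacks whichever is cheaper, so the
    effective strength is the smaller of the two."""
    return min(key_bits, passphrase_bits)


if __name__ == "__main__":
    six_diceware = entropy_bits(6, 7776)
    print(f"6 words from a 7776-word list: {six_diceware:.1f} bits")
    print(f"words from 7776-word list to reach 128 bits: {words_needed(128, 7776)}")
    print(f"words from the 32-word sample list to reach 128 bits: {words_needed(128, 32)}")
    print(f"effective strength with AES-128 and 6 Diceware words: "
          f"{effective_strength_bits(128, six_diceware):.1f} bits")
    print("sample passphrase (weak, 32-word list):", generate_passphrase(6))
```

Six words from a 7776-word list give roughly 77.5 bits, so a file encrypted with a 128-bit AES key but protected by that passphrase is a 77.5-bit problem for an attacker who can run an offline guessing attack, which is exactly the weakest-link concern in the question; ten such words are needed before the passphrase stops being the cheaper target.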
