TrueCrypt is one option for this and, as Lifehacker tells us today, it now supports Mac OS in addition to Windows and Linux.  For more on how to install and use TrueCrypt on Windows, check out this Lifehacker article.

= = == === =====

Moo, moo…..

That’s how I felt earlier this week going through security at Newark airport. I was recently re-reading parts of Thinking In Pictures : and Other Reports from My Life with Autism by Temple Grandin for some posts on my autism blog, 29 marbles, in which she talks about her job designing cattle chutes for slaughterhouses (she’s world renowned for this, despite [because of?] being autistic. Ever on the lookout for connections between apparently unrelated things, my brain presented me with the following thought: “I wonder if Temple Grandin could come up with a better design for airport security queues?”

Maybe not, but this got me thinking about cross-functional lessons learned. Too often, in my experience at least, lessons learned and best practices are explored only from the perspective of a specific functional area. There is a lot to be learned from looking at stories from similar, but completely different, functions.

Using the case of the airport security queue as an example:

• Many people going through an airport security checkpoint have never done so before (like most [all!] cows at the slaughterhouse)
• For all practical purposes, the way through the process is to simply follow the person in front of you
• Occasionally, you will get redirected by a security person to a different line, told to stop, etc with little or no explanation (as if you don’t deserve it or won’t understand it anyway)
• etc.

The situation of people in a strange (as in unknown) queue system that has no obvious explanation in some ways is not really much different from that of a cow going through cattle chutes. What lessons can we take from Temple Grandin’s success in designing cattle chutes that result in smoother operation and apply to the security line problem?

My real point here is that sometimes you can take insights learned from one thing and apply them to something completely different with great success.

Note: Temple Grandin’s personal choice of a title for Thinking in Pictures was Cow’s Eye View, a reference to how she comes up with her designs. Maybe that’s the simple lesson to be learned here: look at the problem from the point of view of the one going through the process.

= = == === =====

Just as there is a fine line between genius and madness, there is a fine line between appropriate security and paranoia. On which side of that line are you?

Shred your sensitive personal documents before throwing them away? Appropriate security. Spread the shreds in the garden as mulch? Paranoia.

Passwords on your home network? Appropriate security. Issuing smart cards to your wife and kids? What do you think?

For a quick peak into a paranoid security expert’s approach to security, check out Security for the paranoid, which I found via Schneier on Security (one of the few things I make myself check every day).

I have to admit I don’t know if the author is serious or not, mainly because I don’t know him. My first thought when I read it was that he was serious, and seriously paranoid. I know people who think, and act, like this. And, in fact, some of the things he says make sense. For instance:

I frequently see people posting PGP signed e-mails to security mailing lists. It’s not that these people are afraid of someone actually spoofing fake comments from them on the latest CGI flaw; they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it’s really not important, but I doubt they get caught not signing when it is important.

Or

I also delete unused services on my servers. I block unused ports.

But a few things make me think it is just a bit over the top, including:

• I keep my PC’s turned around so I can tell if anyone has installed a hardware keylogger.
• I never check in luggage when I fly.
• It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.

One of the keys to establishing good, and appropriate, security is an analysis of the risk/threat, the consequences of becoming a victim, and the cost of the security measure against the cost. This is what the author of this piece misses, as evidenced by comments such as:

• Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter? Does the threat have to be real to warrant strong security?
• There’s no need to analyze the threat of every situation. Just practice strong security always and you should be okay.
• I don’t do it because I think someone is going to go through my trash to reassemble bits of my research notes. I do it because it’s good security.

I’ve been giving some thought lately to the challenges of enterprise solutions to problems and my belief that “one size can’t fit all”. Though there are some security best practices (for lack of a better phrase) that can be applied in many situations, blind application of these practices to unique situations will likely result in more harm (less security) than it does good.

But the loss of the information not only hinders your ability to do your work, it potentially puts your information, your competitive advantage, in the hands of the “wrong” people. In How to Secure your Computer, Disk, and Portable Drives, security expert Bruce Schneier gives some advice on how to prevent this from happening:

Computer security is hard. Software, computer and network security are all ongoing battles between attacker and defender. And in many cases the attacker has an inherent advantage: He only has to find one network flaw, while the defender has to find and fix every flaw.

Cryptography is an exception. As long as you don’t write your own algorithm, secure encryption is easy. And the defender has an inherent mathematical advantage: Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.

Unfortunately, cryptography can’t solve most computer-security problems. The one problem cryptography can solve is the security of data when it’s not in use. Encrypting files, archives — even entire disks — is easy.

This is how I protect my laptop.

Schneier goes on to discuss just that, along with some useful information about why he does certain things, such as:

The reason you encrypt your entire disk, and not just key files, is so you don’t have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don’t need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: no problem; the laptop is encrypted.

If you’re serious about securing your laptop, and protecting your information, give this post (and the links from it) a long, hard read. If you’re serious about security in general, you should think about adding Schneier on Security to your feed list.