
18

Mar

Thoughts on Whole Drive Encryption

Posted by mckinleytabor  Published in Software Review

I have started to use a new open source program called “TrueCrypt” and I wanted to share some of my first impressions.

Data protection is quickly becoming the number one priority in computer security. In fact, it could be argued that the data carried on your computer is more valuable than the computer itself. For example, last year the Nashville Election Commission had a laptop stolen that contained data on every Nashville voter. With this data a criminal could have assumed the identity of any Nashville voter and done any of the typical “identity theft” things, such as opening credit card accounts under that ID, opening or closing utilities, etc. Fortunately Nashville got the laptop back, but other data loss situations are popping up all the time.

It’s a fact of life that someone is going to lose a computer component that has sensitive data on it. Be it a laptop, desktop hard drive, backup tape, or USB thumb drive, accidental loss or just plain theft will occur. Of course, when that laptop is stolen, did the thief just steal it to pawn for drug money, or was it a calculated attack aimed at getting sensitive data? And even if it did get pawned, what if the new owner finds the data and sells it? The only sure defense for your data is to encrypt it, and that is what TrueCrypt does.

TrueCrypt takes different approaches to how it encrypts your data. One method is the concept of using a “virtual drive” or “drive image”. Basically, a “virtual drive” or “drive image” is a file on the hard drive which the OS (Windows in this case) “mounts” as a normal drive in and of itself. So the file in My Documents called “Some_cd_image.iso” is mounted to look like it’s the “L:\” drive. Any data read from or written to the “L:\” drive actually goes into “Some_cd_image.iso” in My Documents. Mac users are more accustomed to this concept because Mac software from the Internet is generally distributed using a “.dmg” file, which is a drive image. People who “back up” their CD-ROMs also work with drive images, because those backups are simply sector-by-sector image copies of the original optical disc. But I digress.

One method for TrueCrypt is to create a file which is then mounted as a drive image. TrueCrypt will then automatically encrypt and decrypt data as it is written to or read from the “drive”/file.

TrueCrypt can also encrypt whole drives, so rather than having an encrypted file which is then mounted as a virtual drive, you can choose to encrypt an entire thumb drive, or a second hard disk. Again, once the drive is created and mounted, you can read and write data to it just like any drive. TrueCrypt handles the encryption and decryption automatically.

TrueCrypt also has a “whole drive encryption” feature for the system drive. This is the really COOL feature in which you can encrypt your ENTIRE computer. When your computer boots, TrueCrypt will ask for a password (this is the encryption key). After you enter the correct password, your system will boot and run as normal. If your computer is lost or stolen, your data is safe. TrueCrypt isn’t a password, it’s encryption, so even if the thief took the hard drive out and put it into another system, they would not be able to “see” any of the data on it. Because you only have to enter your password at boot time, there is no constant “in-your-face” element to TrueCrypt; all new data, email, or programs you put on your system are safe.

TrueCrypt also has some other features which I really like.

  1. Total lack of data structure in a secured file. This means that if you had a file you mounted as a drive image, there is no way for anyone to tell what exactly that file is or how full that “virtual drive” might be without knowing your encryption key (password). In fact, a TrueCrypt file is nothing more than random “noise” before you use your encryption key, thus someone could not actually PROVE that the file they are looking at is even an encrypted file.
  2. Hidden Volumes and Plausible Deniability. TrueCrypt lets you create a “file within a file”. Let’s say that you have a situation where you are forced by some means to give over your encryption key (password). There are many far-fetched examples of why this would happen, such as “someone has a gun to your head”. However, a more realistic example would be “you are under court order to turn over a password”. With Hidden Volumes and Plausible Deniability you could have 2 passwords: one opens up your real secret stuff, the other opens up somewhat secret stuff. If forced, you simply give up the “somewhat secret stuff” password. There is NO technical way to prove that you gave up the wrong one.
  3. Key Files. These are files which you can use in place of, or along with, a password. For example, you have a picture, or ten pictures, which you can use as “passwords”. You simply tell TrueCrypt to use the “hashed sums” from that or those image files as the password. A “hashed sum” is a mathematical representation of a computer file which is always the same so long as the file does not change. What makes the use of “hashed sums” of key files interesting is that you can avoid using the keyboard to input the key to unlock your data. Criminals have used “keyboard loggers”, which record every keystroke, to record passwords from victims’ computers.
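
The key file idea in item 3, as an added example that is not from the original post and is not TrueCrypt's own key file processing: it assumes a simplified scheme in which SHA-256 digests of the key files are mixed with the password and stretched with PBKDF2. All function names, the salt and the sample "photos" are constructed for illustration. It shows the practical catch: a key file that changes by a single byte no longer unlocks anything.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumption for this example; tune to your hardware


def keyfile_digest(content: bytes) -> bytes:
    """The 'hashed sum' of one key file: identical bytes give an identical digest."""
    return hashlib.sha256(content).digest()


def derive_key(password: str, keyfiles: list[bytes], salt: bytes) -> bytes:
    """Derive a 32-byte volume key from a password plus zero or more key files."""
    # Sort the digests so the order in which key files are supplied does not matter.
    digests = sorted(keyfile_digest(k) for k in keyfiles)
    # Length-prefix the password so password bytes and digest bytes cannot blur together.
    pw = password.encode("utf-8")
    secret = len(pw).to_bytes(4, "big") + pw + b"".join(digests)
    return hashlib.pbkdf2_hmac("sha512", secret, salt, ITERATIONS, dklen=32)


def unlocks(candidate: bytes, expected: bytes) -> bool:
    """Stand-in for 'the volume header decrypts correctly' (constant-time compare)."""
    return hmac.compare_digest(candidate, expected)


# Constructed sample data: stand-ins for two image files and a per-volume salt.
SALT = bytes(range(16))
PHOTO_A = b"\xff\xd8\xff\xe0" + b"constructed JPEG-like bytes A" * 64
PHOTO_B = b"\xff\xd8\xff\xe0" + b"constructed JPEG-like bytes B" * 64
# The same photo after an editor touched one byte (for example, rewritten metadata).
PHOTO_A_EDITED = PHOTO_A[:100] + bytes([PHOTO_A[100] ^ 0x01]) + PHOTO_A[101:]

# Key files only, empty password: nothing is typed, so a keylogger records nothing.
VOLUME_KEY = derive_key("", [PHOTO_A, PHOTO_B], SALT)

if __name__ == "__main__":
    checks = {
        "same files, other order": [PHOTO_B, PHOTO_A],
        "one key file missing": [PHOTO_A],
        "one byte changed": [PHOTO_A_EDITED, PHOTO_B],
    }
    for label, files in checks.items():
        print(f"{label}: unlocks = {unlocks(derive_key('', files, SALT), VOLUME_KEY)}")
```

Keep an unmodified backup copy of every key file somewhere separate from the encrypted volume, because an image that gets re-saved or re-tagged is a different file as far as the hash is concerned.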

I have really started to beat the drum about security with my clients here at TCG. TrueCrypt is perhaps the best tool I have found thus far for the lay-person to help guard against data theft.


10

Mar

The Daylight Savings Time Myth

Posted by mckinleytabor  Published in Whines

The arrogance of the federal government is astounding. On top of everything else they do that irks me, they also feel like they can change time itself.

Just to give some perspective, modern Daylight Savings Time (DST) was the idea of a Briton named William Willett, who sought to impose his own “morning person” world view. It was adopted in the US in 1918 as part of the irrational rise of nationalism in the early part of the 20th century. DST has gone through some adjustments, most recently in 2007 when the switch dates were moved.

I have to admit here that I am somewhat biased against time change. In my line of work I have to keep accurate and synchronized time across a wide variety of computing devices. So twice a year I get the job of going around to 50+ computers, phones, printers, fax machines, etc., and making sure that they have either made the time jump, or adjusting them to match the new correct time. I also have to go to many of my clients and make sure that their computers, phones, printers, fax machines, etc., have done the same. So the Sunday and Monday following a time change are a big headache for me, and inevitably something gets missed, or decides to revert/jump, and weeks later I’m tracking down a problem, or worse, not finding a problem because the logs are an hour (or two) off. Not only does the “act” of switching cause problems, but this notion of moving the switch dates also causes its own spate of problems. A lot of software, OSes, and time-centric hardware have the DST switch dates hard coded into them. So for these legacy systems I now have to set the clocks forward or back on the new switch dates, and then reset them on the old switch dates when they change themselves.

Both in 1918 and in 2007, DST technology has been justified by Congress to the public as a money-saving venture. Well, personally I lose money every time the time changes because of the aforementioned reasons. Finally I have learned that I’m not alone. The Wall Street Journal published an article discussing a paper written by Matthew J. Kotchen and Laura E. Grant, economists at the University of California at Santa Barbara. The article and paper are part of a growing movement to show that DST is neither cost saving nor necessary in the US.

Most of the rest of the world does not observe a DST, and those that do rarely switch on the same dates as we do. So those of us who do a lot of international business also have the additional gripe of having to figure out what time it is in another country based on what day of the year it is. It makes setting up conference calls tricky. If the US did away with DST, I feel that we would set a new standard for the world to follow, and this arcane system would fall away.

I urge everyone to contact their congress critters and ask them to set aside this folly of DST.


5

Mar

Microsoft Exchange

Posted by mckinleytabor  Published in Service Review, Software Review

Exchange is Microsoft’s “Messaging and Collaboration” server. In plain English, Exchange is the server which an office can use to receive e-mail and share address books and schedules with each other. It is quite possibly the single best product offered by Microsoft, and the one that works most reliably.

Most people think of e-mail in the POP3 dial-up ISP model. They open up their e-mail program and “download” messages from the internet to Outlook Express or Mail.app. Of course, anyone who has tried to use the same e-mail address from the office and from home knows the great limiting factor. If you download a message at the office, you won’t have access to it at home, or vice-versa. There have been several “hacks” over the years to try and get around this, the most notable one being “leave a copy of mail on server”. But here you are forced to sort through mail that you may or may not have read, and you do not have access to messages you may have already sent, or that you were in the process of writing. The final great downside to this style of e-mail is that you must have an e-mail program configured for each place you may want to get your mail. For most business professionals this turns out to be 3 places: office, home, laptop.

One way of addressing these problems has been the rise of web-based e-mail: yahoo.com, hotmail.com, and gmail.com. While these fix most of the problems with the POP3 model, they still have a few serious drawbacks. Chief of which is that they are not corporate e-mail systems. You lose the professional face of joe.user@mycompany.com in favor of finding an awkward e-mail address with the service, juser-mycomp1977@gmail.com. I cannot overstate how deeply unprofessional it is for me to get a business card with an “@aol.com” or “@gmail.com” address. There are again “hacks” to make web-based systems look more corporate, but these systems are still “single user” and thus sharing your data across the office is not easily done.

Enter Microsoft Exchange. Exchange has solved the problem of multiple locations (work, home, road), and the problem of installed software (Exchange can be accessed from either Outlook or via a web browser). Exchange also has the advantage of being a corporate e-mail system (i.e. @mycompany.com), and allowing each user of the server to share out his or her address book and schedule so that other people in the office know what’s going on. Except for answering the phone, it’s about the only communication service/server you will ever need.

Exchange also has a mobile e-mail access feature which is exactly like the ubiquitous Blackberry, but without the ridiculous Blackberry costs. Microsoft calls this “Push Email”. A message sent to joe.user@mycompany.com not only shows up in Joe’s Outlook Inbox, but a copy is also sent to his Windows Mobile phone. If he reads the e-mail on his phone, the message is marked as read when he sits down at his computer. If he replies to the e-mail from his phone, then the reply is also in his Outlook folders for him to refer back to.

In fact it is the sync of Exchange that is its greatest virtue. No matter where you use it from, Mobile, Outlook, Office, Home, or via the Web, it always looks the same, has the same messages, and the same read/not-read statuses. The Contacts and Calendars are the same. In fact address books and schedules are automatically synced to your cell phone over the air. This means that if you enter an address in Outlook it will be on your phone (no more trying to type in a name and number on the keypad). If you run into someone and schedule a meeting while waiting in line at the post office, you can put that meeting right into your cell phone and then it will show up at the office. No need to plug your phone in to your computer, it just works.

Exchange is not at all expensive. A typical small office can have all of the virtues of Exchange for less than $1500. There are some additional “data plan” costs from the cell phone provider if you want to use Push e-mail, but those are only $10 to $15 a month depending on carrier, where Blackberry services can be $50 per month in total or more. Of course your office will also have to have internet access via broadband.


© 2008 The Tabor Consulting Group is proudly powered by WordPress
This work by McKinley H. Tabor is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.