10.5: Insure that Time Machine runs on FileVault accounts
Authored by: Alrescha on Nov 29, '07 01:04:39PM

noworryz:

"The worst thing to do is to leave the FileVault user logged in while transporting a laptop to its home site for USB disk connection and backup. If the laptop is lost during transport, the FileVault directory is left unencrypted and accessible by an admin user."

You keep saying this, but for most laptop users another 'admin user' is a non-existent problem. I think that for most people, there is little appreciable security difference between a locked screen and being logged out (and a big difference in convenience).

A.



10.5: Insure that Time Machine runs on FileVault accounts
Authored by: noworryz on Nov 29, '07 03:38:33PM

By that argument, there is no reason to use FileVault at all because all admin users can be trusted.

The fact is, if you are logged in, your home directory is in a mounted, unencrypted state. Just imagine if a laptop containing medical or financial data for thousands of people was stolen and the user was left logged in. What would be announced to the media: "no need to worry, the drive was fully encrypted, but actually, due to laziness, it was left in an unencrypted state, but probably nobody can unlock the screen or log in, although quite a few people know the admin password, come to think of it, and maybe the firewall wasn't enabled, we're not sure?!"

There is a saying in the security biz that convenience trumps security. Your comment embodies that principle.


