France and secure communication
In the very country that still restricts the use of cryptography?
French newspaper L'Express has published a memo it says comes from Christophe Chantepy, chief of staff to French prime minister Jean-Marc Ayrault, and which recommends French cabinet ministers stop using smartphones for phone calls because they are not secure. The paper's report includes three images of the memo, one for each …
Cligg you should have added that all content is written in "Verla". (Not sure how to spell that word, please read on to understand why.)
For the unwashed masses: Verlan is a technique in which the French reverse all of the syllables in a word.
The word Verlan is actually the word "l'enver" in reverse = "len" + "ver" = "ver" + "len" = "verlan" (Yes, they do change some of the spelling as well, but it is more of a verbal thing than a written one).
The word "l'enver" actually means Reverse or Backwards.... All very clever really.
"Et les keufs et les meufs dans le RER, la banlieue c’est pas rose"
> Verlan is a technique in which the French reverse all of the syllables in a word.
So you're advocating that politicians speak in incomprehensible ways? A fine tradition that already goes back 40 or 50 years. (Though, admittedly, one that American presidents seem to be particularly good at, so maybe they would understand what was meant - even if it boggles the rest of humanity.)
However, considering that we're talking about keeping comms safe from American spies, surely all that's needed to confound and confuse them are a few kg's, cm's and the odd è or é scattered through the text.
"In the very country that still restricts the use of cryptography?"
The use of cryptography is not restricted in France. The importation or exportation of crypto tools by businesses may be subject to declaration or authorization (depending on the tool). That's in line with EU "law" (p'tew) so the UK probably has something similar in place. Prior to 1996 it was different though, businesses had to declare the use of crypto keys 128-bits or longer.
ElReg...Pierre, I know that France liberalised the use of cryptography in the '90s. But having to declare or getting authorisation for its use is something I still see as a restriction. Can't remember having ever had to register the use of any crypto devices in other countries though.
"But having to declare or getting authorisation for its use is something I still see as a restriction."
AFAIK only the importation is regulated (declaration or authorization), not the use. Again, that's the direct application of an EU directive (strong auth. is considered "dual use", i.e. potentially used for military applications as well as civilian ones), so I think most EU countries have similar "restrictions". Of course it only applies to businesses anyway (in France and elsewhere), and only once per tool (GPG for example has been declared once, so a business "importing" it, or exporting a product using it, need not declare anything).
You are 9 years late :-)
Since 2004 anyone can freely use cryptography; restrictions are about import and export of cryptographic means.
Most big commercial companies I have worked with require you to change your password every 90 days.
So you can never remember what it is this month, and end up going for something like your car reg number plus an extra letter that you increment every quarter. It's marginally more secure than a post-it...
Anon, obviously :)
And passwords on privileged accounts every 30 days or less.
Not sure that many companies I've worked for actually abide by their own rules, however. For most companies, it looked like this was in the policies merely to satisfy an audit requirement.
Imagine having to change all the passwords on all your routers, intelligent switches, management consoles, data appliances - well anything that has a password that protects a configuration basically! I'm sure that most companies don't really know the scope of the problem.
The French parliament and the Gendarmerie already both run on Ubuntu:
http://www.businessweek.com/stories/2007-03-12/french-assembly-picks-ubuntu-pc-linuxbusinessweek-business-news-stock-market-and-financial-advice
http://www.ubuntu.com/products/casestudies/french-national-police-force-saves-2-million-year-ubuntu
I live in France, so I read the 3 pages in French.
Passwords: they didn't say "use a separate password for each application". Changing every month is stupid, that's been debunked many times. Changing every 6 months is probably about right.
The papers distinguish between secret and confidential. Secret gets its own treatment. For confidential, use a landline. You don't need to encrypt on a desktop PC - it's not mobile. But you must encrypt on anything that can be lost or stolen. Lots of organizations should have that rule!
Don't plug anything mobile into your desktop box, even just to charge it. Says a lot about the chaos you can do to a PC if you can corrupt someone's smartphone...
Generally I would say that the memo is basic common sense.
who is head of the Agence nationale de la sécurité des systèmes d'information, he said "before I took this job, I thought you were all paranoid sensationalists" (he was speaking to a roomful of tinfoil-hat wearing cyber/crypto people in Brittany)… he continued…"now I've been in this job a few weeks I apologise as I now realise that you aren't paranoid, just realists"
this was in 2009
plus ça change, plus c'est la même chose
Here's a little conundrum. How do you check if someone has left their password in an insecure place without visiting their desk/office and going through their stuff?
Worst thing I see is people used to being worn down by 30-day changes bringing their coping techniques (post-it notes, list in workbook) here. We don't force such frequent changes because I find that just encourages people to put it somewhere quick to access, or to increment or recycle a few passwords. Yes, I know reuse can be mitigated to some extent by policy, but there will be written words in the office somewhere and most likely one or more will be passwords, close to hand or in the bin.