Via Securosis I followed a link to a detailed article on laptop security. I think everyone should read this article, even if you’re not of a mind to go to these technical lengths to protect your device from an attacker. Props to the author for also mentioning browser-borne attacks, as I feel most common users are far more commonly catching their own trojans and keyloggers during their own use than any attacker trying to put one on physically.
The steps themselves may seem over-the-top (they fall in the scope of the article title!), but I definitely have to stop and think that there are people who have an expensive laptop as their only device, and they have work/personal stuff on there that is worth money to them and maybe to other people. Me, I probably would write off a stolen laptop, take mental inventory of what I have lost data-wise, and assume that the thief is not someone looking to steal my identity or leverage my browsing history to start SEing me. Honestly, the chances of that happening (and happening to me!) is exceedingly slim. Not because I’m impervious, but because the “common laptop thief” here in Iowa is just looking for a computer to use or to liquidate as quickly and safely as possible. They’re not going to whip out the cold boot attack or boot-loaded keylogger. (How come we don’t delve into wallet security quite as extravagently as laptops? Or home security?)
I also have multiple devices, and partly because of the need to use them all, I don’t have my important stuff stored in just one place on an easily-stolen device (ok, that’s arguable, but you have to get into my apartment…).
Some of this position is certainly influenced by my enterprise experience. To a business, writing off a laptop expense is nothing compared to the expense of losing a laptop with client-sensitive information stored in the clear on it. Or the loss of the common local admin username/password. Or VPN credentials. The only scalable solution is to make such device loss a simple hardware cost that a business isn’t even going to blink twice about.
I will say, though, I still like the idea of a protected USB key as a complement to laptop devices. And I’ve long since lost any skill I had at creating and maintaining one. */me marks that down as a rainy day project this fall.*
One thought on “for the technically proficient, an article on laptop security”
I’m kinda with you — the physical laptop should be a write-off. Yes, you can install a dummy OS with software to help you track it back down again, but why bother when you have insurance? As you say, the hardware is trivial compared to the data on the system, at least in the kinds of applications where the level of paranoia in this article are justified. Seems better to me to just have Truecrypt (or the Linux equivalent) boot to a screen that says “If found, call XXX-XXXX”. That’d make it a bit harder to fence at the pawn shop. I’m not knocking his idea, though — he seems more like one of those guys who is doing it just to see if he can, which is a fun way to learn things.
I’m definitely no expert on this but, candidly, I would think that once you have whole disk encryption on your system, the last thing to worry about is someone dipping your RAM in liquid nitrogen and extracting your keys. A hardware keylogger is much easier (and frankly, harder to detect, unless you regularly disassemble your laptop and know what every component should look like), and barring that, the kinds of people who would go to the lengths of cooling your laptop with liquid nitrogen to get at your key are the kinds of people who would be happy to get your personal thoughts on whether waterboarding is torture, over and over again, until you remembered your password. If you did the thumbdrive trick and “lost” your keyfile, I imagine the attackers would make the last 12 hours of your life such that you’d wish you hadn’t. But I suppose that level of paranoia is only rational with people who are willing to die to keep a secret secret.
Comments are closed.