Via Securosis I followed a link to a detailed article on laptop security. I think everyone should read this article, even if you’re not of a mind to go to these technical lengths to protect your device from an attacker. Props to the author for also mentioning browser-borne attacks, as I feel most common users are far more commonly catching their own trojans and keyloggers during their own use than any attacker trying to put one on physically.
The steps themselves may seem over-the-top (they fall in the scope of the article title!), but I definitely have to stop and think that there are people who have an expensive laptop as their only device, and they have work/personal stuff on there that is worth money to them and maybe to other people. Me, I probably would write off a stolen laptop, take mental inventory of what I have lost data-wise, and assume that the thief is not someone looking to steal my identity or leverage my browsing history to start SEing me. Honestly, the chances of that happening (and happening to me!) are exceedingly slim. Not because I’m impervious, but because the “common laptop thief” here in Iowa is just looking for a computer to use or to liquidate as quickly and safely as possible. They’re not going to whip out the cold boot attack or boot-loaded keylogger. (How come we don’t delve into wallet security quite as extravagantly as laptops? Or home security?)
I also have multiple devices, and partly because of the need to use them all, I don’t have my important stuff stored in just one place on an easily-stolen device (ok, that’s arguable, but you have to get into my apartment…).
Some of this position is certainly influenced by my enterprise experience. To a business, writing off a laptop expense is nothing compared to the expense of losing a laptop with client-sensitive information stored in the clear on it. Or the loss of the common local admin username/password. Or VPN credentials. The only scalable solution is to make such device loss a simple hardware cost that a business isn’t even going to blink twice about.
I will say, though, I still like the idea of a protected USB key as a complement to laptop devices. And I’ve long since lost any skill I had at creating and maintaining one. */me marks that down as a rainy day project this fall.*