The other day, I got myself a new laptop, all is well and good with it running Ubuntu Dapper.
I saw an article in Linux Format about encrypting the hard drive. I did follow it closely, but was unable to make it work. This was probably due to me trying to encrypt / instead of something like /home so I gave up. But I do wish to try again. I've just downloaded OpenSUSE 10.1, which gives the option to encrypt during the installation.
It [the OpenSUSE install] seems to work pretty well, especially if you're just a single user, you can set a nice long password for /home, and it will ask for the passphrase during start-up, which I was very happy with. But it's got me wondering.
Exactly how secure is this? Let's say I can use either OpenSUSE 10.1 or Ubuntu Dapper .. Say someone steals my laptop. Is it possible they will ever get hold of my data (ie. decrypt it)? Should I be encrypting more than just /home? (I was thinking about /tmp -- but I don't want to keep entering in loads of passphrases on every boot). Is it possible to encrypt / at all? That would be very handy, then it's just one passphrase, and I know that everything is secure, but I know I can expect a performance hit with this (which is not important).
Cheers, Richard.
On Sat, May 13, 2006 at 07:02:11PM +0100, Richard Brooklyn wrote:
> Exactly how secure is this? Let's say I can use either OpenSUSE 10.1 or Ubuntu Dapper .. Say someone steals my laptop. Is it possible they will ever get hold of my data (ie. decrypt it)? Should I be encrypting more than just /home? (I was thinking about /tmp -- but I don't want to keep entering in loads of passphrases on every boot). Is it possible to encrypt / at all? That would be very handy, then it's just one passphrase, and I know that everything is secure, but I know I can expect a performance hit with this (which is not important).
Does your laptop not have IDE disk password support? This can effectively lock an IDE disk until you supply the correct password.
From what I've read this means the only way to get the data off would be to take the disk to a data recovery expert or certain government departments that may or may not exist ;)
Anyone trying to boot one of the laptops here will end up with a screen with my email address and phone number and be asked for a password. If they can't unlock the disk I guess they can throw it in the bin and replace it, but of course I've also got passwords on the BIOS of the laptop so they'd have to dismantle the laptop to reset the BIOS passwords there too. All designed to annoy people who might want my laptop and to increase the chances I might see it again (and at least the data is /reasonably/ safe). Of course, there might be other traps on this kit too ;)
Thanks Adam
On Sat, 2006-05-13 at 19:54 +0100, Adam Bower wrote:
> Does your laptop not have IDE disk password support? This can effectively lock an IDE disk until you supply the correct password.
Yeah, it has this... but getting around that would be pretty easy I would think. It's like unlocking a mobile phone, it's trivial for the people who know how (and there are plenty of people who know how). Same with a BIOS password. With encryption, the data itself would be much safer.
It's not like I've got anything there of national security or anything, but that's not the point... It's my data, and I want it safe, y'know?
> Anyone trying to boot one of the laptops here will end up with a screen with my email address and phone number and be asked for a password. If they can't unlock the disk I guess they can throw it in the bin and replace it, but of course I've also got passwords on the BIOS of the laptop so they'd have to dismantle the laptop to reset the BIOS passwords there too. All designed to annoy people who might want my laptop and to increase the chances I might see it again (and at least the data is /reasonably/ safe). Of course, there might be other traps on this kit too ;)
Having the e-mail and phone number on the main screen is pretty neat. I don't think my laptop has this, sadly.
Regards, Richard.
On Sun, May 14, 2006 at 08:20:07AM +0100, Richard Brooklyn wrote:
> On Sat, 2006-05-13 at 19:54 +0100, Adam Bower wrote:
> > Does your laptop not have IDE disk password support? This can effectively lock an IDE disk until you supply the correct password.
> Yeah, it has this... but getting around that would be pretty easy I would think. It's like unlocking a mobile phone, it's trivial for the people who know how (and there are plenty of people who know how). Same with a BIOS password. With encryption, the data itself would be much safer.
No, it's far more secure than unlocking a mobile phone. To unlock a locked disk you need to /really/ know what you're doing and there aren't that many people who are capable of doing it. The support is built into the disk and the passwords are saved on the physical disk, and you can't bypass it, as when the disk spins up it reads the password-protected area and won't do anything else until you supply the password. Even swapping the platters into a new disk won't work, as it'll start up, see the disk is locked and ignore you until you supply a password.
I'm not using it as my only line of defence; this will stop 99.99% of your common thieves and give you a much greater chance of getting the laptop back. If you rely on encryption at the OS level then your stolen laptop will have its disk wiped and a pirate copy of Windows XP installed on it and be resold within days.
The whole point of this system is that it will cost the thief money to go and buy a new hard disk and then dismantle the machine to reset the BIOS (and it is very unlikely he will have this knowledge), more likely he will end up selling it to a mate for a fiver and it will get broken for parts or the whole lot will end up on eBay where I'll notice it and call the cops ;)
What it does is reduce the value of stolen laptops quite heavily. If everyone did this then it'd make stealing laptops "a bad idea (tm)", as it'd cost a good percentage of the laptop's value to get it sorted, which would make it much less unattractive to the criminals.
Thanks Adam
On Sun, 2006-05-14 at 09:19 +0100, Adam Bower wrote:
> No, it's far more secure than unlocking a mobile phone. To unlock a locked disk you need to /really/ know what you're doing and there aren't that many people who are capable of doing it. The support is built into the disk and the passwords are saved on the physical disk, and you can't bypass it, as when the disk spins up it reads the password-protected area and won't do anything else until you supply the password. Even swapping the platters into a new disk won't work, as it'll start up, see the disk is locked and ignore you until you supply a password.
That's neat... I'll turn that on as well. I kinda figured it would be dead easy to bypass that, but what you write makes a lot of sense.
Thanks for the advice. I still want to encrypt things, longer term. But this gives me peace of mind for the meantime...
Regards, Richard.
On Sun, 2006-05-14 at 19:36 +0100, Richard Brooklyn wrote:
> That's neat... I'll turn that on as well. I kinda figured it would be dead easy to bypass that, but what you write makes a lot of sense.
> Thanks for the advice. I still want to encrypt things, longer term. But this gives me peace of mind for the meantime...
Adam's laptop is a Thinkpad, isn't it?
If that's the case then the built in Bios/Disk security is pretty strong. The laptop is almost completely useless without a replacement chip or a very convoluted method to reset the secure identifier (which I am NOT going to post on a mailing list).
Reusing the drive isn't trivial either.
Not saying it's unbreakable, but it's a very very good first step.
On Tue, May 16, 2006 at 11:33:32PM +0100, Wayne Stallwood wrote:
> Adam's laptop is a Thinkpad, isn't it?
I have a Thinkpad, Kirsty has a Dell which also has password protected disk security.
> If that's the case then the built in Bios/Disk security is pretty strong. The laptop is almost completely useless without a replacement chip or a very convoluted method to reset the secure identifier (which I am NOT going to post on a mailing list).
> Reusing the drive isn't trivial either.
> Not saying it's unbreakable, but it's a very very good first step.
Yup, applies to both the Thinkpad and the Dell, of course the Thinkpad is a bit more convoluted than the Dell but both are an excellent first step toward discouraging people from nicking laptops.
Thanks Adam
On Tue, 2006-05-16 at 23:53 +0100, Adam Bower wrote:
> Yup, applies to both the Thinkpad and the Dell, of course the Thinkpad is a bit more convoluted than the Dell but both are an excellent first step toward discouraging people from nicking laptops.
Except of course a lot of thieves are stupid. They won't realise that you've locked it down until they have nicked it, at which point they will just dump it or sell it to someone who has the facilities to get rid of the password.
I get your point though, if every laptop manufacturer did this as well as IBM and pretty much enforced the security out of the box then we would see less laptop theft. Trouble is, given people's tendency to forget login credentials, I am guessing this would cause a lot of support headaches.
Actually I think Thinkpads have the best anti-theft defence, they often look (to the untrained eye) a lot older than they are (because the design hasn't really changed much from about 1995). Put a nice IBM T series next to a shiny silver Packard Hell and I'll bet the Packard gets nicked first (good riddance too, but that's a personal opinion).
On Wed, May 17, 2006 at 12:47:39AM +0100, Wayne Stallwood wrote:
> I get your point though, if every laptop manufacturer did this as well as IBM and pretty much enforced the security out of the box then we would see less laptop theft. Trouble is, given people's tendency to forget login credentials, I am guessing this would cause a lot of support headaches.
That's sorta my point, if *everyone* did this then it would make nicking laptops a pointless crime without adding a threat of "give me the password or I'll cut ya" which gets you a good few more years in prison. It also means your average thief won't get access to your data (but you run Linux anyway, they won't even have a clue) so there isn't much of a problem.
Although, data leakage is an interesting problem given that my "new" camera turned up today from Watford Electronics/Savastore.com which was supposed to have "missing or damaged packaging" as soon as I got it I suspected something was wrong and ran Photorec ( http://www.cgsecurity.org/photorec.html ) on it and found that the previous owner had recorded a picture of his/her baby and a very short video of their baby attacking the packaging of the camera.
Don't you just love data recovery software. If I'd not managed to hit the video record button with the original memory card in I might have got some more data off the card.
Thanks Adam
On 17-May-06 Adam Bower wrote:
> Although, data leakage is an interesting problem given that my "new" camera turned up today from Watford Electronics/Savastore.com which was supposed to have "missing or damaged packaging" as soon as I got it I suspected something was wrong and ran Photorec ( http://www.cgsecurity.org/photorec.html ) on it and found that the previous owner had recorded a picture of his/her baby and a very short video of their baby attacking the packaging of the camera.
Reminds me of the time (bearly 15 years ago now) when I wandered into a Dixon's looking around for a fax machine.
Saw what looked like a good one on offer -- "Display Model". Had a look at it, seemed OK, bought it.
When I got it home and was setting it up, I saw that it had a phone number on it (as the number it gives out for "Fax From"). So I rang that number and found its previous owner, who had returned it "because it didn't work".
In fact the reason it didn't work was that the transparent platen through which the document is scanned was stained with streaks of Typex (? Tippex). Where had that come from?
Well, above previous owner had been through the same experience as me -- found a number on it and phoned it, and found himself talking to the previous previous owner who'd also taken it back for some reason! Hadn't sussed out the problem though.
Once I cleaned the platen it worked fine, and works fine still!
Not to mention a guy who posted a Word doc as an attachment to a mailing list I'm on. You can usually get the gist of a Word doc by running 'strings' on it. But then you get all textual material in the file, not just what Word would show you if you opened it in Word. In this case there was a residue from some previous version which included an embarrassing excerpt from an exchange with the Police ... Beware Fast Save!!!
Best wishes to all, Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 17-May-06 Time: 07:26:57
------------------------------ XFMail ------------------------------
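
A check an author can run on their own file before posting it, given as an added example that is not part of the thread: it pulls printable runs out of the raw bytes in both single-byte and UTF-16LE form (a scan that only looks for single-byte text misses the latter) and lists any that are not in the text the author expects to be visible. The function names, `VISIBLE` and the `SAMPLE` bytes are constructed for illustration; `SAMPLE` is not a real Word file.

```python
import re

MIN_LEN = 6  # shortest run reported, in characters

# Printable ASCII stored one byte per character.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Printable ASCII stored as UTF-16LE: each character is followed by a NUL byte.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in data."""
    found = []
    for m in ASCII_RUN.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def residue(data: bytes, visible_text: str) -> list[str]:
    """Strings stored in the file that are absent from the text the author sees."""
    return [text for _, _, text in extract_strings(data)
            if text not in visible_text]


# Constructed sample: the text the author sees, followed by leftover
# text from an earlier revision stored as UTF-16LE.
VISIBLE = "Minutes of the committee meeting"
SAMPLE = (
    b"\xd0\xcf\x11\xe0" + b"\x00" * 8
    + VISIBLE.encode("ascii") + b"\x00\x01\x02"
    + "Draft paragraph deleted before sending".encode("utf-16le")
    + b"\xff\xfe\x00\x00"
)

if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:6d}  {encoding:9s} {text}")
    print("not in visible text:", residue(SAMPLE, VISIBLE))
```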