
Laptop security: Apple vs. [Insert name here] - huydotnet
OK, let me tell you my story:

My Mac was stolen, and I used Find My Phone to lock it immediately. A week later, the thief opened the device, and I'm sure he couldn't access it.

After two weeks, I lost hope, sure I wouldn't be able to get it back, so I decided to activate the Eraser.

Just an hour ago, I received the notification that the device erasing process has started.

I lost my device and all my data, but not my privacy. And I found on Apple support forums that the device will remain locked as long as it is still listed in my Find My Phone.

Now I'm planning to buy an x220 and get back to Linux. I was wondering how I can secure a Linux laptop and make it (somehow) harder for the thief to access my stolen device, just like Apple did.

Do you have any experience with this? Do you mind sharing?
======
ePierre
Long-time Ubuntu user here.

The solution to your problem is data encryption. On Linux, there are different
levels of data encryption, whether you want to encrypt the whole hard drive or
only the /home partition (where all of your private files will be stored).

The ArchLinux Wiki has a very detailed page [1] about all the available
options for disk encryption.

Regarding Ubuntu, when you install it on your system, it will ask if you want
to encrypt your /home partition [2] or your whole disk [3].

I got my laptop stolen in France last summer, and as much as this was a pain
in the ass, at least I didn't have to wonder if the thief had access to my
private data (photos, documents and the like) since the /home partition was
encrypted. Hell, the thief probably had a WTF moment when (1) he discovered it
was not a French version of Windows but an English version of Ubuntu running
and (2) when he discovered it was a Taiwanese laptop with this keyboard layout
[4]. Good luck to sell that on the French black market :)

[1]
[https://wiki.archlinux.org/index.php/Disk_encryption](https://wiki.archlinux.org/index.php/Disk_encryption)

[2] [https://www.howtogeek.com/wp-content/uploads/2012/06/ximage8...](https://www.howtogeek.com/wp-content/uploads/2012/06/ximage83.png.pagespeed.gp+jp+jw+pj+ws+js+rj+rp+rw+ri+cp+md.ic.Q3l_7oXwbw.png)

[3] [http://www.tecmint.com/wp-content/uploads/2016/02/Ubuntu-16....](http://www.tecmint.com/wp-content/uploads/2016/02/Ubuntu-16.04-Installation-Type.png)

[4]
[https://c1.staticflickr.com/8/7501/16104079539_00c39c200d_b....](https://c1.staticflickr.com/8/7501/16104079539_00c39c200d_b.jpg)

------
richardjs
Sorry for your experience.

One standard approach is to set up full disk encryption. A common setup would
encrypt every partition but your /boot partition, so a thief would be unable
to access your system if it were powered off. (If you're especially cautious,
you can do tricks to protect your /boot partition too, to guard against
tampering, but that's beyond the scope of protecting against theft.)

The catch is if the thief steals your powered-on laptop, the system's still
decrypted (meaning, the decryption key is still in memory). I'd guess locking
your machine is a partial guard (and is what I rely on), but I'd be interested
in learning if there's a better method of protection.

ArchWiki has a pretty good overview:
[https://wiki.archlinux.org/index.php/Disk_encryption](https://wiki.archlinux.org/index.php/Disk_encryption).
I'm happy to try and answer any questions you have.

~~~
hackuser
A few questions:

1) > The catch is if the thief steals your powered-on laptop, the system's
still decrypted

I think the key distinction is if a laptop's storage is encrypted if it's in
some sort of sleep or lock mode. AFAICT most people's laptops are rarely
completely off; they either are fully on, asleep, or sometimes locked.

Solutions that secure data only when the laptop is fully off seem almost
useless to me; in practice the data rarely is encrypted. Do you know of
solutions that address this issue?

2) What about Self Encrypting Drives (SEDs), which encrypt at the hardware
level usually by using the industry standard (AFAICT) Opal?

[https://www.trustedcomputinggroup.org/storage-work-group-sto...](https://www.trustedcomputinggroup.org/storage-work-group-storage-security-subsystem-class-opal/)

3) File-level encryption, rather than volume level, would seem to solve the
problems in #1. Files are decrypted only when they actually are in use;
otherwise they are secured. Therefore on most systems, most data files are
secured most of the time. The problem is how to efficiently enter credentials
for every file, or every batch of files, the user opens: Type a password every
time? What about databases or email (e.g., stored 1 file/msg such as in
maildir)? Keep the key on a USB drive that must be inserted and, only when
first inserted, authenticated with a password?

Do you know of file-level solutions?

4) The problem with every solution is implementation. Security is very hard to
implement, and requires high quality execution to avoid exploits. How do I
know that the vendor did it correctly?

~~~
richardjs
I glossed over it a bit in my first post, but the data on the drive is
actually always encrypted. The system decrypts the data on the fly as it's
read into memory, and encrypts when it writes to disk again. This has less of
a performance impact than you'd think.

Also, just to be explicit on the user experience: when you boot the machine,
one of the first things the kernel does is ask for a decryption password. If
you cannot provide that, the system cannot boot further, because everything
but the kernel and bootloader (in /boot) is behind the encryption.

1) So as described above, the storage is always secure, regardless of whether
the machine is on or not. The rub is that when the machine is in use, the
system is actively performing this decryption/encryption. I'm not an expert on
the technical side of it (and it probably differs between implementations),
but I'd imagine the OS keeps the decryption key in memory. This is
functionally an instance of the "it's got to be decrypted sometime" problem,
or a variation of the "analog hole" in DRM. At some point, the user will be
accessing a decrypted version of the data, and if the attacker is able to take
control at that point, he obtains the data.

Let's say I have an encrypted text file (on an unencrypted, regular system
setup). To write to or read the file, I need to decrypt it. Maybe a program
takes a password and opens a text editing window with the decrypted data. If I
care about the security of that data, I'm not going to leave that window open
unless I'm actively using it. I understand that if I leave that window open
and someone walks by my machine, they'll be able to see the contents, because
I left the data in a decrypted state. But I need to have that window open
_sometime_ , because I need access to the file myself. It's the same situation
with full disk encryption--at some point the data will be decrypted for
legitimate use (in FDE's case, only in memory, but still decrypted), and it's
up to the user to protect it during those times.

If you lock your machine (using xscreensaver, slock, etc.) and set it to lock
when waking from sleep (and whenever else), the attacker must circumvent the
lock program before he can access the machine. Ideally this would not be
possible (a lock program that lets someone access the system without the
password is not a great lock), but there's always the possibility of some
vulnerability.

Alternatively, you can always hibernate your machine instead of sleeping it.
Hibernate writes the contents of memory to disk and shuts the machine off.
When booted back up, the kernel finds the hibernated memory and seamlessly
resumes from where you left off. If you set it up properly, the system will
write the hibernated memory to an encrypted partition, so the session cannot
be resumed without the encryption key. The downside is you have to type the
encryption key every time you resume, and my encryption password is a good
deal longer than my normal user account password.

In my own practice, if I'm leaving my laptop at a place I'm more worried about
theft, I'll hibernate it. In normal use, I'll sleep it and rely on the lock
program. Like I said in the earlier post, though, I'd love to hear if anyone
has a better approach, or even an analysis of the security of some common lock
programs.

2) I have no direct experience with SEDs, but I'm under the impression they
decrypt the entire drive when powered on and the password is entered. Or else,
they do the same on-the-fly operations I described above. As such, they would
be vulnerable to the same attacks as above. Their advantage is transparency to
the operating system and better performance. Also see Wikipedia's description
of some of their vulnerabilities: [https://en.wikipedia.org/wiki/Hardware-based_full_disk_encry...](https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption#Vulnerabilities)

3) FDE essentially answers the "how to efficiently enter credentials" question
with "at the start, when you first mount the partition" ;). Aside from that,
file-level encryption solutions definitely exist, and are commonly used. You
can encrypt arbitrary files with the openssl command, and many sensitive files
(such as SSH keys) have encryption built into their standard usage (SSH key
passphrases). Even when running FDE, I keep a passphrase on my SSH keys,
because there's nothing stopping a rogue program from grabbing them during
normal computer use. I'd encourage any other extremely sensitive files to have
their own protection. To quote tptacek, "FDE does basically one thing for you:
it reassures you if your laptop is stolen from the back seat of your car or
left in a cab." [1]. Other steps need to be taken to run a secure system.

However, I don't know of a file-level encryption solution that functions
exactly as you describe. It would be tricky to implement, for the reasons you
described, and others. For example, background programs write to the disk too,
and sometimes what they write contains sensitive data. Are you going to enter
the key periodically for their use too? And will all these programs play nice
with the (comparatively) huge blocking times when writing while you type in
the key?

4) Of course, that's the question with any security solution. Many of the
Linux solutions are open source, so that's at least a plus, but certainly not
any guarantee of security. Short of being a security professional capable of
auditing the complete source, you have to rely on project reputation,
recommendation, and (ideally) someone else's audit. I'm sure lots of people
would like a better answer to this question!

Hope that all helps!

[1]
[https://news.ycombinator.com/item?id=9069669](https://news.ycombinator.com/item?id=9069669)
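One way to verify the layout richardjs describes on a LUKS/LVM Linux install, as an added example that is not part of his post: the script below walks the parent chain of each mountpoint in the output of `lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME` and reports whether it sits on top of a dm-crypt device, so you can confirm that both `/` and the swap device (where the hibernation image is written) are inside the encrypted container while `/boot` is not. It also checks the kernel command line for a `resume=` parameter, which is how many initramfs setups learn where the hibernation image lives; some distributions configure this in an initramfs config file instead, so a missing `resume=` is a prompt to check, not proof of a broken setup. The sample `lsblk` listing and command lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Audits whether a mountpoint is stacked on a
# dm-crypt device by walking lsblk's parent chain, and whether the kernel was told
# where to resume from after hibernation. Input is the text printed by
#   lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME
# so it can be run offline against captured output. SAMPLE below is constructed.

# encrypted_mount "<lsblk text>" "<mountpoint>"
#   prints "encrypted" (exit 0) if any ancestor device has TYPE crypt,
#   "plain" (exit 1) otherwise, "absent" (exit 2) if the mountpoint is not listed.
# lsblk -r separates columns with single spaces, so an empty column shows up as
# two adjacent spaces; FS='[ ]' keeps those empty fields instead of collapsing them.
encrypted_mount() {
    printf '%s\n' "$1" | awk -F'[ ]' -v mp="$2" '
        NF >= 2 {
            type[$1] = $2; parent[$1] = $4
            if ($3 == mp) dev = $1
        }
        END {
            if (dev == "") { print "absent"; exit 2 }
            for (d = dev; d != ""; d = parent[d])
                if (type[d] == "crypt") { print "encrypted"; exit 0 }
            print "plain"; exit 1
        }'
}

# resume_configured "<kernel cmdline>": exit 0 if a resume= device is set
resume_configured() {
    case " $1 " in
        *" resume="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: LUKS container on sda2 holding an LVM root and swap,
# /boot in the clear on sda1, plus an unencrypted USB stick on sdb1.
SAMPLE='sda disk
sda1 part /boot sda
sda2 part  sda
cryptroot crypt  sda2
vg-root lvm / cryptroot
vg-swap lvm [SWAP] cryptroot
sdb disk
sdb1 part /mnt/usb sdb'

# Constructed kernel command lines: one with a resume target, one without.
CMDLINE_OK='BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root resume=/dev/mapper/vg-swap quiet'
CMDLINE_BAD='BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root quiet'

for mp in / '[SWAP]' /boot /mnt/usb; do
    printf '%-9s %s\n' "$mp" "$(encrypted_mount "$SAMPLE" "$mp")"
done
if resume_configured "$CMDLINE_OK"; then echo "resume target set"; fi
if ! resume_configured "$CMDLINE_BAD"; then echo "no resume target: hibernation image cannot be found"; fi
```

On a live machine, feed it `"$(lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME)"` and `"$(cat /proc/cmdline)"`. Seeing `[SWAP]` reported as `plain` means the hibernation image would land on an unencrypted device and the whole session, keys included, would be readable from the powered-off disk.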

~~~
hackuser
Much appreciated; thanks.

I'd add one more item to the difficult-to-avoid vulnerabilities, file and file
system metadata. Otherwise a simple directory listing, for a user or a
background program, requires authentication.

My guess is that vulnerabilities like that, including the user access hole
that you describe so well, are the reason that modern OSes (e.g., on phones)
isolate most data so that it is accessible only to certain applications,
usually the app that created the data, instead of the old model of all
applications having access to (almost) all data. Even if for practical reasons
the application needs almost unlimited access to the data, at least you can
limit the attack surface to only that app and parts of the OS.

------
lorenzhs
Why an x220? That's a six-year-old device that predates many modern security
features. Secure Boot isn't evil, works just fine with Linux, and TPMs are
useful, too. But the most important thing to do is encrypt your drive, which
you can do with an x220 just as well (just make sure you get one that supports
AES-NI, I believe the ones with a Core i3 don't).

In any case, if you're coming from a MacBook, you're going to hate the x220's
display. It's atrocious, with terrible colours and brightness. It's also a
SATA2 device, so a modern SSD won't be able to reach anywhere near its full
performance. Unless your budget is around $200 I wouldn't recommend such an
old machine. But if you do go down that route, you might like r/thinkpad on
reddit. Plenty of people there who mod these old devices and have advice on
modernising them.

------
Loic
Side remark: All the methods exposed here require you to have a good
password. In my case, I am using a Yubikey set with a single long fixed
password on it + the normal password I can remember.

So, to login/unlock, I type in my password, plug the Yubikey and press the
button. This ensures I have a really strong password.

Because if your password is "1234password", all the provided solutions are of
no real use.

------
zhovner
The interesting part in Apple's FileVault (plus UEFI password) is a guest
access called Safari Only Mode. This mode starts a special macOS distro from
the unencrypted boot partition and allows running only Safari.app (also
Terminal.app). The main idea is that the thief logs in as Guest, connects to
WiFi, and you can locate your device in Find My Mac. But this mode just allows
you to trace the device via IP geolocation, since the MacBook never had a GPS
module like iPhones do, so this geolocation is not accurate enough and not
useful. You will just see the city or district located from the ISP. The really
useful information would be the WiFi AP MAC addresses (BSSIDs) located near the
stolen MacBook. Having this information, you can locate your stolen device
quite accurately and get it back!

But I can't add my custom shell script into Safari Mode because of macOS SIP
(System Integrity Protection), which I don't want to disable. Also, every major
update overwrites changes on the boot partition.

I would appreciate any help with this project. My goal is to build some kind
of Computrace for MacBooks that will be much more useful than the current Find
My Mac.

~~~
renaudg
>But this mode just allows you to trace device via IP geolocation since
macbook never had GPS module like iphones do, so this geolocation is not
accurate enough and not useful. You will just see the city or district located
from ISP.

That's not quite true. IIRC, even without a GPS module, macOS sends a list of
nearby WiFi APs to the geolocation API, which usually allows for a pretty
accurate response (the same you'd get on an iOS device indoors without GPS
reception)

~~~
zhovner
But I want to know the exact list of BSSIDs/SSIDs and the RSSI of each, so I
can go to this place and find the device by measuring the signal level of the
WiFi access points.

~~~
renaudg
This is exactly what the API uses to triangulate your position.

------
Intermernet
Have a look at [https://www.preyproject.com/](https://www.preyproject.com/)

Open source, cross platform.

~~~
anonova
This is pretty neat, but do note that the remote wipe feature as described by
OP requires a subscription:
[https://www.preyproject.com/pricing](https://www.preyproject.com/pricing).
But I suppose this isn't a huge issue if you're already using full-drive
encryption.

~~~
ianai
Those prices are nuts

~~~
angry-hacker
Why nuts?

~~~
ianai
$5/mo for something I may never use. It's not even offering replacement
insurance. I get all the music I want for double that (spotify) or all the
streaming (netflix).

------
peterwwillis
Set up your Linux laptop's filesystems to use LVM and LUKS encryption, and
just encrypt the whole darn thing. Works with hibernation, too. Here's
Slackware's simple guide:
[http://ftp.slackware.com/pub/slackware/slackware-14.1/README...](http://ftp.slackware.com/pub/slackware/slackware-14.1/README_CRYPT.TXT)

If you want to be super paranoid, add a keychain usb stick as a required key
to decrypt the filesystem so you get 2-factor authentication.

~~~
yjftsjthsd-h
> If you want to be super paranoid, add a keychain usb stick as a required key
> to decrypt the filesystem so you get 2-factor authentication.

If you do this, make sure to have a backup! Flash drives don't last forever,
and are easier to lose than a laptop.

------
cpbotha
Make sure you get a laptop with a self-encrypting SSD that supports TCG Opal.
This will give you maximum speed sector-level encryption. Read this post on my
nerd-blog: [https://vxlabs.com/2015/02/11/use-the-hardware-based-full-di...](https://vxlabs.com/2015/02/11/use-the-hardware-based-full-disk-encryption-your-tcg-opal-ssd-with-msed/)
(no ads, no referrals, really just info) which explains at a high level how
SSD-based encryption works.

The open-source msed tool has now been renamed to sedutil, see
[https://github.com/Drive-Trust-Alliance/sedutil](https://github.com/Drive-Trust-Alliance/sedutil),
but it still works the same way.

It would still be possible for a sufficiently advanced thief to secure erase
the drive (they need to know how to use TCG Opal to do that), but they will
never see your data.

~~~
fencepost
My list of SSD models that support built-in encryption, from a few years ago
when I was looking into them. Outdated and possibly incomplete, but a
reasonable place to start if you're not just going to pick up a Samsung Evo or
Evo Pro.

Samsung 840 & 850 drives (EVO and PRO)

Crucial MX100 and MX200, but NOT BX100

Sandisk X300s

Kingston KC300

OCZ ARC 100

OCZ Radeon R7

OCZ Vector 180

PNY CL4111

Intel 520 series (128-bit only? Old model)

Intel 530 series (old)

Intel 535 series

Intel 730 series

------
locusm
How does built-in disk encryption on OSX compare to 3rd party solutions?

~~~
pokemongoaway
Good question. I've not seen any serious technical analyses of the MacBook. So
far only that one must enable an option not to store the keys in memory if one
expects to remain secure when the computer isn't powered off.

------
vinay_ys
Choose a disk that supports Full Disk Encryption. Lenovo has this -
[http://www.lenovo.com/support/fde](http://www.lenovo.com/support/fde). This
way the encryption/decryption is done by the chip inside the HDD and there is
no OS security issue that can compromise the data or performance hit on the
main CPU. Don't forget to set the HDD password in the BIOS. Every time the
system boots, it should ask you for the disk password as the first step. If it
does not ask for the password, then you have not set it up right.

On the Linux OS itself, follow good personal security practices - use strong
password, use 2FA (see FIDO devices like YubiKey), disable unnecessary
services, install software downloaded from trusted, well-reviewed sources only
etc. If you did the HDD encryption above, there is no need to do filesystem
encryption again in Linux.

~~~
hackuser
> Choose a disk that supports Full Disk Encryption ... This way the
> encryption/decryption is done by the chip inside HDD and there is no OS
> security issue that can compromise the data or performance hit on the main
> cpu.

The parent is referring to Self Encrypting Drives (SED), AFAICT. I looked into
them a little recently, but I'm not an expert. Consider the following only a
starting point:

Beware that not every SED tech is equally secure; some are easily bypassed.
The industry standard, and the one I would depend on, is Opal. It usually
requires tools in the OS to activate, but I would be surprised if those tools
weren't available for major Linux distros.

[https://www.trustedcomputinggroup.org/storage-work-group-sto...](https://www.trustedcomputinggroup.org/storage-work-group-storage-security-subsystem-class-opal/)

Microsoft provides something called eDrive, which AFAICT (I looked at it
briefly) integrates Windows Bitlocker with SEDs.

> Lenovo has this

SED tech is a feature of the hdd/ssd, not the computer vendor. The BIOS has to
integrate with the SED but I think that is standard, at least in business-
class computers (but double-check before you buy!).

------
creshal
The X220 comes with CompuTrace and Intel Anti-Theft, which provide the same
features on Windows.

One big feature: They also backdoor any new Windows installations on the same
device, so if your hacker wipes or removes your hard disk, his new replacement
install will be bricked as well.

As such, step one will be hard disk encryption (as mentioned by others) so
thieves can't access your data. Step two, if that's not enough for you, is
activating either of the two anti-theft measures to brick the device if the
hacker tries to reinstall Windows.

------
cgarduno1
[https://github.com/cgarduno1garduno/Macbook-Security/blob/ma...](https://github.com/cgarduno1garduno/Macbook-Security/blob/master/README.md)

I found this issue a while back on Macbooks. I'll update my github soon with
more details and some images to demonstrate the process. I read this post and
I figured I could whip something together and see what people think.

------
lathiat
As long as you had FileVault enabled (& good password management), that's
basically all you needed.

Without FileVault, you can totally still access the laptop and data. Sadly
Macs do not have anywhere near the device protection that iPhones do - even
the new ones. But data encryption is what you need.

You can do that same in the installer for Ubuntu Linux. I personally prefer
the encrypt home directory option over the full disk option, but there are
trade-offs.

~~~
hackuser
> As long as you had FileVault enabled (& good password management), that's
> basically all you needed.

Does that protect your computer if it's asleep? My guess is most Macbooks are
either asleep or on 99% of the time.

~~~
cimnine
> You may wish to enforce hibernation and evict FileVault keys from memory
> instead of traditional sleep to memory:
    
    
      $ sudo pmset -a destroyfvkeyonstandby 1
      $ sudo pmset -a hibernatemode 25
    

> If you choose to evict FileVault keys in standby mode, you should also
> modify your standby and power nap settings. Otherwise, your machine may wake
> while in standby mode and then power off due to the absence of the FileVault
> key. See issue #124 for more information. These settings can be changed
> with:
    
    
      $ sudo pmset -a powernap 0
      $ sudo pmset -a standby 0
      $ sudo pmset -a standbydelay 0
      $ sudo pmset -a autopoweroff 0
    

See [1] for more macOS hardening tricks.

[1] [https://github.com/drduh/macOS-Security-and-Privacy-Guide#fu...](https://github.com/drduh/macOS-Security-and-Privacy-Guide#full-disk-encryption)

~~~
donza
Apple's own Best Practices doc for FileVault 2 is also useful read for those
interested:
[http://www.training.apple.com/pdf/WP_FileVault2.pdf](http://www.training.apple.com/pdf/WP_FileVault2.pdf)

------
bigbugbag
Thinkpads have BIOS options for full disk encryption (requires password to
decrypt at boot time) and boot password (requires password to boot).

------
grawlinson
My laptop was stolen last Friday.

I don't need to be concerned about the thief accessing sensitive documents as
I setup full disk encryption (dm-crypt & LUKS) with this kind of scenario in
mind.

The only negative I can think of is that I cannot make use of tracking
software like Prey due to the entire drive being encrypted. A trade-off that
I'm happy to live with.

~~~
lloeki
> The only negative I can think of is that I cannot make use of tracking
> software like Prey due to the entire drive being encrypted. A trade-off that
> I'm happy to live with.

You could have a separate, minimal OS as a honeypot.

------
deckiedan
Full Disk Encryption is the answer for you.

A side question (sorry):

So if you ever buy any mac device, will wiping it (reinstall from USB disk)
remove it from the Find My Phone system, or does the previous owner (if they
set it up) keep the option of locking the device remotely and holding it to
ransom?

~~~
evgen
The seller has to disassociate the device from their account or you have to
reset the PRAM. A simple wipe and OS reinstall will not be enough. If you are
doing an in-person sale you should insist that the seller login to the machine
with you watching, go to the iCloud pref panel and show that Find My Mac is
turned off and the system has no associated iCloud account. Since having the
device still associated with their account would give you access to their pics
et al this is probably a good idea for the seller as well.

------
Razengan
I remember seeing apps that silently take photos with the webcam and upload
them to a location only you can access, every time someone opens the laptop's
lid and at regular intervals. May even be trivial to write such an app.

------
mekpro
If remote wipe is not possible in Linux, maybe we also need a feature to
automatically "destroy all data" when the laptop hasn't been logged in to for
too long.

~~~
JohnJamesRambo
What could possibly go wrong?

------
outericky
Can't comment on Linux - but curious if the location was discovered as well if
the erase process had started? And if so, did you report it to the police?

~~~
huydotnet
The erase process started, but the location was not found. Actually, I didn't
activate location access on that device, sadly, I didn't think it could be
stolen :( And yes, I did report it to the police when I lost it, but without the
location tracking, it's hopeless.

~~~
otoburb
Something similar happened to me with an old location-enabled iPad. The iPad
was showing up in a different country, and I was flummoxed on how to proceed
as I didn't feel my local police department was going to follow up with a
separate country.

~~~
huydotnet
True. In my case, I think the thief already sold it to another guy. Poor him,
he's got a locked Mac right now.

------
askvictor
Intel's management engine can do this sort of thing (at a level below the
BIOS), but I think it can only be activated as part of enterprise tools.

------
znpy
There was once this thing called anti-theft or computrace... I remember having
a sticker on my Vaio about that.

What was it? Was it any useful?

------
ForFreedom
Is there a way to encrypt the HDD, with an option like the Mac's "Find My
Phone" remote erase, on Windows 10 on a Dell?

