
What if I lost my laptop? - Murkin
http://blog.itlater.com/what_if_i_lost_my_laptop/
======
MattRogish
Does setting a Mac OS X (10.8) FileVault full-disk encryption + strong password
obviate most/all of those issues? I have been somewhat cavalier when it comes
to laptop security because of that...

~~~
nvr219
I would recommend using TrueCrypt volumes so you can open them on machines
other than OSX.

~~~
aroman
That really doesn't offer feature overlap with FileVault2's full disk
encryption. Though using TC is a great alternative for specific disks and
folders -- not an entire system from preboot through log-in.

~~~
jonknee
TC can do full disk encryption, but unfortunately not on Mac.

------
guylhem
So basically, you didn't lose it. Good for you.

Yet using full drive encryption + daily backups (or dropbox or google drive or
whatever webfs) + having a spare machine at home (so that you can spare the
trip to a computer store and have a machine readily configured) is necessary
if you are a professional.

You seem to have underestimated this last point, with your estimation of a
full day to have a new one ready.

Having a machine set up and ready can sure take hours - which might _not_ be ok
if you have a client waiting. Also, anything else may happen (car broke down,
computer shop closed / out of computers). I have noticed that when bad things
happen, they tend to spiral out until sh*t hits the fan.

Your $1k is a lowball estimate. Better have a spare one ready and waiting for
you.

~~~
Murkin
There is a difference between a machine that is ready to help a client and one
that has all my favorite xmonad hot-keys set up.

Now a web-based ssh is enough to do 99% of the work.

But true comfort takes time.

~~~
jonknee
> There is a difference between a machine that is ready to help a client and
> one that has all my favorite xmonad hot-keys set up.

Only if you don't take the few minutes to prepare. I have a Dropbox hosted
bash profile that keeps all my favorites synced across machines, there's no
reason why your hot-keys couldn't be stored similarly.

(I have a real .profile for each machine, but its first line is `source
~/Dropbox/conf/bash_profile` which lets me override if necessary and apply
machine specific instructions.)

~~~
jdonahue
I don't know about a "few minutes", but spending a couple hours putting
together some type of system for automatically installing your system
configuration is SO worth it - probably one of the most frustration-saving
investments of your time imaginable as a developer, if you haven't done it
already.

After years of being frustrated at my configuration being different on every
system because I was too lazy to invest a little bit of time into doing
something like this, I wrote a small Python script that creates all the config
files I use (zshrc, tmux.conf, etc.) - it concatenates the 'generic' piece of
each config file with an OS-specific part (for Linux/Mac-specific setup) and a
host-specific part (for system-specific setup) and writes the concatenated
file to my home directory. There are probably much better solutions out there
than rolling your own script to do this, but I like it because I know exactly
what it does and how to add features myself when I need them.

Now when I start using a new system, I just do 'git pull' and 'make all'. It's
extremely satisfying how with this type of setup, in seconds, a brand new
system feels exactly like the ones I've been using for months/years.
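
The concatenation scheme described above, as an added example rather than the commenter's own script: each config is assembled from a generic, an OS-specific and a host-specific fragment, and the repo layout `<repo>/<name>/{generic,<os>,<host>}` is an assumption.

```python
import platform
import socket
import tempfile
from pathlib import Path

# Assumed dotfiles layout (hypothetical, not the commenter's repo):
#   <repo>/<name>/generic   <repo>/<name>/<os>   <repo>/<name>/<host>
# e.g. dotfiles/zshrc/generic, dotfiles/zshrc/linux, dotfiles/zshrc/laptop

def assemble(repo: Path, name: str, os_name: str, host: str) -> str:
    """Concatenate generic + OS + host fragments; missing parts are skipped."""
    out = []
    for label, fragment in (("generic", "generic"), ("os", os_name), ("host", host)):
        path = repo / name / fragment
        if path.is_file():
            text = path.read_text()
            # marker comment so the generated file shows where each line came from
            out.append(f"# --- {name}: {label} part ({fragment}) ---\n")
            out.append(text if text.endswith("\n") else text + "\n")
    return "".join(out)

def install(repo: Path, home: Path, names, os_name=None, host=None) -> dict:
    """Write ~/.<name> for every config that has at least one fragment."""
    os_name = os_name or platform.system().lower()   # e.g. "linux", "darwin"
    host = host or socket.gethostname()
    written = {}
    for name in names:
        content = assemble(repo, name, os_name, host)
        if not content:
            continue  # nothing defined for this config on this machine
        target = home / f".{name}"
        target.write_text(content)
        target.chmod(0o600)  # shell configs often hold tokens; keep them private
        written[name] = content
    return written

def demo() -> dict:
    """Constructed repo in a temp dir, installed into a temp home (illustration)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, home = Path(tmp) / "dotfiles", Path(tmp) / "home"
        home.mkdir()
        (repo / "zshrc").mkdir(parents=True)
        (repo / "zshrc" / "generic").write_text("export EDITOR=vim\n")
        (repo / "zshrc" / "linux").write_text("alias ls='ls --color=auto'\n")
        (repo / "zshrc" / "laptop").write_text("export GOPATH=$HOME/go")  # no newline
        (repo / "tmux.conf").mkdir()
        (repo / "tmux.conf" / "generic").write_text("set -g prefix C-a\n")
        return install(repo, home, ["zshrc", "tmux.conf", "vimrc"], "linux", "laptop")
```

`vimrc` has no fragments in the constructed repo, so nothing is written for it; a real run would call `install(Path("~/dotfiles").expanduser(), Path.home(), [...])` after `git pull`.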

~~~
jonknee
> I don't know about a "few minutes", but spending a couple hours putting
> together some type of system for automatically installing your system
> configuration is SO worth it - probably one of the most frustration-saving
> investments of your time imaginable as a developer, if you haven't done it
> already.

My solution of Dropbox synced config files was the few minute solution, but
I'm sure I could be more clever if needed.

------
guelo
Not that these aren't legitimate concerns but unless it's someone like a
coworker or a client I'm guessing 99% of thieves would have no idea what an
ssh key or software code is. The savvier thief is just going to wipe the hard
drive as soon as they can.

~~~
jiggy2011
Maybe, but I could see the emergence of a savvier brand of fence who might
pay extra for laptops with intact data on the basis that 1/100 has something
worthwhile.

------
caissy
Having a fully encrypted system solves all of those issues. If not, at least an
encrypted home (such as what Debian provides with their default installation).

~~~
unsignedint
I've tried both of them and generally I found dm-crypt + LUKS to be
superior. The problem with eCryptfs (which I believe is what Debian uses for
the home directory -- at least Ubuntu does) is that it limits usable file name
length because of the way things are encrypted. While it's not often the case
that I would exhaust its length limitation, if I do, it's a bit frustrating...

------
dpcan
Full disk encryption. This is the first thing I do as soon as I get a new
computer. The thought of losing one of my work systems terrified me before.
Now I have peace of mind.

------
ambiate
If I lost my laptop, assuming I would have a backup of the past 15 years on it
(like most devices I own), I would worry about the statute of limitations on
cyber crimes regarding felonies for unlawful intrusion.

When I was a teenager, we used to toy with trojans/viruses and infecting each
other and playing wargames on one another in our group. Out of context, it
could seem very malicious and non-educational. There are probably hard copies
of this in my backups. (When 200MB hard drives were a luxury, and Windows 3.11
for workgroups was a way of life for poor people, and 20 mile walks uphill in
snow to school...punchcards...AOL CD art...).

Things really are so much different now. It seems like a couple of years ago
that AOL was dominating the market. The IIS string vulnerabilities seem like
months ago.

------
jtbigwoo
I've told this one before, but I worked for a company that had a "lose your
laptop and get fired" policy. They also had full disk encryption and remote
wiping capability, but I guess someone up top thought a preventative policy
was needed. I don't think anyone ever got fired and the policy was rescinded
after a year, but it definitely clarified my focus when it came to keeping my
laptop secure on the road.

~~~
msh
So if you were unlucky and got mugged you would be fired; sounds like a really
bad policy...

~~~
jtbigwoo
It was a bad policy for all sorts of reasons, but there had been a really
careless loss the previous year. Something like a hundred thousand customer
credit files were left on an unencrypted laptop in the back of a returned
rental car. Like I said, they rescinded it before anybody actually got fired.

You can usually learn more about the history of a company by reading its
employee handbook than by reading its "About Us" page.

~~~
jonknee
The new policy should have been if you have unencrypted credit files on your
laptop (or desktop) you are fired. That's the inexcusable behavior, not the
loss of a laptop.

------
VuongN
Quick plug here if you guys don't mind: our security product nCryptedCloud
protects at-rest data in your Dropbox account. Should you ever lose your
laptop and want to make those Dropbox files not readable on that device, all
you have to do is remotely revoke the access key (from the device). Without
access privilege, the data is useless. It's free for personal use. Let me know
if you guys have any questions or comments.

-V.

------
onosendai
Encrypting everything at the block level has gotten reliable enough that there
are no excuses not to apply it to any and all kinds of mobile devices.

With Ubuntu 12.10 onwards you have the option to use dm-crypt for full disk
encryption baked right into the installer. With 12.04 and earlier you have to
use the alternate CD, but it's still painless. Android also uses dm-crypt for
its FDE implementation, also dead easy to enable.

With a password manager for the rest of your passwords, and an SSH key for
remote system access, you can manage everything only knowing three different
passphrases.

Using FDE precludes theft protection programs, obviously, since an attacker
wouldn't have access to a live OS. But if you're willing to forego a bit of
fun (see <https://www.youtube.com/watch?v=U4oB28ksiIo>) and the chance to
recover the hardware, you have a pretty solid guarantee that no one will get
to your data.

And, of course, daily backups, which is another can of worms. Personally I
just rsync to a remote system and offsite that data periodically.
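
An added check for the dm-crypt setups described above (not the commenter's code): parse `lsblk -J` output and list every mount that is not under a `crypt` mapping, including swap, since a hibernation image is written to swap and must be covered too. The sample JSON is constructed, not captured from a real machine.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not captured
# from a real machine): / and swap sit on a LUKS mapping, /boot and an external
# backup disk do not.
SAMPLE = json.loads("""
{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
   {"name": "sda1", "type": "part", "mountpoint": "/boot"},
   {"name": "sda2", "type": "part", "mountpoint": null, "children": [
     {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
       {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
       {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]},
 {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
   {"name": "sdb1", "type": "part", "mountpoint": "/media/backup"}]}]}
""")

def mounts(devices, under_crypt=False):
    """Yield (mountpoint, device, encrypted) for every mounted node in the tree."""
    for dev in devices:
        # a node is encrypted if it is a crypt mapping or sits below one
        enc = under_crypt or dev.get("type") == "crypt"
        # old lsblk emits "mountpoint", newer versions a "mountpoints" list
        for mp in dev.get("mountpoints") or [dev.get("mountpoint")]:
            if mp:
                yield mp, dev["name"], enc
        yield from mounts(dev.get("children", []), enc)

def cleartext_mounts(lsblk_json, allow=("/boot",)):
    """Mountpoints not under a dm-crypt mapping, except those explicitly allowed."""
    return sorted(mp for mp, _, enc in mounts(lsblk_json["blockdevices"])
                  if not enc and mp not in allow)

def swap_encrypted(lsblk_json):
    """False if any swap device is cleartext; hibernation images land in swap."""
    return all(enc for mp, _, enc in mounts(lsblk_json["blockdevices"]) if mp == "[SWAP]")

def audit_live():
    """Run the same checks against this machine (Linux with util-linux lsblk)."""
    raw = subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"])
    data = json.loads(raw)
    return cleartext_mounts(data), swap_encrypted(data)
```

On the constructed sample only `/media/backup` is reported, because an unencrypted `/boot` is expected with a LUKS root.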

------
mowfask
Those possibilities are especially embarrassing since doing it a lot better
takes little effort:

TrueCrypt container which contains sensitive project data;

.ssh somewhere on that container with ~/.ssh linking to it;

KeePass for passwords, it's quite convenient.

Maybe Prey or something similar, haven't set it up myself yet...

~~~
baby
Prey really takes seconds to set up. No excuses ;) Don't forget to set it up so
that a guest account is created as well.

~~~
thibaut_barrere
I know that creating a guest account as a honeypot is the recommended
technique, but I wonder if there are (Mac OS X) vulnerabilities to get access
to your main account from the guest account (in which case full disk
encryption would not protect the data).

I guess in the end it boils down to: do you prefer to leak the data, or lose
your laptop? :-)

~~~
CoachRufus87
Out of curiosity, could you explain why creating a guest account as a honeypot
is the recommended technique? My first guess would be to help identify who has
the machine.

~~~
bschwarz
If there's no way to use the computer the thief will instead wipe the disk,
making it impossible to track.

------
suhastech
Assuming my password is safe, I think Keychain (on a Mac) takes care of almost
all the issues specified. Except the source code.

------
cenhyperion
Daily backups, full disk encryption, and something like LastPass, 1Password,
or Keychain.

------
romeonova
Might want to take another look at the article to fix grammar/spelling.

~~~
Murkin
My third language...

Will appreciate it if you can drop me a line with corrections: do @ itlater.com

~~~
dudus
Not sure if this is a real email or a bad and rude joke

~~~
obviouslygreen
Considering the address is on the domain for the original post and the poster
says it's his third language... perhaps, just this once, it's safe not to
assume malice.

~~~
Murkin
Yep, real email. Not sure what the rude part was..

------
quackerhacker
Thanks for the reminder...now to passphrase my mainframe's ssh keys.

Doesn't help that I have the RSAs floating around on my iPhone, iPad,
PuTTY,...hmmm I need to do a check like this on every device now.
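
An added check for the audit just described (not the commenter's code): classify private key files by whether they need a passphrase, covering the `openssh-key-v1` format (cipher name `none` means cleartext), legacy PEM keys (a `Proc-Type: 4,ENCRYPTED` header) and PKCS#8; `fake_openssh_key` builds a constructed header for illustration only.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # prefix of every openssh-key-v1 blob

def openssh_cipher(body_b64: str) -> str:
    """Cipher name stored in an openssh-key-v1 blob; 'none' means no passphrase."""
    blob = base64.b64decode(body_b64)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])  # length-prefixed string
    return blob[off + 4:off + 4 + n].decode("ascii")

def key_is_encrypted(text: str) -> bool:
    """True if the private key text needs a passphrase, False if it is cleartext."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0] if lines else ""
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return openssh_cipher("".join(lines[1:-1])) != "none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True   # PKCS#8, encrypted
    if header == "-----BEGIN PRIVATE KEY-----":
        return False  # PKCS#8, cleartext
    if header.startswith("-----BEGIN") and header.endswith("PRIVATE KEY-----"):
        # legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
    raise ValueError("not a private key file")

def unencrypted_keys(ssh_dir: Path) -> list:
    """Names of files under ssh_dir holding private keys without a passphrase."""
    found = []
    for p in sorted(ssh_dir.iterdir()):
        if p.is_file() and p.suffix != ".pub":
            try:
                if not key_is_encrypted(p.read_text(errors="replace")):
                    found.append(p.name)
            except ValueError:
                pass  # config, known_hosts and the like
    return found

def fake_openssh_key(cipher: str) -> str:
    """Constructed openssh-key-v1 header only (not a usable key), for testing."""
    name = cipher.encode()
    blob = MAGIC + struct.pack(">I", len(name)) + name
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

`unencrypted_keys(Path.home() / ".ssh")` lists the keys that should get a passphrase with `ssh-keygen -p`.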

------
mike_esspe
You should always use disk encryption and shut down (hibernate) your notebook
while traveling. There is no noticeable performance degradation on modern
hardware.

Windows: TrueCrypt

Linux: dm-crypt + LUKS

FreeBSD: gdbe

MacOS: probably FileVault

~~~
xenophonf
On FreeBSD you are probably better off using geli instead of gdbe. Geli
supports both XTS and CBC (similar to ESSIV) modes, features data
authentication, and can operate on the root file system. I've used it to
encrypt both UFS2 file systems and ZFS pools (see
<https://web.irtnog.org/~xenophon/blog> for my notes on combining ZFS and
geli).

~~~
xenophonf
Er, sorry, the old one is called gbde. My fingers must be hardwired for "gdb".
;-)

------
johnchristopher
I am being nitpicky but I couldn't find what that asterisk

> * Yes we do all those and more, do you ?

is referencing to.

