Hacker News new | comments | show | ask | jobs | submit login
What if I lost my laptop? (itlater.com)
33 points by Murkin on June 4, 2013 | hide | past | web | favorite | 55 comments



Does setting a Mac OSX(10.8) FileVault full-disk encryption + strong password obviate most/all of those issues? I have been somewhat cavalier when it comes to laptop security because of that...


I would recommend using TrueCrypt volumes so you can open them on machines other than OSX.


The idea of transporting your encrypted data seems a little flawed. That opens another failure mode because of the inevitable need for key escrow (never trust a backup to what's in your brain). Yes, you can do that securely. But like everything else you probably won't. So either you'll goof and expose your keys accidentally, or (typically much worse!) you'll goof and lose data.

It seems better to do your backups to a separately-secured environment, either with a distinct (and differently managed) encryption key, or just to a physically secure location without encryption (frankly my preference).


That really doesn't offer feature overlap with FileVault2's full disk encryption. Though using TC is a great alternative for specific disks and folders -- not an entire system from preboot through log-in.


TC can do full disk encryption, but unfortunately not on Mac.


TC on OS X is still crappy. :(

I'd love to have fully working TC on the laptop


So basically, you didn't lost it. Good for you.

Yet using full drive encryption + daily backups (or dropbox or google drive or whatever webfs) + having a spare machine at home (so that you can spare the trip to a computer store and have a machine readily configured) is necessary if you are a professional.

You seem to have underestimated this last point, with your estimation of a full day to have a new one ready.

Having a machine setup and ready can sure take hours - which might not be ok if you have a client waiting. Also, anything else may happen (car broke, computer shop closed / out of computers). I have noticed that when bad things happend, they tend to spiral out until sh*t hit the fan.

Your $1k is a lowball estimate. Better have a spare one ready and waiting for you.


There is a difference between a machine that is ready to help a client and one that has all my favorite xmonad hot-keys setup.

Now a web-based ssh is enough to do 99% of the work.

But true comfort takes time


> There is a difference between a machine that is ready to help a client and one that has all my favorite xmonad hot-keys setup.

Only if you don't take the few minutes to prepare. I have a Dropbox hosted bash profile that keeps all my favorites synced across machines, there's no reason why your hot-keys couldn't be stored similarly.

(I have a real .profile for each machine, but its first line is `source ~/Dropbox/conf/bash_profile` which lets me override if necessary and apply machine specific instructions.)


I don't know about a "few minutes", but spending a couple hours putting together some type of system for automatically installing your system configuration is SO worth it - probably one of the most frustration-saving investments of your time imaginable as a developer, if you haven't done it already.

After years of being frustrated at my configuration being different on every system because I was too lazy to invest a little bit of time into doing something like this, I wrote a small Python script that creates all the config files I use (zshrc, tmux.conf, etc.) - it concatenates the 'generic' piece of each config file with an OS-specific part (for Linux/Mac-specific setup) and a host-specific part (for system-specific setup) and writes the concatenated file to my home directory. There are probably much better solutions out there than rolling your own script to do this, but I like it because I know exactly what it does and how to add features myself when I need them.

Now when I start using a new system, I just do 'git pull' and 'make all'. It's extremely satisfying how with this type of setup, in seconds, a brand new system feels exactly like the ones I've been using for months/years.


> I don't know about a "few minutes", but spending a couple hours putting together some type of system for automatically installing your system configuration is SO worth it - probably one of the most frustration-saving investments of your time imaginable as a developer, if you haven't done it already.

My solution of Dropbox synced config files was the few minute solution, but I'm sure I could be more clever if needed.


Same here (only on github)

My next machine will be Mac or Ubuntu 13.04. (and last time 10.10 -> 12.10 took 1 day).


Not that these aren't legitimate concerns but unless it's someone like a coworker or a client I'm guessing 99% of thieves would have no idea what an ssh key or software code is. The savvier thief is just going to wipe the hard drive as soon as they can.


Maybe , but I could see the emergence of a savvier brand of fence who might pay extra for laptops with intact data on the basis that 1/100 has something worthwhile.


Having a full encrypted system solves all of those issues. If not, at least an encrypted home (such as what Debian provides with their default installation).


I've tried the both of them and generally I found dm-crypt + LUKS to be superior. The problem of e-cryptfs (which I believe what Debian uses for home directory -- at least Ubuntu uses) limit usable file name length because of the way things are encrypted. While it's not often the case I would exhaust its length limitation, but if I do, it's bit frustrating...


Full disk encryption. This is the first thing I do as soon as I get a new computer. The thought of losing one of my work systems terrified me before. Now I have peace of mind.


If I lost my laptop, assuming I would have a backup of the past 15 years on it (like most devices I own), I would worry about the statute of limitations on cyber crimes regarding felonies for unlawful intrusion.

When I was a teenager, we used to toy with trojans/viruses and infecting each other and playing wargames on one another in our group. Out of context, it could seem very malicious and non-educational. There are probably hard copies of this in my backups. (When 200MB hard drives were a luxury, and Windows 3.11 for workgroups was a way of life for poor people, and 20 mile walks uphill in snow to school...punchcards...AOL CD art...).

Things really are so much different now. It seems like a couple of years ago that AOL was dominating the market. The IIS string vulnerabilities seem like months ago.


I've told this one before, but I worked for a company that had a "lose your laptop and get fired" policy. They also had full disk encryption and remote wiping capability, but I guess someone up top thought a preventative policy was needed. I don't think anyone ever got fired and the policy was rescinded after a year, but it definitely clarified my focus when it came to keeping my laptop secure on the road.


Doesn't sound like a good idea to me - what about the unintended consequences?

If an employee's laptop goes missing, you want them to promptly notify IT, so that measures can be taken to plug any security holes.

You don't want them to try to hide the loss - or even to delay, while they try recover the laptop themselves - which they might do if they believe they'll get fired for reporting it missing.


so if you were unlucky and got mugged you would be fired, sounds like a really bad policy...


It was a bad policy for all sorts of reasons, but there had been a really careless loss the previous year. Something like a hundred thousand customer credit files were left on an unencrypted laptop in the back of a reeturned rental car. Like I said, they rescinded it before anybody actually got fired.

You can usually learn more about the history of a company by reading its employee handbook than by reading its "About Us" page.


The new policy should have been if you have unencrypted credit files on your laptop (or desktop) you are fired. That's the inexcusable behavior, not the loss of a laptop.


My guess is top management may have been more worried about employees selling their laptops with trade secrets on them and then claiming they were stolen.


Quick plug here if you guys don't mind: our security product nCryptedCloud protect at-rest data in your dropbox account. Should you ever loose your laptop and want to make those dropbox files not readable on that device, all you have to do is remotely revoke the access key (from the device). Without access privilege, the data is useless. It's free for personal use. Let me know if you guys have any question or comments.

-V.


Encrypting everything at the block level has gotten reliable enough that there are no excuses not to apply it to any and all kinds of mobile devices.

With Ubuntu 12.10 onwards you have the option to use dm-crypt for full disk encryption baked right into the installer. With 12.04 and earlier you have to use the alternate CD, but it's still painless. Android also uses dm-crypt for its FDE implementation, also dead easy to enable.

With a password manager for the rest of your passwords, and an SSH key for remote system access, you can manage everything only knowing three different passphrases.

Using FDE precludes theft protection programs, obviously, since an attacker wouldn't have access to a live OS. But if you're willing to forego a bit of fun (see https://www.youtube.com/watch?v=U4oB28ksiIo) and the chance to recover the hardware, you have a pretty solid guarantee that no one will get to your data.

And, of course, daily backups, which is another can of worms. Personally I just rsync to a remote system and offsite that data periodically.


Those possibilities are especially embarrassing since doing it a lot better takes little effort:

TrueCrypt container which contains sensible project-data;

.ssh somewhere on that container with ~/.ssh linking to it;

Keepass for passwords, it's quite convinient.

Maybe Pray or something similar, haven't set it up myself yet...


Prey really takes seconds to setup. No excuses ;) Don't forget to set it up so that a guest account is created as well.


I know that creating a guest account as a honeypot is the recommended technique, but I wonder if there are (Mac OS X) vulnerabilities to get access to your main account from the guest account (in which case full disk encryption would not protect the data).

I guess in the end it boils down to: do you prefer to leak the data, or lose your laptop ? :-)


The built-in guest account runs on a separate copy of the OS, booted from the recovery partition. It is a limited OS image that only runs Safari.

A normal account would require unlocking the disk, which would expose everything.

Last time I looked at Prey (over a year ago) it didn't support installation to the recovery partition. But they may have added support since then.


If you're already relying on OS X's FDE, it's not a huge step to link your laptop with iCloud. You can then do basically all the things you can do with a lost iOS device: beep, send messages, or wipe it (instantaneously if FDE is on, it just clears the keys).


Out of curiosity, could you explain why creating a guest account as a honeypot is the recommended technique? My first guess would be to help identify who has the machine.


If there's no way to use the computer the thief will instead wipe the disk making it impossible to track.


if you don't need a login to use your laptop, then a guest account is not needed.


Isn't prey possibly illegal in some states due to wiretapping issues?

I don't want to escalate a lost laptop to a felony charge.


That is an extraordinary claim that requires some evidence.


http://blog.internetcases.com/2011/08/29/using-lojack-to-fin...

Apparently, it's federal, not state based.


Thanks for the link. That is sad news.

The key point seems to be:

> the court was saying that Absolute went too far in collecting the contents of the communications being made on the stolen computer.

So location tracking and snapping photos of the user is acceptable, but intercepting the users communication content is not. Unfortunate, and poorly decided, but not complete failure.

As usual, the government reserves rights for itself to perform specific acts that it considers criminal when private citizens engage. (And of course, the government offers no replacement for citizens who are prohibited for taking defensive actions on their own behalf.)


I think snooping on sexual episodes was quite rightly decided to be an invasion of privacy. I think a tort would have likely been more appropriate than criminal charges for it.


Thanks for the link. That is sad news.

The key point seems to be:

> the court was saying that Absolute went too far in collecting the contents of the communications being made on the stolen computer.

So location tracking and snapping photos of the user is acceptable, but intercepting the users communication content is not. Unfortunate, and poorly decided, but not complete failure.

As usual, the government reserves rights for itself to perform specific acts that it considers criminal when private citizens engage.


Assuming my password is safe, I think keychain (on a Mac) takes care of almost all the issues specified. Except the source code


Daily backups, full disk encryption, and something like lastpass, onepassword, or keychain.


Might want to take another look at the article to fix grammar/spelling.


My third language..

will appriciate if you can drop me a line with corrections do @ itlater.com


Not sure if this is a real email or a bad and rude joke


Considering the address is on the domain for the original post and the poster says it's his third language... perhaps, just this once, it's safe not to assume malice.


Yep, real email. Not sure what the rude part was..


I think it's funny and clever use of his domain name. I suppose he uses it as a kind of action inbox /to-do later list.


Thanks for the reminder...now to passpharse my mainframe's ssh keys.

Doesn't help that I have the rsas floating around on my iphone, ipad, putty,...hmmm I need to do a check like this on every device now.


You should always use disk encryption and shutdown(hibernate) your notebook while traveling. There is no noticeable performance degradation on modern hardware.

Windows: Truecrypt

Linux: dm-crypt + LUKS

FreeBSD: gdbe

MacOS: probably FileVault


On FreeBSD you are probably better off using geli instead of gdbe. Geli supports both XTS and CBC (similar to ESSIV) modes, features data authentication, and can operate on the root file system. I've used it to encrypt both UFS2 file systems and ZFS pools (see https://web.irtnog.org/~xenophon/blog for my notes on combining ZFS and geli).


Er, sorry, the old one is called gbde. My fingers must be hardwired for "gdb". ;-)


Isn't hibernation actually a potential risk since the state of the machine is stored, which could potentially provide access to restricted files?


If swap (and hibernation blob) is encrypted, then you'll be OK.

TrueCrypt (when used with Pre-boot authentication) will encrypted everything including swap, dm-crypt/LUKS would configure encrypted swap, and with FileVault (actually even without FileVault) MacOS configures itself to use encrypted swap.


I am being nitpicky but I couldn't find what that asterisk

> * Yes we do all those and more, do you ?

is referencing to.




Applications are open for YC Winter 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: