Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


July 24, 2008

Open Source Laptop Tracking Service

Adeona. Looks good.

Posted on July 24, 2008 at 11:59 AM

Comments

So do we encrypt our laptops enough to protect sensitive data _and_ leave the machine functional enough to leave messages at OpenDHT?

Posted by: mcb at July 24, 2008 12:51 PM


@mcb:

Well, users of whole-disk encryption have essentially decided that the security of the data is worth more than the recovery of the device. This is because they know (or should know) that if the device is stolen, and found to be unusable without an authenticator, the next thing that will happen to it is that it will have its disk re-formatted and a new OS installed on top. The chances of recovery are next to nil.

Adeona/OpenDHT is for people who value the device more than the security of the data, and want a chance of recovering it. For this to happen, the device necessarily has to be at least partly usable by whoever stole/fenced/bought it, and the more usable it is the more likely it will be used in a way that leaves a trace.

Posted by: Carlo Graziani at July 24, 2008 1:10 PM


You could possibly have it both ways... Have a boot manager that defaults to booting, say, a vanilla winxp home installation that takes up a few GB of space, and has little loaded on it except perhaps a few programs and, of course, the adeona client. The other boot option (that you would only notice was there if you closely watched it boot up) would be a WDE-protected (or at least whole-partition-encryption-protected) secure OS of your choice.

The really awesome thing, of course, would be to build this client into your BIOS. And add in a GPS.

Posted by: Joe Patterson at July 24, 2008 1:21 PM


Not exactly. Computrace lives in the BIOS. If you just reinstall Windows, it will reinstall itself. The only way to get rid of it is to hack the BIOS.

If the thief keeps the laptop and loads Linux, Computrace will remain in the BIOS but won't be able to run. But really, how many stolen laptops are going to get linux installed on them? They're going to get pawned for $100 and sold to someone on the street for $300, chances are they won't even bother reinstalling the OS. If it makes it to a shop first, and the shop nukes the drive and installs Windows, CT will reinstall itself and it will call home first chance it gets.

Unless you know it's there and take active steps to remove/disable it, then the chances of recovery are good. Of course, you still need to make an attempt to find it; it might sit unclaimed at a lost and found or at the police station. You figure it's gone so let your computrace account expire, and so when it gets listed as abandoned a year later and sold at auction, it does report home but by that time the company doesn't bother to report it's been located.

Posted by: TS at July 24, 2008 1:31 PM


I'm a bit confused as to what this is supposed to do.

If my laptop is stolen, it most certainly will not magically get online until the attacker either replaces the drive, or manages to hack the BIOS drive password and then formats and installs their own OS.

Even if it was stolen in standby (and I treat standby as an "on" state, meaning that I don't let it out of my paws), I certainly wouldn't configure my laptop to hop on any wifi network in range just for giggles, so unless the thief drove by my office or house and stopped long enough for the laptop to signal where it is and then wait for me to come rescue it, I'd never hear from this software or the laptop again.

What am I missing?

Posted by: The Dave at July 24, 2008 1:40 PM


"These files are temporarily unavailable. Please check back soon."

First you need to download it successfully.

Posted by: Mark J. at July 24, 2008 1:43 PM


Heh, and of course this is just the sort of software which would disappear from the world if your recent suggestions[1] on liability were followed through as this is open source software licenced under the GPL ...

[1] http://www.schneier.com/blog/archives/2008/07/information_sec_2.html

Posted by: Paul Oldham at July 24, 2008 2:04 PM


It took a team of researchers a year to do what a thief can render ineffective in 10 minutes? Well done!

Thieves, the moral of the story is do not connect to the Internet until you change the hard drive after you steal laptops.

Posted by: Ivan at July 24, 2008 2:22 PM


@The Dave

You're not missing anything. Setting a BIOS password means that the thief can't pawn the laptop, so they just drop it in a dumpster ensuring you never get it back. Maybe a more entrepreneurial fence may disassemble it and sell it for parts, but either way, you're not getting it back.

Most people don't set BIOS passwords on laptops. Most people have their laptops wide open to hop onto any open network. Most people don't have a clue about security, so for many, this may well work.

Of course, recovery depends entirely on the attitude of the police. That's one thing Computrace touts as a feature, that they will work with the police to recover a laptop.

Posted by: TS at July 24, 2008 2:43 PM


I have a pretty good OS X solution to the drive encryption / laptop recovery problem.

I have one non-admin account that I use for day-to-day stuff. This part of my HD is not encrypted. I then have a second non-admin user account for storing sensitive files. That part is encrypted.

With fast user switching, it works pretty seamlessly and well.

Posted by: Milan Ilnyckyj at July 24, 2008 2:49 PM


@Paul - Why would open source (vendor-less) software "disappear" if software vendors became liable for security flaws in their products?

Posted by: Tangerine Blue at July 24, 2008 3:01 PM


If you want more information, my colleague provided his detailed review of his experience and perspective on our blog.

http://blog.calyptix.com/2008/07/retrieve-your-stolen-laptop-with-adeona.html

Posted by: Ben Yarbrough at July 24, 2008 3:35 PM


If I get a PC of unknown origin (sometimes it happens where I live), the first thing I do is a complete reinstall from a liveCD. Namely, a complete wipe of the HDs and installing a new OS afresh.
So, if this "protection" does not live in BIOS, it will end up in /dev/null.

Although, "never underestimate human stupidity". If the thief manages to log in and then connects to the internet, then you'll get some data.

BTW, similar software already exists for Windows Mobile phones. It writes itself into NVRAM and fires up when the SIM card changes. Then it starts to send unattended SMSes to a preconfigured phone number and does other nasty things like responding to command SMSes from that number - like rebooting, downloading phonebook, etc. I've heard that this kind of software has helped to salvage some phones.
But this scheme isn't bulletproof - flashing new firmware will kill the protection.

Posted by: Vasili Burdo at July 24, 2008 4:11 PM


@Milan:

As far as I know, the passwords for encrypted homes in OS X remain cached when you use fast user switching (which is why OS X warns about it). So unless you really log out of the sensitive account, it is theoretically vulnerable. It's good enough in most scenarios though, and also provides much better protection whenever you have to provide some password or face significant hassle (i.e. customs).

Posted by: Martin at July 24, 2008 4:51 PM


So, what about the case of someone surreptitiously introducing Adeona onto your laptop, generating the original cryptographic seed, giving them access to its location data retrieval. All of a sudden They Know Where You Are. Sounds like it can be abused.

Of course the trivial case of loss of privacy is the employer tracking their laptops, akin to cell phone tracking. Then there's the Mata Hari copying that slip of paper the original cryptographic seed was stored on from one's wallet.

Posted by: Dio Gratia at July 24, 2008 5:21 PM


works only till the news break and the novelty-factor wears out. the bad guys read news, too. they'd swap the disk or sell the parts for scrap. maybe if it's code in the bios w/o hd access it may work, but still needs network access ... and swapping the wifi module is easy, too

Posted by: neill at July 24, 2008 6:15 PM


BTW i remember seeing an interview with some high-level audi manager, he said they can make car-theft almost impossible (biometric,rfid,codes etc) but that would increase the # of carjackings (which wouldn't be good for the brand-image - who would then want an audi?)
same with X000 $ laptops - always the tradeoff human cost vs machine cost
besides an 'angry' thief may extract your address, and after some jailtime, may come for a visit ...

Posted by: neill at July 24, 2008 6:43 PM


If I had Adeona installed and decided to sell my laptop, could I track a new owner? Yes, I could. If the new owner was not a geek he or she would never realize that I can track what they do, what they connect etc. It is an open source product. If I change a few parts of the program, I can receive much more than just a few bits of information. What do you think about this?

Posted by: Velky Copko at July 25, 2008 2:46 AM


from Adeona faq: "...swipe your laptop from a coffee shop or your dorm room, and then wants to use it or perhaps sell it on online. Such thieves will often not be technologically savvy... "

Swipe your laptop from your dorm room? Probably a fellow student. Why would he (or she) not be savvy enough?

The producers of this product have to be totally naive. Nice CS project perhaps though.

If my laptop gets stolen a thief will notice he can perhaps use and sell bits of the hardware (HD, memory), but he won't even get to the BIOS because of a hardware lock, even in stand-by. He will thrash it. If everyone were using such a lock (and every laptop offering it), thieves would learn that stealing laptops is useless.

Posted by: derob at July 25, 2008 3:45 AM


The thief does not need to erase the whole disk - it's enough if he doesn't connect the computer to the Internet. You don't need the Net to investigate a computer's content.

Posted by: Tomasz Kasprzak at July 25, 2008 4:22 AM


@Tangerine Blue

Today, open source developers put in work (without pay) and give this away to people for free. That's a lot to ask, but some people enjoy programming and others feel an obligation to pay back the community.

If there were liability, we would be asking open source developers to put in work (without pay) and open themselves up to being sued for millions of dollars, all for free. Those selling for a profit could, presumably, increase their price to cover the risk (or cost of insurance), but you can't exactly raise prices (or make up for it in volume) if your product is free!

Introducing a loophole that says those giving a product away for free don't incur liability MIGHT work, but the law would need to be crafted carefully, or commercial developers would split their code into 2 parts: the free part that incurs all the liability, and the very-expensive part that does nothing but allow the free part to work.

Posted by: Michael Chermside at July 25, 2008 6:51 AM


Would be convenient if the laptop had a builtin GSM chip that Adeona could dial - sort of a trusted path.
Ignoring all the issues of having a cellphone in your laptop might expose you to...

Posted by: sys at July 30, 2008 3:31 AM


I installed Adeona on my Mac. I found a serious issue with it. The software takes photos of routinely throughout the day. All that is needed to access that image is the credentials file and a password. It is only a matter of time before this is abused somewhere for purposes other than theft recovery: cyber voyeurism, stalking, what have you.

Posted by: Eric Martinez at August 21, 2008 4:18 AM



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
