As I wrote last month, I love my laptop (particularly with a docking station and dual monitors at my office). The only downside of living on a laptop is what happens if it gets lost. Estimates are more than a million laptops are reported lost or stolen each year. Even the FBI loses three or four a month! Fortunately, I’ve never lost one—but I get the shivers just thinking about it (regular backups help reduce this symptom).
If your personal laptop is lost or stolen, you have to worry about things that can’t be replaced (digital pictures of your children), things that are hard to replace (1,283 songs purchased from iTunes) and things that are private (bank account and credit card numbers, passwords, those pictures from Las Vegas). If a business laptop goes astray, the problems are even worse. A business laptop can contain lists of social security numbers, credit card numbers or medical information. And, there are state and federal penalties and obligations associated with the loss and/or disclosure of such data. It’s enough to give you hives.
Ideally, a lost or stolen laptop would instantly become a brick—inert and unusable except as a door stop. Even better, it would phone home to let you know where it was. Alas, those two wishes are largely incompatible with one another.
The best solution to the “my laptop is missing” problem is called full-disk encryption (FDE) As I write this, the federal government (which has a bad track record when it comes to securing information on laptops and hard drives) has just announced the selection of nine vendors who will provide FDE products to government agencies. My company, which deals with health-related information covered under the Health Insurance Portability and Accountability Act (HIPAA), previously selected one of these same vendors (WinMagic Data Security) to provide FDE for more than 50 laptops.
Here’s now it works. On a normal system, a bootstrap program (a tiny program that only knows how to do one simple thing) in the read-only firmware of your computer loads a larger, more complicated bootstrap program from the hard disk into the read/write memory of your computer and transfers control to it. That program, in turn, loads Windows (or whatever operating system your computer runs) off the hard disk and turns it loose.
In the case of full-disk encryption, every single byte of information on the disk is encrypted (including the operating system), so the normal process won’t work. You have to supply some sort of credential (such as a password or a hardware “dongle” that plugs into a USB port) to boot the computer. There’s a little bit of a chicken-and-egg problem here: If everything is encrypted, where does the program that asks for the credential come from? The answer varies from system to system. Some computers have a hardware module that knows how to handle it. Others load an unencrypted bootstrap from the hard disk, which is still secure if done properly (that is, you can’t bypass the encryption by hacking the unencrypted bootstrap).
The net effect is, without a credential, the laptop is a very nice paperweight. No one, except perhaps the National Security Agency, can get at the data on your hard drive.
Of course, passwords can be guessed, either because they were badly chosen or by brute-force attack. A really secure system will rely on what’s called “two-factor authentication.” For example, bank ATM systems rely on two factors: something you know (your PIN) and something you have (your ATM card). One without the other is useless. Some systems rely on “something you know” and “something you are,” meaning biometric information such as a fingerprint or retinal scan. Biometrics have a variable history of success. Fingerprint readers have been hacked using impressions on a Gummy Bear, and in the Bond movie, “Thunderball,” villains used someone’s eyeball to fool a retinal scanner (though sophisticated fingerprint readers do check the temperature of your finger).
At my company, we’re combining WinMagic’s SecureDoc full-disk encryption with a “something you have” solution from RSA (the security division of EMC Corporation). RSA provides a USB “dongle” with a six-digit numeric display that changes every minute, based on a time-based security algorithm. To boot one of our laptops, I have to supply both a four-digit PIN code and either have the dongle plugged into the computer so it can read the current six-digit value or type in the current six digits along with my PIN. Otherwise, my computer is useless.
Of course, humans can always screw up the security process. We’ve all heard of people writing their PIN on their ATM card, and I worry about our employees losing both the computer and the dongle when their bag is stolen (one reason not to use the USB model of RSA’s device)—although as long as they don’t write their PIN on the dongle, I think we’ll be OK. And there’s always the problem of leaving your dongle at home.
By the way, Microsoft’s new Windows Vista comes with a feature called BitLocker, which does full-disk encryption. I don’t have any experience with it, since we’ve decided to delay moving to Vista as long as possible (next year, probably). BitLocker is only available on the Business and Ultimate editions of Vista.
As you can see, securing your laptop isn’t simple. A nonsecure solution that may appeal to you is the “phone home” approach offered by LoJack for Laptops (www.lojackforlaptops.com). This is software that installs silently and invisibly on your laptop and contacts a monitoring center when and if the stolen laptop is connected to the Internet. Of course, a smart thief would know better than to connect a stolen laptop to the Internet (or remove LoJack before doing so). Fortunately, most thieves aren’t that smart.
In this digital world, it’s important for everyone to have a better understanding of security. An excellent, readable introduction is Secrets and Lies: Digital Security in a Networked World by Bruce Schneier. Schneier, who’s chief technical officer of security company BT CounterPane, also writes an entertaining and informative blog and offers a free newsletter on security scams, events and news, both of which you can find at www.schneier.com.
I sincerely hope you’ll take steps to secure your laptop computer. Given the value of what’s on your disk, it just makes good sense. But even if you’re protected, I hope your laptop never goes missing!
