Saturday, September 22, 2007

Mac laptop stolen at the coffee shop

No, my laptop wasn't stolen, but here's an interesting tale of recovery of one that was. Now this is an unabashedly Mac-centric site, so the following guide is focused on some OS X based tools, but there are Linux and Windows versions of several of these techniques.

Being a mobile laptop user is wonderful, but having your laptop walk off is a heart-dropping experience, not so much for the lost hardware but for the data you've got on it. And not so much for losing the data (you are making daily backups, right?) but for the thief's access to it. If you're super-paranoid, you might even worry that it was a gov't black bag job.
Coffee shops and college campuses are great places to steal things. People are complacent because they consider it "their space" and forget how open it really is. These places have an extremely high turnover of people, all of whom "look like they belong". How do you make sure they can't see those special pictures you have stored on your machine? Encryption, and lots of it!

1) First of all, turn on your screen saver password.
2) Turn on "Require password to wake this computer from sleep or screen saver" in your Preferences -> Security window.

Your mega-super-encryption will not save you if I close your laptop, walk off with it, and plug a USB drive into it at my leisure. I have complete access.

What happens here is, they close your laptop, walk off with it, and are confronted with a password when they open it up to look at your stuff. Their only option is to then reboot the machine, but aha! You've also enabled "Disable automatic login" so that they must still enter a password if it is rebooted.

I leave the IR function disabled because I don't want someone to figure out a way to use Front Row or the relatively obscure IR protocols to bypass my screensaver password. As for secure virtual memory, I'm just not that paranoid yet. All RAM gets wiped after each reboot, so they would have to know in advance that I had done all this and not to restart the machine, *then* still have to figure out a way to dump the contents of RAM somewhere readable. That is an unlikely scenario.

For the same reason, I don't click "Require Password for each secure system preference" since I am the only user on this machine and if they get that far, I'm already toast.

3) Turn on File Vault. Yes, it's scary. However, it is very careful to verify everything and there seems to be no speed loss. What this does is prevent the attacker from just pulling your hard drive, putting it into another machine or USB enclosure and reading all your data. For this reason, Open Firmware passwords are basically useless. The computer is a husk that accesses a hard drive. Why bother trying to crack a BIOS password when you can just rip the drive out? Does this happen? You betcha! There are tons of stories about data recovered off of drives sold on eBay.
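As an added example (not code from the original post), here is a small POSIX shell audit of steps 1 to 3 for a present-day macOS machine. The `defaults` keys (`com.apple.screensaver askForPassword` and `askForPasswordDelay`, `/Library/Preferences/com.apple.loginwindow autoLoginUser`), the `fdesetup status` command and the `uname` guard are assumptions about current macOS; the post itself only names the System Preferences checkboxes, and the 2007-era File Vault it describes predates `fdesetup`. The parsing is kept in separate functions so the logic can be exercised with pasted values on any system.

```shell
#!/bin/sh
# Added example, not from the original post: audit the three steps above on a
# current macOS host. The defaults keys, fdesetup and the Darwin check are
# assumptions about present-day macOS.

# --- pure checks: each takes the text a command printed, returns 0 = pass ---

# Step 1: askForPassword is 1/true when the screen saver demands a password.
screensaver_password_ok() {
    case "$1" in
        1|true|TRUE|True|yes|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: askForPasswordDelay is the grace period in seconds before the lock
# applies. The post wants the password required immediately, so only 0 passes;
# a missing key (defaults prints an error) is treated as a failure on purpose.
password_delay_ok() {
    case "$1" in
        0) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2, second half: autoLoginUser only exists while automatic login is
# enabled, so an empty read or the "does not exist" error means it is disabled.
autologin_disabled() {
    case "$1" in
        ''|*"does not exist"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3: fdesetup prints "FileVault is On." when the boot volume is encrypted.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one check, print PASS/FAIL with its label, and count failures globally.
AUDIT_FAILURES=0
report() {
    label="$1"; shift
    if "$@"; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"
        AUDIT_FAILURES=$((AUDIT_FAILURES + 1))
    fi
}

# Evaluate all four raw values; returns the number of failed checks so a caller
# (or a test) acts on the result instead of parsing printed output.
audit_values() {
    AUDIT_FAILURES=0
    report "screen saver requires password"  screensaver_password_ok "$1"
    report "password required immediately"   password_delay_ok "$2"
    report "automatic login disabled"        autologin_disabled "$3"
    report "FileVault on"                    filevault_on "$4"
    return "$AUDIT_FAILURES"
}

# Merge stderr so a missing key shows up as the "does not exist" text above.
read_default() {
    defaults read "$1" "$2" 2>&1
}

# Live audit only on macOS; elsewhere the check functions can still be called.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    audit_values \
        "$(read_default com.apple.screensaver askForPassword)" \
        "$(read_default com.apple.screensaver askForPasswordDelay)" \
        "$(read_default /Library/Preferences/com.apple.loginwindow autoLoginUser)" \
        "$(fdesetup status 2>&1)"
    echo "failed checks: $AUDIT_FAILURES"
else
    echo "not macOS: live audit skipped"
fi
```

Run it as `sh audit.sh` from the account you want to check: the screen saver keys live in the user's own defaults domain, so each login account on the machine needs its own run, while the login window key and FileVault status are machine-wide. A non-zero count from `audit_values` is the signal to go back to the System Preferences panes named in the steps above.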

Now your data is much safer. If someone steals your laptop, at best they'll have to reformat the drive, and at worst, they'll end up with a brick of a hard drive that contains a sparse image full of encrypted garbage.

The government could spend *years* and never recover your data. This gives you plausible deniability, which we will discuss in a future post.

4 comments:

Artificial Selection said...

I have finally disabled automatic login and turned on "require password to wake this computer from sleep or screen saver". I feel more secure already.

As for File Vault, I almost turned it on, but then I read the Apple discussion thread you linked to above. Holy crap! How do you do it? How can you stand the fear? It sounds like FV is horribly bugged. But, clearly, you use it without incident. What's up with that?

Artificial Selection said...

I think I may make an encrypted sparsebundle and put all my sensitive stuff in there instead of using FV. One of the commenters in the Apple thread suggests, basically, that same thing. Then I can make copies of the image and leave them on CDs or even upload them somewhere so I have redundant copies. At least, that seems like a happy medium between the treacherous nature of FV and being completely unprotected, which I was before reading this blog!

ultra toast said...

Good. Require password will discourage casual thieves from looking at your data.
More likely they'll just wipe the drive and resell the machine, but if you're logged in, they may dig through your info looking for identity theft crumbs (or just your porn collection).

ultra toast said...

"But, clearly, you use it without incident. What's up with that?"

Backups :)