Slashdot Mirror
Crypto Leash for Laptops?
timman999 writes "New Scientist reports a new device that will automatically encrypt all the data on a laptop when it is separated from its owner. It uses a small receiver and the user has to wear a transmitter on his wrist."
If it isn't a part of the hard drive it's self then it is 100% worthless..
Anyone wanting to steal a laptop for it's data will find trivial ways around anything that is a "add-on" solution. It has to be a part of the hard drive it's self or all content on the hard drive needs to be encrypted already and the "device" only allow's access.
Do not look at laser with remaining good eye.
Noble says the system would work well with a prototype computer wristwatch developed by IBM. This watch uses the Linux computer operating system and can communicate with other devices through the Bluetooth radio protocol.
...I want the linux powered wristwatch
"Good things don't end with eum, they end with mania or teria." - H. Simpson
Man, NOBODY will buy a stolen laptop if all the previous owner's data is encrypted!
How to steal one of these self-encrypting laptops:
1) steal it (many means available)
2) as soon as possible, remove the battery.
3) profit
Encryption takes a whole lot of time to do, especially on the monster hard drives available today. What might be a better way would be to have the system already encrypted, and just delete any cached keys, etc. when the laptop goes out of range. This will really only stop clueless people who wouldn't have profited off any data on the computer anyway.
Travis
To just have an encrypted filesystem, and make the user type the password when it boots? Less points of failure, less expensive, and less trouble.
Moderation: Put your hand inside the puppet head!
... step away to go to the bathroom, when you come back, you will have to sit and wait for all your 20 gigs of pr0n to finish encrypting :)
Ñ'
This is cool, until of course an enterprising user just tapes the decoder to the laptop.
Pull a Bruce Campbell and cut off hand of owner... :)
messy, and would elevate theft to a felony.
I will never allow that, as what is to prevent them from tracking my location? They can simply have it hooked into a GPS system and send email out (who disallows outbound SMTP from their laptop) and track when and where I use and don't use my laptop. Well, if the device was made by Microsoft, I would use it, since then it would be broken beyond belief and I could have it report to me where everyone else and hack it.
That should help with the U.S. government not being able to keep ahold of their laptops.
http://news.com.com/2100-1020-950155.html
First thought I had: just remove the battery when you steal it, so that any gadget inside wouldn't be able to change something on the HDD. But the article says that the files are always encrypted, and only a cached copy (probably in RAM) is used when the user is viewing or modifying a file.
Time to find another loophole...
Envy my 5 digit Slashdot User ID!
Now, I have this really neat gizmo hooked up to my laptop. I walk to to the kitchen for a glass of milk and a nice loose meat sandwich after not being able to connect to my favorite FTP server. While in the kitchen, I accidently walk beyond the leash range. The laptop encrypts my HDD. Now, after making my sandwich I walk back and can't use my laptop until it decrypts my entire HDD.
Wouldn't this just be annoying?
Objects in the blog are closer then they ap
It must have the fastest encryption engine on the planet to 1) encrypt all data when the signal is lost and 2) decrypt the data when the signal returns so it is ready when the user sits down. Where can I get one of these things? Perhaps MI5 should invest in some. :)
And if they steal both?
A whole new emergence in the field of crime, pickpockets and laptop thieves combining forces, united at last!
If brevity is the soul of wit, then how does one explain Twitter?
This could be quite a pain if people were to make signal jammers that would make the laptop think the person is gone even when he is sitting at the computer.
And, on a practical note, how many laptops, do you imagine, get stolen while they're turned on and running? What about the ones that get stolen when they're sitting idle in their highly attractive "steal me" notebook cases (which is why my company issues backpacks that don't advertise that they contain computers).
Seems bass-ackwards to me.
good idea, but not practical.
who wants to have towear a bracelet to use their computer?
spend money here
see: http://zdnet.com.com/2100-11-950155.html
Although I'm afaid our government will probably have just as hard of time keeping track of the transmitter that goes around the wrist.
So you just wear a wristband and no one can steal your data... A bright blue wristband with the IBM logo on it, the perfect complement to your business attire!
"The amount of intelligence on this planet is a constant. The population is growing." -Cole's Axiom
My keys, wallet, watch, PDA, Blackberry, Cel AND my crypto leash. Great.
Anyone who is concerned enough about their laptop security to consider bothering with one of these should already have good crypto security in place. And preferably security where the 'key' can't be stolen off the nightstand. These will attract the gadget happy crowd and CFO's who don't understand info sec and want to see a physical product. Anyone who feels the need to be able to point to their security device shouldn't be making security decisions.
I want one that starts the gps broadcast when im away for to long. Go and get my stuff back.
So instead of simply theft, we get muggings for recievers instead. Nice.
To write a haiku - all you need is the correct - number of syli...
They used to do this with handcuffs and briefcases. The only problem was that too many curriers ended up sans hands.
There's no way that they are going to encrypt everything in a reasonable amount of time (even just an xor would take forever on a 40GB drive), and if they did, there's no way they could decrypt it fast enough on your return.
The implication is also that data is in an unencrypted state for some period, a risk in itself (just pop the battery when you take the laptop, remove the hard drive and attach to another system to see what's unencrypted). An encrypted filesystem seems more appropriate if you are really concerned about security.
Does anyone know how this product really works?
Can You Say Linux? I Knew That You Could.
Now I can sleep better knowing my laptop information can't be read by the theives that stole it!
Man, I can finally get careless with my laptop in airports!
Where do I get this upgrade?
I'd probably do it with reformatting the HD in mind. I don't care what kind of information is in there, unless it belongs to somebody who is somebody. So I wouldn't care if it had anything that encrypts the "valuable data". Using any data that you steal (credit card numbers and the like) will probably get you caught faster.
Heroscape, it's like legos combined with anachronistic wargames.
Better yet, don't walk away leaving it lying around with the screen on and open files showing.
A beowulf cluster of these?
What I don't understand.. Given the potential for the loss of a laptop, why aren't government laptops with sensitive info REQUIRED to be encrypted?? Aren't these losses the perfect example that government at the highest levels is incompetent when it comes to security and handling sensitive info?
In some cases it is bad enough that they won't even talk about the contents, etc.
I wouldn't think of putting business and personal info on my laptop outside of my encrypted partition, let alone national security related info.
The other question.. What sort of disciplinary action occurs when a laptop is lost? Do they just slap the wrist and give them a nice new one?
Encrypted file systems: not new
cached password: not new
wireless proximity security dongle: not new
combining them: not altogether new
coolness: yeah sure
Sounds just like a PGP key, but radio-transmited instead. Pretty ingenious IMO
"It could be useful for the UK's Ministry of Defence, which has admitted to having lost track of nearly 600 laptops." Excuse me? If you've lost 600 laptops, I don't care how elegant your encryption solution is -- you've got other issues. Technology is not the panacea to cure cruddy management.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
The problem is that the data is kept unencrypted UNTIL the user leaves. What if the machine goes down, say due to a battery going flat? Then you have unencrypted data setting on the hard drive.
The only SAFE way to do this is to keep ALL data in non-volatile storage encrypted, and only decrypt into volatile RAM. The keys for the decryption need to be physically seperate from the machine (in the "watch" that the user wears), and the means of communicating those keys to the machine needs to be as secure as possible (i.e. no Bluetooth, no IrDA - preferably a capacitively coupled system requiring the user to touch the machine to transfer the keys.) And there should be a passphrase required to unlock the keys from the watch, so that even if the watch is stolen, without the user's passphrase it is useless.
The machine needs to "zeroize" (that's the industry accepted term, but gak! I hate it!) as soon as the user breaks connection with the machine - that means IMMEDIATELY flush all RAM!
Otherwise, this is little better than a locking screen saver and some token security - it can and will fail because the weakest link (the user) will screw up at some point - he will leave the machine and watch in the hotel room while he (swims|showers...) and BANG - there's your window of opportunity.
www.eFax.com are spammers
This is a great idea. It's very similar to a device I'm about to finally get around to developing.
The idea is similar to those wireless child tethers that sound an alarm when the kid wanders more than 20 feet or so away from the parent. In this case, the transmitter is a belt-clip or wrist-worn device, and the receiver is a small USB device.
Mostly targeted towards sysadmins or people who need computer security in a relatively public area, the device would lock your station whenever you were more than a few yards away. When you arrive back at your station, you can either type your password or have the receiver automatically unlock the screen.
Obviously there would need to be good encryption, preferably in the computer itself so no one can unlock your computer with a doctored USB key. The transmitter and receiver can use a system of rotating codes to prevent wireless capture.
The main point is simply to prevent the overly curious from messing with your computer while you walk down the hall to grab another Mountain Dew. Of course you can lock your screen before you leave, but do you remember to do it every time?
...
Great! Now you can get proximity detonators off the shelf!
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Would it render the user unconcious? I guess thats why they chose Linux to eliminate fears of the BSOD.
Who gives a shit about the laptop, for personal use you might but corporate clients (the people who buy probably 95% of laptops) the data is worth way more than the laptop. For us losing a $3k laptop is nothing, when you buy $90k suns and making a new chip mask is $800k a $3k laptop is a drop in the budget bucket. Now the data and loss of proprietary info to competitors could be potential losses of hundreds of millions, that should kind of put things in perspective. If Bill Gates, John Chambers, Larry Elllison or any number of other other CEO's laptops were stolen the potential for blackmail or selling of corporate secrects could be in the billions.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
bla
So what happens when somebody else in your own office decides they want to read your files? Bluetooth's range, while short, is still long enough to permit somebody nearby to access the encrypted files. All they need do is have the laptop physically near the bracelet.. a few cubes down, upstairs, downstairs, around a corner, whatever, while somebody's in a meeting or looking for their lost machine. It could be done where I work, anyway.
Having worked in classified special access projects for 11 years there are two thing to consider:
1) classified information is still classified whether it is encrypted or not. You don't just walk away from it unattended. True classified information is transmitted over the internet everyday via NES but you never know where the packets are.
2) processing of classified material has to be done in an approved area. Most everyone around you would also be cleared.
I guess you might find an application for this in a battlefield environment.
"player 4 hit player 1 with 0 stroms"
The data is always encrypted on the hard drive, and is only decrypted at the cache. So steal it, remove battery, submerge in liquid nitrogen is the only way to get even a little bit of data out of it. The really cute exploit is to tunnel their challenge/response over a network of some sort (say, cell phones), and just have someone follow the legitimate user around until all the information is decrypted.
The research paper on this will be presented at ACM MobiCom 2002, the premier conference on wireless networks and such.
Well, they don't have to, you just did.
Note to self, steal backpack and briefcase.
To write a haiku - all you need is the correct - number of syli...
The person wearing the watch doesn't have to be the owner.
It seemed to me to be a lot like those security systems based on a fingerprint -- the finger doesn't have to be attached to the owner to give access to the presenter.
I thought the best security had three criteria -- something the user has, something the user knows, and something the user is (physically). I'm sure someone can elaborate better than I.
To-do List: Receive telemarketing call during a tornado warning. Check.
There is a problem shared between this device and the new wrist-mounted child-trackers announced the other day:
If a criminal really wants your data or kid, they can still take it from you and now the method they have to use to take it really sucks for you or your kid... ouch.
I'm sure it would deter most criminals from even trying with you or your kid and just move on to the next one, but if you're the target, and they're determined, you'll soon know the sound of one hand clapping.
If you can duplicate the signal, then you can steal the laptop and have all the poor schmucks dirty laundry too.
Heroscape, it's like legos combined with anachronistic wargames.
-Pre-encrypt the entire hd/file system
-to access anything, query the key from a pcmcia card
-the pcmcia card holds the key in RAM and automatically 'forgets' the key every 15-30 seconds
-the pcmcia card queries a transponder worn by the user to refresh its memory
-the card and transponder have a VERY short range (1 metre MAX)
Therefore, the machine is unuseable when the transponder-wearing owner is more than 1 metre away for more than 30secs, and is equally unuseable should the pcmcia card be removed.
Infinitely cyclic random keys (like those used for 'secure' garage door openers) could be used to decrease the cahnce that the radio signal could be effectively recorded.
Seems like a better solution.
It sounds like a good idea, but only to protect sensitive data.
I doubt that the average laptop stealing thug cares if they can read someone's e-mail. As long as the OS and applications still work who cares if the data is encrypted. The thief will still be able to steal and sell a working laptop.
As always it is difficult to discern the technical details of how a system works from a news article. If you are interested, I urge you to read the technical paper. My papers
FYI, the data sits on the disk encrypted and in the page cache decrypted. Keep in mind this is a technical paper and a research prototype and not a product.
Read the article. The data is encrypted except for what's cached.
If I didn't leash my laptop, it would probably run off and tear up my neigbors garden. At least they don't make me pick up after it.
Where does the school board find them and why do they keep sending them to ME?
A laptop in each hand, connected by a string running through their sleeves. Twice the computing power, and no more missing laptops!
Just a thought.
Don't give your laptop the name Necromonicon if you plan on using the crypto leash.
Heroscape, it's like legos combined with anachronistic wargames.
Encrypting on the fly costs to much time. It might help in the case of laptops which are not known to be protected, but if you steal the machine from someone who is targeted, you probably know if it is protected. If it is, you pull the hard-drive and read it on a separate system. The device described here wouldn't get a look in.
Your encrypted filesystem is only relatively safe as long as the keys can be removed. Note that a system that stores the keys in a file on another filesystem is easily compromised. The keys must either be on a separate memory (USB dongle or Smart Card) or if in the PC, stored in extremely volatile ram (erased if the system is tampered with by an unauthorised person).
True true, I was thinking more for personal as a 3k loss for a laptop would be a serious blow to my budget. We don't trust our CEO with corporate secrets or any management laptops for that mater. Personal blackmail would be a concern.
What they dont tell you, is that the "wristwatch transmitter" works both ways. When the master is out of range (away from his desk) he is no longer on the clock. His payroll data is encrypted until he returns to his desk and gets back to work.
...they need them yesterday.
Oh, I can't help quoting you because everything that you said rings true
You obviously didn't read the article.
If tits were wings it'd be flying around.
That way, our credit card would lock up and she would be in non-shop mode!
We were somewhere around Barstow on the edge of the desert when the drugs began to take hold. - HST
I guess my radio transciever I just built from Radio Shack coudn't possibly scan for the frequency, could it. Oh no, I'll never get that information now.
Say you have 2 laptops utilizing this sitting a few feet apart. What would happen if it's picking up a legitimate decrypt signal & another incorrect one? Hmmmm....inquiring geek minds want to know.
... is worse than insecurity itself.
So the laptop determines how far away the user is by the signal strength of a wristwatch radio widget, worn by, let's say, Bob? If Alice knows what frequency Bob is broadcasting on, she can simply clandestinely relay that to Carol, who will approach the laptop while retransmitting Bob's signal, and be granted access to the goodies inside. This wouldn't be hard to do at all.
No security system is perfect, but thinking you're safe can lead to much more devastating repercussions than knowing you're not.
This system seems to trade a lot of security for a little convenience. I sure wouldn't trust my data to it.
He who refuses to do arithmetic is doomed to talk nonsense.
"Seems bass-ackwards to me"
No. You are bass-ackwards.
Why don't all you stupid fuckwits read the damn article. Oh I forgot this is slashdot, where you can't be bothered to read the details before spouting off about something you know nothing about. Christ, it's not even a NYT article (you know, the one that's so fucking difficult to register one freaking time with bogus information that somebody had to write a fucking script to do it for you).
The data *IS* encrypted on the harddrive. It's unencrypted in a cache for fast access when the user is within range.
... A laptop, or a bracelet?
I'd have to bet that getting issued a replacement bracelet would not be a trivial exercise.
Get a nice, strong RF generator in the room with all those paranoid stock traders and watch all the laptops encrypt.
New way for DOS attack!
Then, when their battery in the "watch" dies? Or better, xmits the decrypt key over WAP or some such and is snooped and possibly CHANGED.
And the non-volatile RAM that stores the decrypt key proves to be a bit more volatile than thought?
etc., etc., etc.
Learning HOW to think is more important than learning WHAT to think.
what if the signal drops due to interference (like cell phones)? or someone could jam the signal while I'm sitting there doing some work, thereby locking it up--plain ole DoS....
Windows 2000 (And I assume XP as well) allows you to encrypt the filesystem with NTFS partitions. Of course this is probably only as strong as the user's password, which hopefully is not blank.
rooooar
For all my sensitive information, I just use my wife. She keeps all my appointments, scheduling and list of chores for me to do in her head. She already has built-in encryption because as everyone already knows, there is just no comprehending women.
...even if the headline is wrong. Encrypting a (say) 40GB drive like I have in my Vaio would take an hour or more. The battery can be removed in 10 seconds to stop that.
However the device is essentially a crypto-filesystem that uses a wireless token. Except for the obvious attack of stealing the token as well, this is pretty secure. The problem with a conventional crypto-filesystem is that it usually remains open until reboot or keeps bothering the user with requests to give the key again. In the first case a thief just needs to keep the laptop running in order to copy the data.
Barring implementation problems, I don't see this being hackable in any "easy" way. Of course there might be all kinds of implementation or fine-design mistakes. And of course you can still steal the token as well or "convince" the owner to cooperate. The advantage of this device is just that an easy attack (Stealing a running laptop) does not work anymore. If you use a conventional crypto-fs and make sure your laptop is well-guarded as long as it is on, you are as secure. Probaly more so.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
If there's no activity for a while everything gets decrypted.
Sigh. I meant encrypted, of course.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
1.) "I lost my unlocking wrist bracelet/watch!"
2.) "My unlocking wrist bracelet/watch isn't sync'ing with the hard drive! It's not being recognized!" (and everything remains encrypted and un-readable, even to the owner... Bluetooth can be dodgy enough on its own sometimes as it is...)
3.) The only way money could be made from this is if it costs a fortune, which most people aren't going to be willing to pay.
4.) "To speed up the encryption process, most of the files is already encrypted and only a cached portion is automatically decrypted when the user is in range" --- I don't truly understand this, but it sounds like they are saying that everything will be encrypted already, and even when "decrypted" it won't really be usable until it is decrypted; such as decrypting an mp3/ogg before you can play it back, and when you're done it'll get encrypted again. Overall, it doesn't sound very "performance-happy".
See the potential problems? Still, maybe after a few "production quality releases" and a few patches/upgrades (that require you to buy new hardware), it will be usable. I guess we'll wait and see if this actually hits the market or not, and how well it does
Are there any existsng GPL folder/drive encryption programs someone could use now? In Windows? With decent performance?
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
I'm an American. I love this country and the freedoms that we used to have.
the magnet door coil in cryptonomicon is the coolest.
I want those all over the place.
my credit cards would never work in person.
There are some odd things afoot now, in the Villa Straylight.
On the laptop, I have an encrypted home directory. I never suspend my laptop, so I always log in/out when I use it in different locations. If someone stole it, they'd have a nearly impossible time getting to my personal files.
On the fileserver I use it via Samba and NFS mounts. This is why I chose BestCrypt over some other kind of encrypted filesystem/volume, actually. My wife can mount a volume file from her Windows machine via Samba and I can mount them via NFS (or via Samba when I'm booted into Windows game mode).
Best part is that there's no batteries, bracelets, rings, whatever to worry about. Just remember your passphrase and you're good to go. I'd recommend BestCrypt to anyone.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
But maybe the IRS and the State Department could use this.
Oh, hell... they'ld just loose the damn watches, too.
"Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
How about a dead-man's-switch, maybe a windows service which runs in the background and formats the hard drive if you don't run a hidden program every week or something. Well, on second thought, my users can't remember their user ID's, let alone something like this.
..because I use Windows xp and nobody can boot up and see my data unless they know my password.
err.. or maybe if they just create an NTFDOS diskette.. damn.
Live web cams
So.. how different would this be than tying some wireless dongle to a proven and trusted system like PGPDisk or BestCrypt? That uses encrypted volumed to secure your data, and allows for hotkeys to "unmount" them. That seems like the way to go.. not all of this caching and bullshit.. linux and wristwatches.. jesus.
Comment removed based on user account deletion
Just use rubberhose with a wireless receiver...
And you thought having doublespace mucking up your data was bad!!!!
It seems like this could present some fairly serious problems. I'm curious what the effects would be of suddenly rendering the filesystem of a running system unreadable (because the user is out of range and the keys have been destroyed in memory). It would seem to be approximately equivalent to yanking the hard disk out of a running machine (electrical detail aside).
Does anyone have any details about this? Perhaps the encrypting filesystem layer it uses simply blocks on any fs API calls until the keys are re-established? Still seems like it could cause problems.
Why bother with the wristwatch? Scramdisk (free) and Drivecrypt (commercial) already do this in software, using strong passwords.
1. Use the software to encrypt your disk contents
2. To decrypt (on the fly), you need the password
3. Set your screensaver to lock, with a (different) password.
Voila. Done. Rebooting to get by the screen lock unmounts the drive, rendering it useless.
This is really, really easy. What's the big deal about all this gadgetry nonsense?
oh man, deja vu..
Of course, there's still a good chance that someone has stolen my laptop, and even less of a chance that anyone will look at the files on a lost laptop and get it back to me. My data is protected but still lost to me. As is my laptop. With all that technology, why not just save my critical data to the watch? It's not on the laptop so there's no chance an attack will break the crypto. And I still have my copy, unless the thief gets my fancy computer watch; when I get to another system I will not have lost my work.
Seems to me like NT and XP already have some encryption in the NTFS file system, but most users refuse to use it 'cause you have to think and type in a password when you start to use your computer. Is a techno watch the answer? Should your laptop start encrypting your files every time you go to the bathroom? Will this really accomplish anything when the average user is about as bright as the power led on the laptop when it's running on battery? If you can't store the data on the watch, why not just have the smart watch do the login, and make sure that proper sharing rules are enforced on the files?
I'm an American. I love this country and the freedoms that we used to have.
... what would happen if there was quick back and forth wrist action (with the device being on your wrist), this wouldn't damage any of my sensitive business "mpegs" and "gifs" would it?
So foreign spys can just look at the remenants of what used to be on the hard drive. Unless they wipe the decrypted data 20 or so times . . .
Maybe because most users tend to use passwords that are trivial to break?
And when forced to not use a trivial password they then write the password down on a sticky pad that gets attached to the notebook or put in the notebook carry bag?
Linux on the wrist-watch and not the laptop means the problem is only half-solved!
Tell O'Reilly not to abandon open-source!
Ought to be a damned moderator choice for that.
You, sir, are yet another bozo here who did not read the article. The hard drive is always encrypted. Only the cache is decrypted; power off and there is no decrypted data anywhere.
RTFA
Infuriate left and right
Read the fscking article. The hard drive is always encrypted. The cache is decrypted.
I swear this is one of the worst articles for write-only idiots.
Infuriate left and right
A whole-arm Beowulf cluster of those...
in which it explains that the hard drive is always encrypted, only the cache is decrypted.
/.ers can read the /. summary, know how inaccurate these summaries are by definition / tradition, and STILL not read the article itself?
Does anyone know how so many
Infuriate left and right
No need for hitech when a simple mail order from a chemical lab will do the trick.
Infuriate left and right
For protecting the laptop, not the data, a friend uses PC Phone Home. Any other recommended security products to protect the physical laptop?
Only the data is encrypted. The rest of the laptop is fine. What happens if you format the harddrive and then sell it?
There's also the actual radio frequency broadcast in itself. That is probably broadcasted clear (article doesn't say, either that or I just missed it)through the air. Just sniff it the same way you can sniff yourself into WLANs and reproduce it.
With smarter technology come smarter crackers. Not much you can do about it.
If a and b in c, and a can create b, and a can create a, and b can create b, and b cannot create a, then a created c.
The communication between the watch and the laptop is, itself, encrypted. The key pair could be established in the hardware of both chips, and would be destroyed upon attempts to physically access the chip.
When the laptop comes back into relation with the watch, the encryption chip wakes up the l;aptop, decypts the RAM cache, and life goes on.
See that wasn't that hard to understand was it.
better not lose the crypto-watch or you won't be able to take your laptop anywhere until you find it!
There's no "I" in Linux.. err..
except they used smart cards to hold your decrypting information. All encrypted data passed through the card and was decrypted on the fly. I never tried one but wanted to. Just remove the smart card when you give the laptop to someone else and they can't use your encrypted data w/o the card.
I've been advocating for something like this for quite a while, with only a few differences in implementation primarily in the area of what happens when the key is removed.
fencepost
just a little off
Anyone know what the current status of crypted filesystems is?
Or the ability to mount a crypted file via the loopback device and use as a filesystem?
I think your estimate of the % of corporate users is seriously off, but it hardly matters. The bottom line is that (doing my own made up estimate) if a laptop is "liberated", 99%+ of the time it's just going to be reused, even if the information is more valuable than the hardware and even if it is Larry Ellison's. And unless the thief if really clueless, the data will be wiped before the sale so that the new owner doesn't easily track down the old owner. But in those few cases where the device is taken for the information it, the thief will certainly not be stopped by this technique from getting those corportae secrets with a value that could be in the billions. About all this gimmick might do is convince the user that the data was safer than it really is.
I'm an American. I love this country and the freedoms that we used to have.
Gimic, hmm strong crypto that is easy to use and is basically idiot proof. That is a weird definition of gimic. I think easy to use encryption is what we need more of, not less.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
And one nice side effect of this for the discerning footpad: A simple radio receiver listening for the bluetooth watch can be used to alert you when someone is bringing a highly valued prize your way!
I'm an American. I love this country and the freedoms that we used to have.
This sounds like some worthless trinket, that somebody will figure out how to crack real soon.
As for good disk encryptin how about this for Desktops..
A modified IDE-UDMA133/SerialATA/Raid card with
buit in encryption hardware that would require:
Fingerprint Scan/Smartcard/Retinal Scan/password
or token. (All if you are really Parnoid)to
access the drives data.
The Encryption is handeled by special onboard
Chips and the whole PCBoard is covered in that
black/grey Epoxy crap so you can't access or see
the componets.
The Authincation for the Controller would be a
BIOS option (Like on SCSI Cards) and would let the OS boot when you entered the correct PW etc.
Once the OS is booted you could use the same
authincation options (card/pw/eye scan) to unlock
the PC if you go away from it.
Because the Encryption is handeled by a highspeed
Encryption system (with Lots of Memory) it would
encrypt/decrypt data on thefly. with the data
always being in an encrypted state.
The Encryption Keys/Hash etc. could be user changable, so no 2 cards use the same key/hash
to access data. The strength should also be
user selectable with the minimum hash length
being 256bit with a max of around 2048bit or more..
Has anybody ever heard of a company that has such
a product? What do you all think of this idea?
OK, you and I differ in the use of one word in what I wrote. Shall I take you that you agree with everything else I said?
I'm an American. I love this country and the freedoms that we used to have.
While the solutions he describes (at least by themselves) aren't necessarily a full security solution, he's right that this is no more secure than existing technologies that are used along with an encrypted disk for data.
Security can be three things: something you know, something you have, and something you are. The wristwatch described here is no more secure than a smartcard reader, espescially if it doesn't involve use of some kind of password or biometric.
What's novel about this solution is threefold:
1.) The encryption occurs when the user goes out of range (essentially a more accurate screen saver lock).
2.) Data in memory on the laptop is encrypted when the screen saver lock is started (i.e. when the user goes out of range).
3.) Data begins to be decrypted when the user is back in range. This is more of a performance thing, and is actually LESS secure, because it is security based solely on what the user has. It would be more secure to wait until the user enters their password AND is within range, or better yet wait for the user to enter their password, scan their fingerprint, and be within range.
So:
1.) is only security-enhancing if you can't convince your users to force-lock their screens when they're away.
2.) is a legitimate security enhancement.
3.) is a performance enhancement of an old security method, and is actually security-disabling as it only relies on what the user has, and not what they know or are.
My suspiscion is that the watch thing is just a red herring for the real security enhancement of encrypting memory while the user is away.
GREG
Just think about using this in a military setting:
Owner: You can have the data on my laptop, if you pull this watch from my cold, dead wrist.
Enemy: Your proposal is acceptable.
Next, the silly corporate users forget their passwords, and at the same time they used a really secure one. Now the drive is fubar and all data is lost.
Next up, the user lost/breaks the key. Or even the key goes fubar itself. All data is lost again. Grrrr..
But then again, whats stopping the attacker/theif from recording the Key exchange somehow and duplicating it later back in the garage.
Being called a dork on Slashdot must be like being called the retard in special ed.
This sounds pretty cool but what stops someone from stealing the transmission codes while in the presence of the owner and using a reprogrammed transmitter with the correct key to bypass the encryption. Another random thought why don't we just stick a GPS transmitter built into the system that gives the computers encrypted co-ordinates at bootup. Then if the user lost his computer he could ask verify its co-ordinate using his decryption key in his transmitter.
Ask the Gov or Big Biz, to them- 99% of the time- the data is far more valuable than the machine.
every day http://en.wikipedia.org/wiki/Special:Random
"so- how'd you lose you hand, The war?" "nah- I carried a milspec laptop in 2004"
every day http://en.wikipedia.org/wiki/Special:Random
Assuming that the other things I'd be looking at were met (light weight, mostly), I'd seriously consider one of these if they were no more than an extra hundred to two hundred dollars. I'm not a fan of the wireless connection - I'd rather see a USBish or iButtonish physical connection - but that's a fairly minor point. If someone starts making these and they have reasonable success, I'd expect to see other manufacturers pick them up as well with some variations on function.
fencepost
just a little off
Well if you want to protect the data, put in a document shredder option... when the owner presses a button on his wristband, the data is deleted and shredded. If you wanted to be more secure and also protect against resale of the laptop (as a deterrant to theft), put in what you might think of as a more effective document shredder: either put in a small incendiary device (guess the airlines wouldn't like that) or get the platters spinning at a ridiculously fast pace and then release them from the hard drive case... very much ruined.
Or maybe what would be even cooler is to have it so that if you touch it the wrong way, all these really cool spikes and razor blades bust out of the case, shredding the hands of the thief like Blade's sword from the movie.
How close they came to my "dream" system as described here.
fencepost
just a little off
I hope the range is long enough... otherwise the poor machine would be encrypting/decrypting data all the time while people are watching pr0n.
The financial risk of an unencrypted CEO's laptop that gets stolen by your competitors with your corporate 5-year plan, updates from subordinates on new product progress, etc. is in comparison absolutely enormous.
Something like the described system is designed to reduce the second case to being no worse than the inconvenience presented by the first case.
fencepost
just a little off
Robber grabs laptop and runs.
Robber boots up laptop and notices data is encrypted.
Robber runs back to the person he stole the laptop from and cuts his arm off.
Robber runs away with arm and laptop.
Robber enjoys unencrypted data.
(read the fuckin article)
No one ever takes the time to read the article and they go off throwing their own two cents.
I've seen numerous posts about this device being useless because the data will take forever to encrypt.
But for those fools who didnt read the article, the data is already encrypted, and only small portions of it are decrypted when in use.
So basically you walk away and I shut off your laptop right away. No chance for it to mess it up. Then I boot off a floppy or something and voila... read all your data.
The problems are many-fold starting with the software enforcement of the rules.
A real security conscious person would a) encrypt it all before hand and b) not leave his computer logged in while away.
That's like putting a 3000$ security system on your house but leaving the doors unlocked and running the system on a voluntary basis.
Tom
Someday, I'll have a real sig.
Just build a self-destruct button into the watch. See someone messing with your laptop? Blow it up in their face. Sure sounds like fun.
rm -rf
I mean, there is no shortage of secure ways to keep the data on the laptop inaccessible to others. Encrypt the disks and shut down the laptop before leaving. Encrypt the RAM image before suspending and saving it to disk, and ask for the key when resuming, if you don't want to shut down. Keep the portion of key on some device that should be physically connected, and shut down or suspend when it's removed.
But the main ideas should be -- if the data is not supposed to be read by someone else, it should be encrypted already, and if user is not at the keyboard, the thing is not supposed to be running in the first place. And no one should rely on anything that happens when user is already away.
Contrary to the popular belief, there indeed is no God.
This is like the system that's in use here (.nl) for people who work on moneytransport. When they carry a suitcase stashed with Mighty Bucks to a bank (not all banks have the space to let moneytransports park right to a wall with a little door) the man who walks with the suitcase also carries a little transceiver. If he gets robbed from his suitcase and the suitcase gets more than 10 meters away from the person, a paintbomb will explode inside the suitcase. The robber won't be harmed, the suitcase is still in one part but all money inside is painted red with an non-removable, semi transparent ink. Thus rendering all money inside the suitcase unusable.
So this laptops seem to operate the same way: if the valueable stuff (in this case the data inside the laptop) gets seperated from the person who owns it, the stuff will be made unusable. Not a Bad Thing (tm).
Easy, just cut the persons hand off and take the whole damn package! (which is why I would NEVER volunteer to be the poor schmuck who gets the breifcase handcuffed to his wrist full of confidential info).
"The saddest words of mice and men, are not those which were, but should have been."
Granted, as one user pointed out, the data is worth, usually, much more than the laptop itself. But you have to look at who is going to steal the laptop. Most likely, someone who can't care less about what's on it, just that they "got a cool new toy." Sure, the data is safe, that's great, you probably won't have anything classified stolen, but whoever stole it now has a brand new laptop and you're still out $3k for a new one.
:-)
It seems like something one would only use for business laptops (obviously, right?), and that it'd be a bit overkill for personal computers. I know if I lost my laptop, I don't care what's on it, if it's encrypted, if it will be decrypted, etc. I just know I'm out about $1500, and as a college student without any cash, I'd be pissed.
I'll just be waiting for a nice quick way to get the hardware back, undamaged. Until then, you can keep your leash.
Try actually thinking for yourself. It's quite refreshing.
I'd really like a system like this for a desktop PC - a proximity tag which would automatically unlock the screensaver when I get within 6 feet of the machine, and automatically re-lock when I move away.
I don't particularly need the encryption side of things, I just don't want anyone messing with my machine in my office.
Anyone know of such a device for less than a small fortune?
"Nothing strengthens authority so much as silence." - Charles de Gaulle
just as the proliforation of car ignition kill switches making traditional theft difficult caused the number of car hijacking to sky rocket, this could do the same for laptop users with their key attached to or hidden on or in their person.
i'll keep my hand rather than attach a key controlling access to millions dollar secrets to it.
I have a laptop that requires me to type in a password obtained from a keyfob (it's an "RSA SecurID", if you are truly curious), whenever I want to establish a VPN to the corporate mothership. The password changes every minute. So, if the keyfob is lost, poof, no link to the mothership: no email, no remote access, no searching the bug database, no etc. Needless to say, the keyfob is never far from the laptop, and I've even contemplated epoxying it to the case. I also need to type in a static remembered password with the keyfob password. In addition, there is of course typical mundane password protection to use the laptop itself.
Now, I'd enjoy not having to type those 6-digit numbers whenever I plug into the network, boot the laptop, or wake it up. (It goes to sleep at the drop of a hat - again, corporate policy.) I guess the Dick Tracy wristwatch, or a variant of it tuned to my situation, would give me that. But there would still be the terror that if I lost my wristwatch (pickpocketed, accidentally laundered, left in my other pants), my nifty laptop would be rendered into a doorstop. So again, I would suffer the temptation to weld it to the laptop, or at least leave the watch in its carrying bag. (The laptop is 90% of the time at home on my desk.)
Mind you, I have this laptop set to sleep when I shut the lid, and it requires that I supply MY password (the nifty one I chose, not the ephemeral 6-digit keyfob one) whenever I wake it up. And as I said before, it falls asleep at the drop of a hat.
so the encryption isnt part of the harddrive right? the encryption can only start when the power is on? (or some battery on the encrypting hardware?) so just remove it (the harddriver or the power source for the encrytor?)...
I know of many accounts of pirates/hackers who placed HUGE magnets in their doorways so when the Feds came to take their PC away all the data was lost (or enough data that is)
Now I can download mp3s and pr0n.. hack all day and 0wn the pentagon but when they confiscate my PC then "oops, no more evidence!"
Get your Unix fortune now!
The article contradicts itself. In one case, all data is encypted when the user moves away, in the other only a cache of data is held decrypted. I don't think this is a good idea either unless the cahe is very, very small.
Of course this in no way satisfies the male tech-toy craving.
Heroscape, it's like legos combined with anachronistic wargames.
If the laptop gets stolen, the thieves can change the public key on the HD, but that simply allows them to use a different token. The token they substitute doesn't have the key to decrypt the encryped disk block keys.
If all of the transissions get recorded, they can't be played back to the laptop, becuase the laptop will never (statistically speaking) send the same nonce twice before the Sun gets old and bakes the Earth to a crisp.
If you record all of the transmissions and steal the token, you can play them back to the token and get the disk keys, but that doesn't help, since all of the data stays on the laptop. If you're really worried about this, use an interactive signature algorythm on the shard secret so that it can't be replayed to the token.
If you steal the laptop, guess the password used to encrypt thesig nature key, then get a transmitter near the token (wristwatch), you can trick the token into accepting a shared key o your choice and then sucessfully querry the token for the encryption keys. You could also steal the laptop and use hardware to boost the transimmsion range so the token and laptopstill think they're close together. Having a panic button on the token (wristwatch) to turn off the crypto functions will eliminate both of these attacks as long as the owner realizes the laptop has been stolen and quickly hits the stop button on the token. The second attack can be prevented by having the latop place strong limits on the querry latencies.
Of course, if both the token and the laptop are stolen and the password to decrypt the signature key is gussed, it's game over. Kindapping and torturng the owner of the laptop (with the laptop and the token) also results in a game-over scenario. (Unless you use the rubber-hose filesystem.) There are ways to minimize even these attacks. For instace , if the owner's pulse gets too low (chloroform or arm cut off) or too high (torture) then the token writes over the area of memory used to store the secret used to calculate the disk block keys. However, the false alarm rate would be too high for systems like this and the HD would neeed to be reformatted too often.
There is no perfect way to get security, other than melting down the laptop as soon as you put sensitive information on it. However, using the public key encryption, interactive signatures, and shared key system, you can get reasonable throughput and very good security.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.