Slashdot Mirror
Crypto Leash for Laptops?
timman999 writes "New Scientist reports a new device that will automatically encrypt all the data on a laptop when it is separated from its owner. It uses a small receiver and the user has to wear a transmitter on his wrist."
If it isn't a part of the hard drive it's self then it is 100% worthless..
Anyone wanting to steal a laptop for it's data will find trivial ways around anything that is a "add-on" solution. It has to be a part of the hard drive it's self or all content on the hard drive needs to be encrypted already and the "device" only allow's access.
Do not look at laser with remaining good eye.
First thought I had: just remove the battery when you steal it, so that any gadget inside wouldn't be able to change something on the HDD. But the article says that the files are always encrypted, and only a cached copy (probably in RAM) is used when the user is viewing or modifying a file.
Time to find another loophole...
My keys, wallet, watch, PDA, Blackberry, Cel AND my crypto leash. Great.
Anyone who is concerned enough about their laptop security to consider bothering with one of these should already have good crypto security in place. And preferably security where the 'key' can't be stolen off the nightstand. These will attract the gadget happy crowd and CFO's who don't understand info sec and want to see a physical product. Anyone who feels the need to be able to point to their security device shouldn't be making security decisions.
Encryption takes a whole lot of time to do, especially on the monster hard drives available today. What might be a better way would be to have the system already encrypted, and just delete any cached keys, etc. when the laptop goes out of range.
The article states that the encrytion/decryption only adds about a 6 second lag to normal operation. Most of the data on the computer is kept encrypted except for a cached version of the data currently being used (the lag in encrypting/decrypting that).
Who gives a shit about the laptop, for personal use you might but corporate clients (the people who buy probably 95% of laptops) the data is worth way more than the laptop. For us losing a $3k laptop is nothing, when you buy $90k suns and making a new chip mask is $800k a $3k laptop is a drop in the budget bucket. Now the data and loss of proprietary info to competitors could be potential losses of hundreds of millions, that should kind of put things in perspective. If Bill Gates, John Chambers, Larry Elllison or any number of other other CEO's laptops were stolen the potential for blackmail or selling of corporate secrects could be in the billions.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
To just have an encrypted filesystem, and make the user type the password when it boots? Less points of failure, less expensive, and less trouble.
But that doesn't solve the problem that this is aimed to solve, which is either the laptop is stolen while on (and therefore decrypted) or the user walks away from the machine (leaving it decrypted).
As the article said, this could have a real application for people in busy semi-open areas (like a trading floor) who have to sometimes go away from their machines - even traders sometimes have to answer the call of nature or the boss.
This simply automates the encryption process once user and machine are separated by a specific physical distance. I particularly like the fact that it auto-decrypts when the user returns, although the potential exploits involving a detatched body part returning are rather disturbing...
Sailing over the event horizon
Why bother with the wristwatch? Scramdisk (free) and Drivecrypt (commercial) already do this in software, using strong passwords.
1. Use the software to encrypt your disk contents
2. To decrypt (on the fly), you need the password
3. Set your screensaver to lock, with a (different) password.
Voila. Done. Rebooting to get by the screen lock unmounts the drive, rendering it useless.
This is really, really easy. What's the big deal about all this gadgetry nonsense?
Maybe because most users tend to use passwords that are trivial to break?
And when forced to not use a trivial password they then write the password down on a sticky pad that gets attached to the notebook or put in the notebook carry bag?
But that doesn't solve the problem that this is aimed to solve, which is either the laptop is stolen while on (and therefore decrypted) or the user walks away from the machine (leaving it decrypted).
Users are stupid.
How do you plan against the idiot who says, "I'm not wearing that stupid watch", takes it off and sets it next to the laptop? Or, in traditional user fashion, fastens it securely to the laptop?
At my last place of employment, we instituted strong password requirements. That didn't stop half the users from writing them on post-it notes and sticking them to their laptops. When caught, it was always, "Well you make me change it every 90 days! And you make me put NUMBERS in it! I can't remember that!"
"I can't wear that silly watch" will replace "I can't remember that" if this device is put into real world use.
-Ryan, with the unoriginal sig
Next, the silly corporate users forget their passwords, and at the same time they used a really secure one. Now the drive is fubar and all data is lost.
Next up, the user lost/breaks the key. Or even the key goes fubar itself. All data is lost again. Grrrr..
But then again, whats stopping the attacker/theif from recording the Key exchange somehow and duplicating it later back in the garage.
Being called a dork on Slashdot must be like being called the retard in special ed.