Slashdot Mirror
Crypto Leash for Laptops?
timman999 writes "New Scientist reports a new device that will automatically encrypt all the data on a laptop when it is separated from its owner. It uses a small receiver and the user has to wear a transmitter on his wrist."
Noble says the system would work well with a prototype computer wristwatch developed by IBM. This watch uses the Linux computer operating system and can communicate with other devices through the Bluetooth radio protocol.
...I want the linux powered wristwatch
"Good things don't end with eum, they end with mania or teria." - H. Simpson
Man, NOBODY will buy a stolen laptop if all the previous owner's data is encrypted!
Pull a Bruce Campbell and cut off hand of owner... :)
messy, and would elevate theft to a felony.
First thought I had: just remove the battery when you steal it, so that any gadget inside wouldn't be able to change something on the HDD. But the article says that the files are always encrypted, and only a cached copy (probably in RAM) is used when the user is viewing or modifying a file.
Time to find another loophole...
Envy my 5 digit Slashdot User ID!
see: http://zdnet.com.com/2100-11-950155.html
Although I'm afaid our government will probably have just as hard of time keeping track of the transmitter that goes around the wrist.
My keys, wallet, watch, PDA, Blackberry, Cel AND my crypto leash. Great.
Anyone who is concerned enough about their laptop security to consider bothering with one of these should already have good crypto security in place. And preferably security where the 'key' can't be stolen off the nightstand. These will attract the gadget happy crowd and CFO's who don't understand info sec and want to see a physical product. Anyone who feels the need to be able to point to their security device shouldn't be making security decisions.
Encryption takes a whole lot of time to do, especially on the monster hard drives available today. What might be a better way would be to have the system already encrypted, and just delete any cached keys, etc. when the laptop goes out of range.
The article states that the encrytion/decryption only adds about a 6 second lag to normal operation. Most of the data on the computer is kept encrypted except for a cached version of the data currently being used (the lag in encrypting/decrypting that).
You probably haven't read the article thanks to true slashdot tradition. In this case, the data in the hdd is encrypted when the wrist watch device worn by the true owner is not at a certain distance. Sure you can still use some l33t way to decrypt the files or what not, but it makes the task that much harder.
geek page at KY speaks
Who gives a shit about the laptop, for personal use you might but corporate clients (the people who buy probably 95% of laptops) the data is worth way more than the laptop. For us losing a $3k laptop is nothing, when you buy $90k suns and making a new chip mask is $800k a $3k laptop is a drop in the budget bucket. Now the data and loss of proprietary info to competitors could be potential losses of hundreds of millions, that should kind of put things in perspective. If Bill Gates, John Chambers, Larry Elllison or any number of other other CEO's laptops were stolen the potential for blackmail or selling of corporate secrects could be in the billions.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
The data is always encrypted on the hard drive, and is only decrypted at the cache. So steal it, remove battery, submerge in liquid nitrogen is the only way to get even a little bit of data out of it. The really cute exploit is to tunnel their challenge/response over a network of some sort (say, cell phones), and just have someone follow the legitimate user around until all the information is decrypted.
The research paper on this will be presented at ACM MobiCom 2002, the premier conference on wireless networks and such.
As always it is difficult to discern the technical details of how a system works from a news article. If you are interested, I urge you to read the technical paper. My papers
FYI, the data sits on the disk encrypted and in the page cache decrypted. Keep in mind this is a technical paper and a research prototype and not a product.
To just have an encrypted filesystem, and make the user type the password when it boots? Less points of failure, less expensive, and less trouble.
But that doesn't solve the problem that this is aimed to solve, which is either the laptop is stolen while on (and therefore decrypted) or the user walks away from the machine (leaving it decrypted).
As the article said, this could have a real application for people in busy semi-open areas (like a trading floor) who have to sometimes go away from their machines - even traders sometimes have to answer the call of nature or the boss.
This simply automates the encryption process once user and machine are separated by a specific physical distance. I particularly like the fact that it auto-decrypts when the user returns, although the potential exploits involving a detatched body part returning are rather disturbing...
Sailing over the event horizon
It sounds like you were done with it anyways...
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
For all my sensitive information, I just use my wife. She keeps all my appointments, scheduling and list of chores for me to do in her head. She already has built-in encryption because as everyone already knows, there is just no comprehending women.
On the laptop, I have an encrypted home directory. I never suspend my laptop, so I always log in/out when I use it in different locations. If someone stole it, they'd have a nearly impossible time getting to my personal files.
On the fileserver I use it via Samba and NFS mounts. This is why I chose BestCrypt over some other kind of encrypted filesystem/volume, actually. My wife can mount a volume file from her Windows machine via Samba and I can mount them via NFS (or via Samba when I'm booted into Windows game mode).
Best part is that there's no batteries, bracelets, rings, whatever to worry about. Just remember your passphrase and you're good to go. I'd recommend BestCrypt to anyone.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Why bother with the wristwatch? Scramdisk (free) and Drivecrypt (commercial) already do this in software, using strong passwords.
1. Use the software to encrypt your disk contents
2. To decrypt (on the fly), you need the password
3. Set your screensaver to lock, with a (different) password.
Voila. Done. Rebooting to get by the screen lock unmounts the drive, rendering it useless.
This is really, really easy. What's the big deal about all this gadgetry nonsense?
... what would happen if there was quick back and forth wrist action (with the device being on your wrist), this wouldn't damage any of my sensitive business "mpegs" and "gifs" would it?
Maybe because most users tend to use passwords that are trivial to break?
And when forced to not use a trivial password they then write the password down on a sticky pad that gets attached to the notebook or put in the notebook carry bag?
But that doesn't solve the problem that this is aimed to solve, which is either the laptop is stolen while on (and therefore decrypted) or the user walks away from the machine (leaving it decrypted).
Users are stupid.
How do you plan against the idiot who says, "I'm not wearing that stupid watch", takes it off and sets it next to the laptop? Or, in traditional user fashion, fastens it securely to the laptop?
At my last place of employment, we instituted strong password requirements. That didn't stop half the users from writing them on post-it notes and sticking them to their laptops. When caught, it was always, "Well you make me change it every 90 days! And you make me put NUMBERS in it! I can't remember that!"
"I can't wear that silly watch" will replace "I can't remember that" if this device is put into real world use.
-Ryan, with the unoriginal sig