Location-Based Encryption

davidwr writes "Eweek reports Apple co-founder Steve Wozniak has a new way to prevent theft of company secrets on stolen laptops: 'Wozniak offered a peek into his vision for the company on Ziff Davis Media's Security Virtual Tradeshow, where he introduced "wOz Location-Based Encryption," an application that uses GPS tracking within a wireless hub to encrypt and decrypt sensitive data for large businesses.' Today's encryption is good enough but I do like the tracking capability. Imagine your laptop screaming 'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it."

Not totally secure?

[nmg196]

All GPS devices I've come across simply stream out NMEA data from a serial port (or over a bluetooth connection). What would stop someone that really desperate to get the data from hacking the GPS module or the dongle so they can stream in their own forged (or recorded) NMEA data which reports the laptops current position to be where they stole it from (after all, they should remember)? Usually anything these days that requires a GPS uses a standard GPS module, and at some stage, the position data from it ends up in an interceptable form on the edge interface of some module. Hardly bulletproof security?

Re:Not totally secure?

[jmcmunn]

Better yet, my portable GPS device allows me to "set my location" temporarily in case the signal is not strong enough. This allows the device to at least estimate where I am if it has a weak signal somehow. I don't really get all the details...but it works so I don't complain.

So what's to stop someone from doing essentially the same thing with the laptop? Just tell it "you're still in the building" and you'd be all good. I think this is a pretty cheesy idea for security, you can always figure out a way to lie to a machine, regardless of what lie you're telling. This is less secure than a well-encrypted password if you ask me, or course I assume that the machine would still have the password as added security, so I guess that argument shouldn't carry any weight.

Re:Not totally secure?

[killua]

Theres no such animal as bullet proof security, all we can do is make it more difficult to get around. 0.02$

Re:Not totally secure?

[PeteDotNu]

It may not defend against the hackerly, but at least it will stop you average dumb criminal in his striped jersey.

Re:Not totally secure?

[salvorHardin]

That, or just jam the GPS device.
Wouldn't help you open Rights Management stylee protected data, but it would stop your laptop from screaming "I'm being stolen!".

Re:Not totally secure?

[nmg196]

> This allows the device to at least estimate where I am if it
> has a weak signal somehow. I don't really get all the details...
> but it works so I don't complain.

Well a GPS receiver has about 8-12 channels with which to look for the satellites. If it knows roughly where you are, then it can use that information, together with stored almanac data (info relating to the orbital positions of the satellites over time) in order to better guess *which* satellites it should try locking on to. It basically speeds up the process of getting the all important 'first fix'. If you didn't tell it where it was, it would simply take longer to get the fix - but it would still get there eventually.

I must admit, I wasn't too impressed when I received my first GPS and the very first question it asked me when I turned it on is "Please select the location of this device using the map below". I was like, "huh, aren't you supposed to tell me that?!". :)

Re:Not totally secure?

[stupidfoo]

When a laptop screams 'I'm being stolen! I'm being stolen!' and no one can here it, is it really making noise?

Re:Not totally secure?

[bsd4me]

I think all consumer GPS devices do this, but there are lots of commercial/industiral GPS devices, too.

I don't think it would be that hard to integrate one of the chipsets from Trimble into a WAP to provide the feature Woz is describing. Install the WAP in the ceiling, and run some RG-58 to the roof for the antenna, and I think that would make spoofing the GPS a lot harder.

Re:Not totally secure?

[REBloomfield]

Is this like what they did in Goldeneye?

Re:Not totally secure?

[recharged95]

If they can defeat lo-jack on cars, they can defeat this. (unless it's some SMT transmitter on the freakin chip, which is unlikely due to the power requirements at this point).

Re:Not totally secure?

[plover]

Partly because these devices rely on security through obscurity, and sales through marketing-hype.

If a security system is recognized and completely understood, it can be disabled or defeated. However, if the system is not recognized in time, it can use that time to phone home, re-encrypt the data, squirt stinky purple ink out the keyboard, whatever.

So, if your concern is that James Bond and Bruce Schneier are going to conspire with the CIA to steal your laptop, well you're pretty much screwed even with this system. But if your bigger concern is that Tom in accounting is going to get pissed off at your new corporate dress code and steal the CEO's laptop in order to "get back at da man", well at least he isn't going to get a free copy of your customer database that he can sell to your competition.

Remember, Woz isn't trying to sell to the CIA -- he's trying to sell to that CEO. Real world security isn't always about perfection -- it's frequently about tipping the odds in your favor as often as possible.

Re:Not totally secure?

I was like, "huh, aren't you supposed to tell me that?!".

You were 'like'? Expand your vocabulary a bit. You will find it, like, totally cool when you do. You can like be like very clear in communitcating your thoughts. You will be like "wow".

Re:Not totally secure?

well yeah .. it's not bulletproof .. u can copy data off HDD et.. but it's a layer.

Anyway .. since when do GPS signals work reliably inside a building anyway?

Re:Not totally secure?

[Psiolent]

I work for a company that makes it so you CAN hear it. It doesn't use GPS, but instead proprietary wireless receivers placed throughout a facility. If a marked asset (such as a laptop) leaves a predefined area, it initiates an alarm. Our software does, in fact, scream "I'm being stolen", or whatever you want, via text-to-speech over the facility's walkie-talkies.

We don't do location based encryption, like Woz, but we will scream at you if your laptop is being stolen.

See our asset theft detection here.

Re:Not totally secure?

[nmg196]

Sorry - I've just watched Finding Nemo and those turtles must have really got to me :)

Re:Not totally secure?

[stupidfoo]

That text to speech is pretty good.

Only a little glitch on "important assets" "announce alarms" and "dispatching".

Re:Not totally secure?

[Mr+Guy]

Don't appologize. It's not your fault you were using slang that actually does mean what you were trying to convey. I'm assuming didn't actually speak to the device, correct?

So in other words, you inclined to feel as though the machince should be telling you. Or perhaps your feelings could be described as resembling the emotions that sentence expressed. I think you'll find that's what the word like means, regardless of whether that's an encouraged sentence structure.

If you feel I'm wrong, explain to me what's fundamentally different about the following sentences, besides using a sentence to describe the feeling instead of direct simile:

I was like a cloud.
It was like a state of total weightlessness.
It made me feel like I buzzing around.
I was like, "Wow, I'm a cloud".

Re:Not totally secure?

[inhalentbroom]

Nothing is ever 100% secure. This will just add one more step to crack and possible decrease the chance that important data could be stolen. That is what every security principle has been about.

Re:Not totally secure?

[igny]

On the other hand, if laptop screams "Wolf!" too often, won't people start ignoring the screams?

Re:Not totally secure?

[nmg196]

> Don't appologize.

If you're going to be pedantic, it's spelt: apologise or apologize.

> I'm assuming didn't actually speak to the device, correct?

(I'm assuming *you*...)

No I'm pretty sure I did actually say that out loud, but it was a rhetorical question.

Re:Not totally secure?

[Speare]

When a laptop screams 'I'm being stolen! I'm being stolen!' and no one can here it, is it really making noise?

Either you're coining a subtle and witty new verb related to finding something with a GPS transponder ("can you 'here' my stolen laptop, officer?"), or you are getting your homonyms mixed up. Given this site, I'll take the odds on a language blunder.

Re:Not totally secure?

In 1988 we implemented a security system in our stores based on the Commodore Amiga 500. We placed one at each store's security desk, and wired it to our cash register system. Among many other really cool features, we had a way for the registers to send raw text messages to the text-to-speech device and 'speak' it to the guard at the desk.

The normal messages were mundane generic alerts, such as "Assistance required on register 123." But one of the jokers of the day translated the messages with the "jive" filter (which was really popular back then.) So instead of saying "Attention. Alert on terminal 123. Cash drawer opened." the guard would hear, "Yo. Get yo' ass to terminal 123. Cash drawer bein' busted into!" Needless to say our security people thought it was the greatest change ever!

Re:Not totally secure?

[Mr+Guy]

Don't worry, I didn't pick improper spelling in the pet peeve poll. The art of proper language usage and the fundamentals of spelling aren't as closely entertwined as some like to think.

Re:Not totally secure?

Even the most witty and intelligent comments lose a lot of their impact when the author ignores grammar and spelling.

Or, in the local vernacular, "u r t3h $ux. j00 l0$3 @ 3ngl1$h, f00. pwnt."

Re:Not totally secure?

[virid]

Curtail your sensitivity to your neighbor's vernacular. Priggish posturing does not a friend make.

Re:Not totally secure?

I'll whoopsie-doodle that, outglam. Snide my digs, so long? Or klondiff zoot-zoot-zootie, if that's nodule fancy.

Re:Not totally secure?

"Curtail your sensitivity to your neighbor's vernacular. Priggish posturing does not a friend make."

What do dog's tails have to do with porches and pigs?

Re:Not totally secure?

[bodrell]

When a laptop screams 'I'm being stolen! I'm being stolen!' and no one can here it, is it really making noise?

Actually, what caught my attention was the part after that, "as the janitor walks out the door with it." Does the submitter have a problem with janitors? Or perhaps he had a bad experience in the past? In my office there have been thieves who stole people's lunches (among other things) and one of the thieves was a white-collar employee. I wouldn't automatically suspect the janitor if something were missing.

Re:Not totally secure?

[legirons]

All GPS devices I've come across simply stream out NMEA data from a serial port, someone would just send their own NMEA stream

The difference is, you're approaching this from the view of a technology expert. Try to think of it through the eyes of a marketer.

"It's perfectly secure, the laptop can never be used outside of designated locations"

Re:Not totally secure?

[mr100percent]

I believe you are thinking of Tomorrow Never Dies. However, they didn't jam or spoof the GPS signal, they used a US military encoder to re-program the satellites themselves. However, I always wondered how come the rest of the GPS-using world didn't notice that everything shifted a few hundred miles for a while...

Or other more malign actions

[_the_bascule]

paging the boss, 'he's going home! he's going home!'

Re:Or other more malign actions

paging Microsoft that your PC has moved, and therefore now requires a new license fee.

Re:Or other more malign actions

"Malign" is a verb, mate. I guess you were thinking of "malignant", or perhaps the opposite: "benign". Hope this helps.

Alarms

What if they had that for cars? Imagine someone tries to steal one and an alarm goes off! Everyone will pay attention and call the police right away. Car theft will be a thing of the past for sure...

Re:Alarms

[lmfr]

Car alarms require public interest and intervention.

This, however, only requires interest and intervention from paid security officers working for the company.

Re:Alarms

Fer crissakes: these have been around forever:

Re:Alarms

[diqmay]

Fer Crissakes: sarcasm has been around forever

Re:Alarms

[Oct]

a friend of mine had his car stolen...and when they found it in a ditch like 5 miles away, the only things missing were the sterio and the alarm system :) heh

Re:Alarms

[ikegami]

If a car alarm goes off in the parking lot, who cares. If someone was driving down the street with a car whose alarm is active, yeah, I'd call the cops. If someone was walking around with a laptop whose alarm is active, yeah, I'd call the cops. If it's a false alarm, the cops can sort that out.

Re:Alarms

This system has been in use for years in Belgium which is notoriously known for its high "car-jacking" rate.

When I've got the system installed on my car, the guy told me that they did not install a microphone in the trunk. I asked him why he would do that. He explained that car-jacker are now taking the owner with them and usually put them in the trunk and mine was too small. With the microphone, you can basically call the police and explain them not to shoot in the car.

After having been car-jacked anyway, I moved to Switzerland!

Re:Alarms

They do. OnStar and Lojack have a record of catching theives and retreiving stolen vehicles, when privacy concerns don't get in the way (i.e., they're not always watching, you have to tell them it's been stolen).

Just not everyone has them.

Re:Alarms

[retsaMedoC]

They have something similar already. If you have LoJack installed and file a police report, the car will tell the police, "I'm stolen. Come get me." There's also an option where they will call your cell phone if the car moves without your keys so you can check on it. (Probably goes off when you are being towed.)
http://www.lojack.com/

Re:Alarms

Um, why would the cops be shooting my car? "He stole a car! Shoot to kill!!" is a little overkill.

Besides, what's to stop a carjacker from using the microphone to get the cops to back off?

Re:Alarms

I remember hearing about a car security system a couple years ago that, if you didn't disable it when you started the car, would let you drive to the first intersection and then shut off the engine for good.

Does not work for cars too well

[mi]

Automobiles had various "I'm being stolen" devices for years. From overt obnoxious sirens, that wake up the neighborhoods in the middle of the night to covert "Lo-Jack" and others. Does not help as much as was, I bet, expected.

Or does it?

Re:Does not work for cars too well

[Skater]

LoJack does work, apparently:

Google Answers that links to a Carnegie-Mellon study about it.

--RJ

Re:Does not work for cars too well

[plover]

My auto insurance company offers a blanket discount for "theft deterrent devices." I think we can safely assume that if an insurance company is willing to cut prices 10% because the ignition locks up if it's fiddled with, then there really is a measurable deterrent effect.

It's quite obvious that the systems won't stop a dedicated thief, nor will they prevent many other sorts of insurable damage. But they obviously have some overall effect.

Re:Does not work for cars too well

[mikael]

Unfortunately, these "I'm being stolen" devices also get set off whenever there is a major fireworks show like the Edinburgh Festival. Which of course is exactly at the same time as there are large numbers of visitors and their cars in the area.

Re:Does not work for cars too well

[Lonesome+Squash]

Lojack works EXTREMELY well. And it's also socially beneficial. If I put an alarm on my car, thieves will go steal your car. If 5% of the people in an area have Lojack, becoming a professional car thief becomes significantly more difficult. By installing Lojack, you're benefiting all car owners in your area.

These days, thieves will typically do things like park cars out on the street somewhere for a day or two to see if the police come and recover it before they bring it to their chop shop. This means there's a better chance of their getting caught even by normal means on cars that DON'T have Lojack.

If I were a police officer, every once in a while I'd see if I could convince someone to leave their stolen and located car right where the thieves left it, so I could follow them when they pick it up.

Re:Does not work for cars too well

[dr_dank]

I remember one particularly obnoxious device that was sold in the Radio Shack catalog years ago. Instead of going off like a regular siren, this car alarm would actually be a woman's voice screaming "help me!" or "I was tampered with" if the alarm went off previously. That's just beyond the limits of good taste.

Re:Does not work for cars too well

[plover]

My father in law's car (which did not have LoJack) was stolen a few years ago. But he lives in such a small town that it has only one real "flop-house", and that's where the sherrif found it parked later in the week.

Re:Does not work for cars too well

[pboulang]

Lojack requires police involvement. Wouldn't you rather use a system that you can use to locate your car wherever it is on your computer? Or you want to track where your 16 year old son goes with your car. How about you get paged/called/whatever when the car leave some predetermined route or general area that you define?

If I were a police officer, every once in a while I'd see if I could convince someone to leave their stolen and located car right where the thieves left it, so I could follow them when they pick it up.

I imagine this would be fairly frequent... some people don't even want their cars back.. just need a policy in place to provide transportation while this is going on and I imagine even Insurance companies would get on board.

Re:Does not work for cars too well

Lojack works EXTREMELY well. And it's also socially beneficial. If I put an alarm on my car, thieves will go steal your car. If 5% of the people in an area have Lojack, becoming a professional car thief becomes significantly more difficult. By installing Lojack, you're benefiting all car owners in your area.

This presumes that LoJack does not come with a sticker that you put in your car's window which states "This car protected by LoJack", in which case the social benefit is precisely the same as any other theft deterrent system. Does it?

This could be applied to other things as well

[uid100]

Some though would have to be applied to this, but a GPS system in your car that alerts you if some operational parameters are crossed would be nice.

"Hey, I'm being towed away from the parking garage, even though my keys are more than 100 yards from me"

Zztxt Flrqtp fnz p47eltnzd.

[mothz]

Zztxt Flrqtp fnz p47eltnzd.

Oh, I'm sorry, you need to move two steps to the left.

Re:Zztxt Flrqtp fnz p47eltnzd.

[ozbon]

For once i really wish I had mod points - but it's Funny, not Interesting!

Re:Zztxt Flrqtp fnz p47eltnzd.

[Urban+Garlic]

> Oh, I'm sorry, you need to move two steps to the left.

Hmmm...

Ccubu H'yeu]u h,c ]69t'u,cg

Nope, still doesn't make any sense.

Re:Zztxt Flrqtp fnz p47eltnzd.

[DLWormwood]

Ccubu H'yeu]u h,c ]69t'u,cg

Let's try two steps forward...

Qqbwb $9vzb/ 4yq /fjc9byq3

Still no dice, even with a wraparound keyboard...

Re:Zztxt Flrqtp fnz p47eltnzd.

this won't work too well. why? who gets GPS in their office? really. try it sometime. signal strength is crappy. not enough to lock onto location. so the laptop sees crappy signal strength. ok, the programmer can say, "when you have crappy signal strength, you're in an office and not being stolen". but then what's to prevent people who want to steal laptops from using those static proof bags that block RF and taking it to their car in that??? The GPS would still think it's in the office with no reception.

Do you keep your laptop solely in the office?

[mpathetiq]

It seems like the real risk would be when you are on-site, traveling, etc. As a consultant, my laptop never leaves my side. I'd hate to have to "check out" every time I left the building. Also, I don't think I would like my employer having the possibility of tracking my every movement. Sure, you could turn off the tracking, but then you've lost the security as well.

Re:Do you keep your laptop solely in the office?

[Nimey]

I don't think I would like my employer having the possibility of tracking my every movement.

Get your own laptop, then. Their property, they can do what they like with it.

In other news...

[al_fruitbat]

...thieves put stolen laptops in bags lined with aluminium foil. (can also be used for hats)

Re:In other news...

[Lonesome+Squash]

You're missing the point. If the GPS doesn't report that the laptop is in an approved location, the thieves can't access the data. The data (actually, the secrecy of the data) might be orders of magnitude more valuable than the hardware.

Re:In other news...

[al_fruitbat]

Oh, sorry. He said 'janitor'. Anyone interested in industrial espionage is likely to be aware of encryption systems like this.

Re:w0z is a nutjob at best...

[chroot_james]

I'd like to clarify a tad... GPS's aren't specific enough and can be inaccurate enough to make this not perfect security, like is always claimed with NEW AWESOME PRODUCTS! Traingulation may not be perfect either, but it might be a better lead to "only the boss gets internet in the boss's office" type things.

Um..

[Daniel+Boisvert]

Does anybody else see a problem with a laptop you can't use outside of the office?

It's not like you'd buy a laptop so you could TAKE IT WITH YOU and work outside of the office, or anything..

Re:Um..

[sarlen]

Does anybody else see a problem with a laptop you can't use outside of the office? It's not like you'd buy a laptop so you could TAKE IT WITH YOU and work outside of the office, or anything..

As with any optional security feature, I imagine it would only be implemented under the assumption it should NOT be used out of the confines of the office. Would that not be an effective deterent? Same principal as a car stereo that doesn't work once taken out of the car - sure you have it, but what was the point?

Re:Um..

Then why not buy the cheaper, more powerful desktop?

Re:Um..

[grommit]

Who says that you can't take it out of the office? There merely needs to be a system set up where you can "check out" the laptop for business trips. After x number of days, if the laptop is not back at the home office, it gets disabled.

Shut Down?

[ZZeta]

Ok, may be I'm missing something, but wouldn't a simple shut down get rid of this 'feature'?

And before you tell me how you can't shut it down without the apropriate password: Unplug / get rid of the battery. If you're stealing the notebook, why would you mind turning it off? After all, there'll be plenty of time back home to retrive the data.

Re:Shut Down?

[Have+Blue]

Require a password on boot to unlock filesystem-level encryption.

Re:Shut Down?

[KiloByte]

Simple. Just have your server ping the laptop every second and launch an alarm if the connection goes down.

Unless you knowingly turn the watchdog off, I can't see a way to work around this that doesn't involve meddling with the server or alarm -- if you use some secure ping like choosing a random number and running some private key cryptographic tool on both ends.

Re:Shut Down?

cuz after all, there's no reason for a network to ever be down unless something's being stolen. This wouldn't lead to too many false alarms, no more than 10^7 per day.

Re:Shut Down?

[KiloByte]

If it's a planned outage, the watchdogs will be off. Such a setup isn't something that's likely to be something done for just a single machine -- you can't really forget about a system that watches all the laptops in your department.

And for unplanned problems, well, the attention is needed anyway.

Re:Shut Down?

[bitslinger_42]

Better than a boot password (the data is still readable on the hard drive if someone pulls it out), I really like the looks of some new products that are coming out with whole-disk encryption implemented in hardware. They use a USB dongle to hold the private keys, so the attacker would have to steal both the laptop AND the key to have access to the data. I'd much rather see that implemented on all company laptops (even desktops) than watch these companies monkeying around with biometrics.

Re:Shut Down?

[kyrre]

What is to keep me from replacing the laptop with another laptop that use the same ip-address? MAC filtering will not cut it because MAC can easily be spoofed.

Re:Shut Down?

Johnson, why are you still here, it's after midnight, go home!

I can't, if I don't keep pressing a key every 10 minutes, my laptop goes to sleep and the alarms go off!

Re:Shut Down?

[Rich0]

As he indicated it wouldn't be a true ICMP ping, but an application that uses a challenge-response system of some sort. Send random bytes, laptop encrypts with private RSA key, sends back, security server decrypts with public RSA key - no way to impersonate the laptop without hacking into it, which means that you can't take it home to crack it.

GPS? Inside a building?

Hmm... doesn't sound too promising to me.

I can see the error messages now...

[Elphin]

Error! Unable to open file!

In order to open this file you must move 3 metres northwest of your present position

British intelligence and self-destructo laptops

[call+-151]

This has come up before- here is a link to a 2001 Wired article about the British intelligence services using laptops with ``a built-in electronic self-destruct mechanism that erases a laptop's hard drive if the case is opened by force'' when a code is forgotten, as well as ``a tracking feature that allows a computer gone astray to call home." This was after a spate of embarrassing episodes where laptops with lots of important info went missing. I don't know if it's been implemented but this does seem to have some interesting applications, potentially...

Re:British intelligence and self-destructo laptops

[Slashamatic]

I'm still trying to work out how a hard drive can be instantly trashed electronically. Even a single-pass low-level format can take a long time. My guess is an encrypted partition which relies on a key held in a PCMCIA dongle.

The call-home program exists commercially and allows a machine to register its presence with a remote control.

Re:British intelligence and self-destructo laptops

[flosofl]

Yeah, I was wondering the same thing. I work with some security modules that have tamper-resistant casing. If you try to force the locks or pry/cut the case, It zeros itself out. The difference here is that everything is solid state and stored in RAM and Flash memory. For the hard drive perhaps somekind of deadman switch on an electromagnet or something. But that would make for a damn big (and HEAVY) laptop (At least going by the size of our DeGaussers here at work).

Anyone know what could be small and light (fit in a laptop case with all the other stuff) and still be able to wipe a drive isntantly (or near instantly)? Preferably without killing anyone (so no explosives or what-not!)

Re:British intelligence and self-destructo laptops

[earthman]

How about encrypting the whole hard drive, either by using an encrypted file system, or a HDD controller which encrypts all the data written to the disk on the fly. Store the encryption key in Flash or RAM or whatever. When any kind of unauthorized access is attempted, wipe the key, and nobody can access the disk anymore. This could be as simple as keeping the key in a bit of battery-powered RAM, and connecting this to a chassis intrusion switch, which will cut off power when the case is opened.

Don't forget to keep a backup copy of the key somewhere in a location safe enough that when someone gains access to it, the backup keys are the least of your worries.

Re:British intelligence and self-destructo laptops

[Slashamatic]

You also need to remember that a fancy disk drive would be very expensive. The Brits don't have that kind of money for specialised equipment. I have heard of devices that go into the PCMCIA slot that will hold a key in a tamper resistant module. If the driver exposes the standard Win Crypto API, then it would even be possible to integrate it easily.

For a laptop?

[31415926535897]

I was always under the impression that laptops were supposed to be mobile (but maybe that's just me)...

It seems like this would be more useful for company systems that have highly proprietary, sensitive data on them that you wouldn't want moving around. I could see a very nice, dual G5 screaming "I'm being stolen" as the janitor carts it out with his supplies (though how it does that without a power source is beyond me, I guess you would need a secondary power source just for this system).

Also, and I'm really not trying to start a flame war here, but first, what's wrong with a janitor having a laptop, and why assume that it's a janitor stealing the laptop? I would guess that it's a disgruntled employee or just-fired employee (that's not properly escorted out) that would pull a stunt like that. And I would think that laptops are stolen from public places like libraries and parks rather and work places where I think a system like this might not be as useful.

Re:For a laptop?

[Tenebrious1]

Also, and I'm really not trying to start a flame war here, but first, what's wrong with a janitor having a laptop, and why assume that it's a janitor stealing the laptop? I would guess that it's a disgruntled employee or just-fired employee (that's not properly escorted out) that would pull a stunt like that. And I would think that laptops are stolen from public places like libraries and parks rather and work places where I think a system like this might not be as useful.

I don't have any numbers, but most of the laptops that I've heard of being stolen were stolen by complete strangers who managed to sneak into secured areas. Usually dressed in suits, they just wander around purposefully until they see an unwatched laptop grab it and quickly walk out. That's why it's important not to let strangers in behind you.

Re:For a laptop?

[Sai+Babu]

Why of course it's the janitor! How the hell do you think he accrues the scratch for those Hummer payments?

I'm trying to imagine what can be stolen by carting off the laptop that can not be stolen by copying from the laptop to a smaller (than the laptop) storage device. In other words, it's not going to do a thing to prevent employee theft of data.

The best way to limit theft of the actual hardware is a firmware exec that 'phones home' with location from built in GPS or handshake with cellular phone system. The cell phone system registers phones that are turned on. This registration is returned to the cell phone company, regardless of the system the phone registers with. There is also a repetitive handshake. This system is already in use for tracking trucks and containers. It's cheap and easy to add to laptops as a prodction (model specific) option. There are enough bytes free in the handshake packets to encode GPS data for precise location without the need to initiate a call. I'm really surprised this hasn't found it's way into laptops yet. For additional data (keys, keystroke logging, etc), the phone could actually be subscribed with periodic calls to update data. It's a hell of a lot cheaper way to go because the hardare, infrastructure, and tracking system already exists.

Re:For a laptop?

[No+Such+Agency]

Also, and I'm really not trying to start a flame war here, but first, what's wrong with a janitor having a laptop, and why assume that it's a janitor stealing the laptop? I would guess that it's a disgruntled employee or just-fired employee (that's not properly escorted out) that would pull a stunt like that. And I would think that laptops are stolen from public places like libraries and parks rather and work places where I think a system like this might not be as useful.

Thank you for mentioning this. My first thought upon reading that was "What a classist thing to say". I too suspect that laptop theft by janitors is in the distinct minority. I can much more easily imagine office employees stealing "their" own laptops. They can walk around with them without getting funny looks for one thing.

I'm being stolen!

[six11]

Laptop: "I'm being stolen! Security guys, help!"
[Security guy shows up, gun drawn]
Security guy: "You there! Hands up"
Innocent guy: "But, I'm just bringing Bob's laptop over to him in building 4!"

I do like the idea, however, even though it may have issues. You could also use a wireless signal that pervades your company that is used as a key to decrypt.

Re:I'm being stolen!

[KiloByte]

Yeah, and if the guard believes the guy, that's the biggest (and most common) issue.

For the wireless signal: just have a centralized server decrypt everything, to keep the secret keys locked up nice and tight.

Quote from article

[ender1598]

"Throughout the entire process, Wozniak said the encryption key is controlled in a central location through a secure transmission. Because the wOz Platform and the wOzNet network are proprietary, he said it is not open to Wi-Fi spoofing or password sniffing."

proprietary != secure from sniffing

I wonder if it's based on the current wireless encryption or if it's something completely new.

Re:Quote from article

[bhima]

I think his point was wOz != WEP

Thinkpads and RFID

[terrencefw]

IBM Thinkpads have had RFID in them for a while now, to prevent them being taken out of specific areas.

tracking device

[hostylocal]

i like the idea of this. just so i can find stuff after i put it down somewhere...

Not a lo-jack

[zarthrag]

This is hardly feasable. However, it *is* possible to construct your TxRx that can lock your equipment to the area. But if you're that serious about locking something down, why not just use a mainframe and some dumb terminals?

This could only possibly work with other layers of security - GPS data isn't what I'd choose unless you can afford to launch some slightly more "useful" satellites of your own. Those sattelites would have to encode a sort of "encrypted timestamp" into the their data, so that that you can be *sure* your position is accurate, and not injected into the system.

Of course, this is also fakable, but at much more expense and pain. I'm sure even more elaboration could possibly yield something. Maybe adding a tuner that looks for TV/radio local station carriers, blah-blah-blah

Why must it always be "the janitor"??

[gambit3]

A few years ago, a securtity head-honcho at my company gave a presentation about keeping confidential documents off our desks, because "you never know when the janitors can come in and just swipe it out with them. I know they don't speak Englis, but it doesn't take a lot to swipe stuff off a desk..."

I've had my fair share of stuff stolen, and it's never been a janitor.

Re:Why must it always be "the janitor"??

[gambit3]

oh, and forgive the missing "h" at the end of "English."

I've been having trouble with the "h" key in my keyboard.

Must be those damn janitors that stole it!

Re:Why must it always be "the janitor"??

I know they don't speak Englis

Looks like you don't either :p

Re:Why must it always be "the janitor"??

[wootest]

I've had my fair share of stuff stolen, and it's never been a janitor. You're right. The butler did it.

Re:Why must it always be "the janitor"??

[PoopJuggler]

At a company I used to work for, there were several instances of stuff being stolen, and in all cases it was the janitorial staff. I think the stereotype is justified.

Re:Why must it always be "the janitor"??

[Jucius+Maximus]

"A few years ago, a securtity head-honcho at my company gave a presentation about keeping confidential documents off our desks, because "you never know when the janitors can come in and just swipe it out with them. I know they don't speak English, but it doesn't take a lot to swipe stuff off a desk...""

It's easy to blame the person who's not in the room. Why do you think they blame the project's current problems on the person who jumped ship and left the company?

And FWIW, there were only two occasions I know of where things were stolen from an office where I worked or visited. One of them (involving the theft of the database peoples' candy/cookie stock) was never solved as far as I know. The other one (involving the theft of computer equipment) was conclusively traced to a person on the custodial staff. This person was hired on Tuesday, a thief on the Wednesday, and fired on the Thursday.

Re:Why must it always be "the janitor"??

[xxavierg]

well, i am glad your anecdotal evidence, from your personal experience in one company is enough to justify an entire stereotype.

Re:Why must it always be "the janitor"??

[Jucius+Maximus]

Erm, correction: There was a third theft that I forgot about. It turned out that some guy was walking into the building from the street, following people through the security doors after they used their cards, and trying to steal computers. I'm know at one point some employees spotted him and stopped him, but this was after he had gotten some loot already. His description went out in the company e-mail and I don't think we heard from him again.

Re:Why must it always be "the janitor"??

[sanctimonius+hypocrt]

it's never been a janitor.

In my experience, it's more likely to be the VP of Marketing.

Re:Why must it always be "the janitor"??

[nels_tomlinson]

I've had my fair share of stuff stolen, and it's never been a janitor.

I don't think I've ever had anything stolen at the office. I've been a janitor, too.

If the janitors think they have a soft job with high pay, they aren't going to jeapordize it by stealing a laptop or a paper off your desk.

If they figure that they wouldn't get screwed any worse elsewhere, I guess the situation would be different.

The point here is that the janitors are just like you: if they're feeling screwed, they are a lot more likely to compromise their personal standards when tempted. Bear in mind that your excellent employer may contract janitorial services from a contractor who screws his employees.

Re:Why must it always be "the janitor"??

[deletedaccount]

Why must it always be "the janitor"?? It's not always the janitor, sometimes it's the butler instead.

Re:Why must it always be "the janitor"??

And its pretty neat that he works at a company with the distinct ability to identify all perpetrators of each and every theft occurence.

He must work for a detective agency.

Re:Why must it always be "the janitor"??

[Inda]

In my place the high paid engineers do all the stealing of laptops. The rest of us don't have access to them...

They take them home to do work in the evenings. They dial into the network for free internet. Their kids download Britney. Their begged CD burner is constantly burning audio CDs - they have to beg because there is no real reason for laptops having burners...

...they find out that they are unable to install latest_spyware_infested_program. They wipe the hard drive, install their own software (disabling dial-in in the process) and the laptop never sees the office again. They know they'll have a lot of explaining to do if the laptop ever needs rebuilding.

They see it as one of the perks of the job.

Re:Why must it always be "the janitor"??

[rowland]

Speaking as a programmer, the janitors I have been acquainted with have had, on average, higher integrity and a better work ethic than than the average programmer. Also, in my experience, programmers have typically been given greater access to company assets and exhibit a greater sense of entitlement.

(If you are a programmer and currently work with me, I'm not talking about you--I'm talking about the "dearly departed.")

To address the point of the article, I think location-based encryption is a clever idea, but it may need to work at the level of the hard drive. I have had the experience of walking into a server room to find a server torn apart and the hard drives missing. I haven't disassembled my laptop, but doubt it would be any harder to remove its hard drive.

Re:Why must it always be "the janitor"??

[voss]

If the Janitor is a long term employee with benefits , they are probably the most trustworthy employees in the company.

The custodians who steal tend to be temps/contractors.

Re:Why must it always be "the janitor"??

[Spoing]

In my experience, janitors and other after hours staff do steal equipment about 1/2 the time.

The funniest one was right after stealing some equioment, the guilty janitor (who also had keys to the server room) went to 'pop the tape' and found it was entirely hard drive based. The guy still kept the computers and had his house raided to return the stolen equipment.

Lesson? Don't let anyone have keys to the !@#$!@#$! server room! Extrapolate other lessons from there....

Re:Why must it always be "the janitor"??

[Spoing]

1. They take them home to do work in the evenings. They dial into the network for free internet. Their kids download Britney. Their begged CD burner is constantly burning audio CDs - they have to beg because there is no real reason for laptops having burners...

Not where you work. I burn work-related disks frequently. It's expected now, though I attempt to get people to use the network instead.

Re:Why must it always be "the janitor"??

[Spoing]

1. And its pretty neat that he works at a company with the distinct ability to identify all perpetrators of each and every theft occurence.

   He must work for a detective agency.

They are called SECURITY CAMERAS. Most small to moderate facilities have them.

Re:Why must it always be "the janitor"??

Right... and people only steal things in plain view of the completely hidden cameras that are in every office.

Re:Why must it always be "the janitor"??

[MoneyT]

You would be suprised. When I worked at G.E. we had some laptops stolen. Not only did the employee steal them on camera, but he used his own ID badge to get into the building and through the doors.

People are stupid.

Re:Why must it always be "the janitor"??

[celerityfm]

The guy looks like he has an honest face atleast :)

Re:Why must it always be "the janitor"??

[Minwee]

As opposed to someone more qualified for his job, like the janitor.

Re:Why must it always be "the janitor"??

[Spoing]

1. You would be suprised. When I worked at G.E. we had some laptops stolen. Not only did the employee steal them on camera, but he used his own ID badge to get into the building and through the doors.

Me, nope, I wouldn't be surprised. Stupidity on both ends of the theft -- the thief and the guardians -- seems to be the norm.

1. People are stupid.

Yep.

Re:Why must it always be "the janitor"??

Is this the purported janitor?

Re:Why must it always be "the janitor"??

'cause he's the clever one on Dilbert.

GPS spoofing

[Mordac+the+Preventer]

So... how easy is it to spoof a GPS signal?

Re:GPS spoofing

[Mordac+the+Preventer]

Replying to my own post is a bit off, but an even better thought... Say that BigCorp uses this idea to protect all of its really valuable data. You get a GPS transmitter that's transmitting a spoofed postion a few miles away, and all of BigCorp's laptops go "OMG, I've been stolen: 'rm -rf /data'".

Re:GPS spoofing

[kk49]

Easy but expensive.
You buy a GPS Constellation Simulator
Example: http://www.iechome.com/pages/products/simulator.ht ml

Re:GPS spoofing

[nessdog]

Nar dont use that, use a proper simulator.... http://www.positioningtechnology.co.uk/ Now thats what I call a simulator!

Re:GPS spoofing

[legirons]

"So... how easy is it to spoof a GPS signal?"

Depends what system you want to fool.

If you want a GPS receiver to believe it's in a certain position, you need something like this, which is in the 'telephone our salesman to negotiate' price range (or it might be 'US government only', I can't quite tell..)

If you want a computer to believe its attached GPS receiver is in a different location, you simply send formatted text from a serial port.

Janitor walks out with it?

This isn't the first time s/d has made the janitor an evil person you insensitive clods.

article probably wrong

[brlewis]

I seriously doubt they would use only GPS data as an encryption key. Likely the dongle is doing challenge-response interactions with the wireless hub, and certain actions get triggered when the hub is no longer in wireless range.

Re:article probably wrong

[nmg196]

No, but at some stage, the device relies on a raw GPS signal. All I was wondering is, what would happen if you spoofed that signal somehow... Maybe the rest of the encryption process won't notice and it will be happy to show you the data.

As we've seen many times before on Slashdot, lots of new encryption techniques turn out to be gimmicks or marketing ploys designed to sell one specific product. How often do these weird encryption mechanisms actually become mainstream? Not very often.

Not having a device to examine, none of us can really say yet, but if the GPS part of this system has been done to woo naieve company directors into buying their products who are excited by the buzzwords and technology, then maybe that'll be enough for this company to sell a few products and then disappear off the face of the earth before the first workaround or crack for it appears on BitTorrent and eMule :)

Re:article probably wrong

[GotNookie2000]

While it may not be impossible to "Spoof" a GPS signal. It's certainly able to be jammed like any other radio signal. I think that location based encyption is a very cool idea, but I can see that they will need to work out issues like this to make it truely secure.

Oh Come ON!

[Claire-plus-plus]

I don't see how this system will stop theft of data. If you want to steal the data just copy the data and leave the machine there.

I can see the security department scratching their heads while saying "who would have thought of putting all that data on a floppy disk"!

CUSTODIAN!!!

[oiarbovnb]

what do you got against us anyways?

DVD Regional restrictions redux?

[0x00000dcc]

I am somewhat ignorant Woz's plan, but does this not remind anyone of DVDs not being able to be played outside of specified regions? How do we know the same thing won't happen?

Spoof

[Renraku]

It's not a big deal to spoof. All you'd have to do is build a couple small GPS-emulator transmitters and aim them at the device, and have them tell the device that its sitting its comfortable office environment 5,000 miles away.

"Unplug / get rid of the battery"

[da5idnetlimit.com]

True, very true...

Also one should note that in most cases, when someones steals a laptop, it is for the laptop itself, and they couldn't care less for the data on it...as long as they can download the corresponding drivers later on...

One the laptop get sold, it'll suffer a quick reinstall. and the security dongle will become a nice high tech keychain 8)

+ This system assumes I have a physical access to the machine...

If I have physical access to the machine (usually you find them plugged into the network, and no screensaver password...) all I have to do is either install a quick soft from the net or from the cd/usb key I have with me...

Keylogger/bot/zombie/spyware/remote desktop... I can do whatever I want...and your security is breached...

Reliable GPS *INDOORS*???

[rwyoder]

I've been playing with a high-end GPS device recently, and the first thing I learned was that you can forget about getting a reading indoors. So how will this device work when there is no GPS reading in the office???

Re:Reliable GPS *INDOORS*???

[iggymanz]

when it starts getting a gps reading, it knows it left the building. Anyway, in most buildings gps will work in some places and not in others - alot of risk for the thief. I suppose one could place a lo-jack type laptop in a faraday cage, but again risky when it comes type to either strip or access it.

Re:Reliable GPS *INDOORS*???

[silentmusic]

Search for "Indoor GPS" on google

Global Locate, SiRF, Qualcomm (snaptrak),...

Re:w0z is a nutjob at best...

[erikharrison]

Wozniac is a nutjob no doubt about it. He'd still be a legend, though, even if it weren't for Apple. He was an early phreaker, and a good friend of John Draper - Cap'n Crunch for gods sake! He was an important figure in the Silicon Valley hobbyist community, and even if he hadn't done either Apple or phreaking he'd still be a footnote in the big book of commodity PCs because of that. Certainly more than you or I can claim.

He and Jobs didn't start their relationship selling computers together - they originally sold blue boxes. Woz still works for Apple, mostly as a consultant, and he and Jobs still collaborate (though Woz has claimed that on many occasions Jobs credits him with ideas that he had minimal participation in).

Since leaving Apple he's been as much a humanitarian with his skills and money as Bill Gates (though in smaller absolute amounts). He personally provides free tech support for the local school system, and (at least when System 8 was still cutting edge) held computer classes for preschool and elementary school kids. He's sponsered charity concerts, and more.

Problem with Wozniak is he has a great technical mind, a wonderful sense of playfulness, and even a good sense of what users want in products, but his business sense is poor. That's why there hasn't been as much output from Woz since leaving Apple - their hasn't been a Steve Jobs. Wozniak was the Paul Allen to Job's Bill Gates, and much like Allen, Wozniak has dabbled here and their, with no truly successful financial venture yet. That doesn't mean he's worthless

GPS and Signal.

[jellomizer]

With my experience with GPS. They tend not to get a signal unless you are outside and have a clear view of the sky. When Driving in tunnals, or a road with a thick covarage of trees I tend to loose signal. And I have never got it to work while I was inside my apartment. Most people tend to use Laptops inside buildings and a lot of them are not nessarly near windows or have the window shades open (the heat of an afternoon sun in summer is pritty bad). So for most cases this will not work because they cannot get a GPS signal.

Re:GPS and Signal.

[Ulath]

To get the laptop out of the building, you'd have to leave the building, probably into a carpark, which usually have large clear views of the sky, and I guess as soon you did the system would be alerted...

Re:GPS and Signal.

[jellomizer]

But a lesser chance of having network access in the carpark. And all the criminals out there who steel all this equipment will stand out in the open air. This is slim.

Woz?

[Claire-plus-plus]

Will Bill Gates soon be inventing a product with the Acronym "B.I.L.L" for the product name?

New Game?

[rihock]

Why do I see this as new GPS game-- find the hidden PC and try to find the hotspot to de-encrypt the secret message??? Coming to reality TV near you (sort of near, or as close as GPS can)

floppy?

512MB USB keychain flash, actually.

Re:floppy?

[Claire-plus-plus]

some companies have these blocked on their pcs. Nobody blocks floppies though.

good against wardriving

[spectrokid]

Imagine that your WEP gets encrypted with a key dependent on your location. A large company could enable campus-wide WIFI, but you would only be able to get on the network if you are inside one of the buildings. Not the ultimate protection, but one extra barrier.

Re:good against wardriving

[matts-reign]

But what about those of us who like to go outside with our laptops .... wait ... this is /. ... we don't go "outside"

Probably is more than plugging a GPS in.

[hey!]

Yes, but he's not talking about putting a GPS on the serial port.

What he's talking about is something closer an iButton dongle that would only work at a particular position. This will communicate with a wireless infrastructure that will provide the key to unlock data.

How GPS figures in is not entirely clear from the article, but it appears to be a kind of two factor security: you can get to your data if (a) you are in the presence of an authorization agent and (b) you are in the right geographic place. In effect you will be able to say that a particular memo is only readable on campus. You can't take it home with you, for example.

My guess is that the GPS is attached to the authorization agent, not the laptop. For one thing, it's rare to get any kind of GPS coverage inside buildings. The reason for this is that it would prevent you from stealing the authorization agent as well as the data on the laptop. Again I'm guessing, but you'd run a coax cable to an outside antenna. As you point out the NMEAstring is childishly simple to fake, but the actual radio signal would require building special hardware and software to fake.

Re:Probably is more than plugging a GPS in.

[Ced_Ex]

Sure, the page may not load should you be outside of the set geographic range, but what's really stopping anyone from getting in range, take a screen capture and take off?

Perhaps if you can only get the laptop to turn on in pre-determined geographic locations it would be more benefitial, but then again, that would defeat the purpose of having a laptop to begin with.

Indiana Jones

[MetalliQaZ]

...So THATs how the temple knew that they were stealing the holy grail! Always wondered how they did that.

-d

Re:Indiana Jones

[iggymanz]

yes, but for civilian religious booby-trap use the ancient gps signals were intentionally randomly time shifted so accuracy was only to the nearest 3 cubits.

Oh please

Woz has had a SUCCESSION of crappy ideas, turned into crappy products.

While some of us are busting our butts trying to do hard work, why does he get an automatic free pass into Slashdot (and elsewhere) every time he has another hallucination and dips into his pocket to have a few things built?

The guy built a really cool floppy disk drive once. Why again does this equate to a free PR pass to report his every burp?

And yes i did R the F A

Mobile PC.

[leuk_he]

Isn't the point of a laptop that are designed to be mobile? And if you want to restrict the mobility wouldn't it be easier to attach a network cable & lock to it instead of this fancy encryption?

Or if it is to be used in 2 places use 2 desktops? what am i missing?

Ok, this is no solution for the boss who must have the most fancy laptop there is to see the best screensaver. (dilbert)

Re:Mobile PC.

[farnz]

Simple scenario:

You have a large campus, and certain employees are expected to move around campus, setting up their laptop to work wherever they happen to be. This may be in the factory, with Accounts, next to an engineer, anywhere on campus. How do you ensure that they can't leave the campus with their laptop?

A lock to the desk doesn't work; it stops them going around campus. If you're looking at this sort of solution, you don't want to rely on trust, either.

Re:Mobile PC.

[leuk_he]

f you're looking at this sort of solution, you don't want to rely on trust, either.

You don't trust your engineer with his laptop, but you do trust him to tinker with your machines? And you do trust some hardware lock. Check yourself.

Re:Mobile PC.

[farnz]

No, you do trust your employee, but you're too paranoid to depend on that trust when you can add a technical solution to check up on him.

Should he start trying to take the laptop off-site without permission, you may decide not to trust him in future, in which case his job is at risk.

Re:You make me sick

[julesh]

I think the theory is more along the lines of, if you want to steel a laptop from X company to get data from its hard disk, the easiest way of doing this is probably to get a job there as a janitor and swipe one while you're doing your rounds.

Janitors get access to all areas of an office, even ones that are usually kept secure. There are few qualifications required for the job, beyond having good references (which can be faked if you have the infrastructure for it). It's simply the easiest way in. And even if you can't, it's a low paying job which means that those doing it are more likely to be bribable than, say, the IT staff.

Easy to overcome...

[Maljin+Jolt]

Cut and break 'top to pieces. Pick the hard drive from the rubble.

Re:Easy to overcome...

[Lonesome+Squash]

3. Try every possible cryptographic key to read the contents of the drive.

4. ?

5. Profit!

Re:Easy to overcome...

[Maljin+Jolt]

Why did you try so called "every possible" crypto key? If you are not a complete moron, you should already know the correct coordinates. And everything other (keys, software) must be on the disk already.

Re:Easy to overcome...

[Lonesome+Squash]

Why did you try so called "every possible" crypto key? If you are not a complete moron, you should already know the correct coordinates. And everything other (keys, software) must be on the disk already

Because not being a complete moron, the designer of the device would not take the plaintext coordinates and use that as the cryptographic key. The designer would create a hardware black box that has an integrated GPS. The device spits out a key. If you're in the right location, it's a valid key. If you're not, it's an invalid key. Standard crypto software then uses that key to decrypt the contents of the drive

However, you're correct that it's unlikely that you'd need to try every single possible key. On average you'd only have to try about half of them, leaving you plenty of time to use the data before the heat death of the universe. :-)

dongle reader and emulator

Easily fits between laptop and Dongle!

Emulates either laptop or dongle via selectable switch.

Coming soon to a store near you....

Keeping your data safe from thieves

[Mwongozi]

Hasn't Apple already solved this problem?

Probably nothing...

[computational+super]

Imagine your laptop screaming 'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it.

I would imagine this would get the same immediate response from law enforcement and concerned citizens that a blaring car alarm gets right now.

Getting stupid...

[evilviper]

Countermeasures to laptop theft are really getting stupid at this point.

Put 2.5" HDDs in a bit of a caddy to protect it, then you just pull it out and put it in your pocket. Notebooks could be made so that they pop the HDD out when the lid is closed, it is shut-down, or put into standby, and beep after a few seconds if the HDD hasn't been removed.

This won't help immensely if you leave your laptop running, with an open lid, unattended, in a public place, but you probably don't care about security if you do that.

For high security (eg. MI5), it could be attached by a chain or cable to the individual.

The hard drive isn't much bigger or heavier than the smartcards being used to encrypt some notebook's hard drives. Plus, it's a MUCH BETTER solution.

Airplane

So wait .. the whole point of a laptop is portability. Why not have critical data on a server or desktop instead of on a laptop?

I suppose if the device allowed usage of the laptop outside the building but disallowed access to certain files deemed critical .. that would be nice.

In Soviet Russia

[myukew]

In Soviet Russia people encrypt the satellite's data not the other way round

GPS inside?

[nessdog]

Has anyone given a thought to the fact that the GPS signal is weak and wont penetrate a building. They would have to install somesort of repeater system or psudolites.

Re:GPS inside?

[silentmusic]

Actually I think that the first people do to something about it are all rich now. Look at what qualcomm paid for snaptrak.

Just search for "indoor gps" on google. This is a hot area right now.

Dongle hell

[famouswhendead]

I absolutely hate dongles... Lose it and it becomes a really tedious operation to get a dongle back from the manufacturer. (YES sir we do believe who you are but we will need verification, please send your first born and a pint of your blood please)

Not another dongle!

Hell, dongles were used for copy protection long ago, and people despised them. Now someone's trying to introduce them again? We already know they're a pain in the ass.

GPS is extravagant for most applications.

[thegnu]

You could just embed transmitters in the walls. That would do the job for businesses trying to keep their hardware on grounds. Although I guess all you'd have to do is steal or reverse-engineer a transmitter before you stole the hardware.

The best solution would be a combination of both, I suppose, a GPS integrated into the system and a wireless boot key. You could even do away with the physical external dongle if you wanted.

The other issue is I would hate the idea of working for a corporation that assumed I was a criminal from the get-go. But I guess most corporations are that way.

RTFA mods :)

"The dongle can be programmed to delete data or shut down sections of the device. Once the computer is removed from the physical zone, the keys are lost or unavailable, and the hard disk is gibberish," Wozniak added.

GPS does not work indoors

Unless you have a veiw of the sky.

Better idea - wireless hardware key-pair

[Se7enLC]

I have a better idea - you build a pair of hardware keys that operate like rfid ID tags, sort of (except that the key would be battery powered and generate different keys based on what it was given for a timestamp - like a secureID card for a vpn).

You'd hang one of these little devices off your belt or on your keys or something. When the laptop is within a few feet of you, you can access the encrypted data. When it's not, you can't. Seems simple enough....now we just have to make sure that nobody gets smart and tapes the device to the laptop (or packs it in their laptop bag).

Should be presence not location

Location based encryption seems like the wrong solution since it removes the one big advantage a laptop has over a desktop, mobility. If you don't want people to carry certain files out of the office on their laptops, make sure those files can't be put on the laptops in the first place.

However, presence based encryption could be interesting. And there are many ways to detect presence most of which are probably more reliable and even work indoors, unlike GPS. Those darned RFID tags in your clothes (finally a use for them), the bluetooth signal from your wireless phone, a removable USB device, a password that has to be re-entered every so often.

Same as...

[Sax+Maniac]

Imagine your laptop screaming 'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it."

Yawn. It would probably get the same reaction as car alarms do these days: great, some idiot accidentally set off their car alarm again. Where's the coffee?

Do you fly?

[Slashamatic]

Then your laptop goes through security. You may get held up by the search and your latop sits there waiting to be taken. This has happened a few times at airports even though you would think the security area was crawling with personnel and videoed.

Re:Do you fly?

[mpathetiq]

I guess I was not 100% accurate. It rarely leaves my side. Luckily, I have not yet run into an instance where my laptop was left in an unsafe environment for longer than about 5 minutes or so.

My Lappy 486 is treated better than my cat.

Re:Do you fly?

[Slashamatic]

It really is the five minutes that makes all the difference. Actually modern laptops are smaller/lighter but even briefcases get stolen. Unfortunately it seems that the best line of defense is to have a bag that doesn't look like it holds a laptop.

Yawn...

[Fahrenheit+450]

So someone's finally doing something with Dorothy Denning's Geo-Encryption and location based authentication ideas from a couple of years ago.

Wake me when Woz has an original, interesting idea...

Re:Yawn...

[TheLink]

Yeah and Caveman Ogg came up with this idea tens of thousands of years ago. Unfortunately for various reasons it wasn't implemented.

Douglas Engelbart and his team's systems/technologies were way way before their time. Hardly anybody else "got it", or even if they did, they couldn't really make full use of it.

Decades later, people came up with the same ideas but this time the market was ready for their adoption.

Original and interesting ideas are nice, but it can feel like a curse if you have them way too early or lack the resources to implement them.

Stop!

[buss_error]

'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it."

I've been in offices for many many years. There has been only one time the Janitor Did It, and it was a case of they put it somewhere we wern't expecting.

Can we stop with the steriotype? All of the janitors I have known have been honest, hardworking people that are just trying to make a living. While I a sure there are dishonest janitors around, I sure that like anywhere else the vast majority are not crooks.

Re:Stop!

Can we stop with the steriotype? All of the janitors I have known have been honest, hardworking people that are just trying to make a living.

I don't think it's a stereotype. When people talk about office security, there are inevitably people who look around and go "oh, non of my co-workers are thieves, and nobody else comes into the office, so I don't need to worry about security, the locks on the doors are enough". The janitor example is merely a reminder that they haven't thought it through properly.

Re:Stop!

[rthille]

I don't know that the use of the janitor is meant as an inditement of janitors and their honesty, but rather of society. The reason that janitors are used is because they have opportunity (because they have to to clean) and and due to the inequity in society they can be said to have motive. After all, when you're working around equipment that costs as much as you make in a year, there's more temptation to steal it than if you work around stuff that costs what you make in a day. It's the same reason why people who drive expensive cars don't feel comfortable parking their car in a poor neighborhood.
But you're right, statistically, it's the employee making $80k who thinks he should be making $120k, rather than the janitor making $10k

Re:Stop!

[TomorrowPlusX]

Not to mention that janitors -- being blue collar and generally lower on the social totem pole -- *know* they're the first to be suspected/fired when something goes missing.

Generally speaking the theives are coworkers, with sticky fingers. But usually it's people -- dressed nicely -- who just walk in off the street, looking like they belong, and picking something up and quietly taking off.

We've had a fair bit of the latter where I work.

Re:Stop!

[Erwos]

"Can we stop with the steriotype? All of the CEOs I have known have been honest, hardworking people that are just trying to make a living. While I am sure there are dishonest CEOs around, I sure that like anywhere else the vast majority are not crooks."

-Erwos

Re:Stop!

It's not that the janitors steal things because they are dishonest. It's that thievs can become janitors to gain access to your secrets.

Re:Stop!

[Eraser_]

I think janitors are some of the smartest people around. Who else could trivially pilfer anything in the building and get away with it all these years? Careful planning and manipulation have created a society completely dependent on someone else doing the dirty work. The same thing with this whole computer fad. Systems administrators have total control over your dataflow, much like the janitor controls the paperflow. Janitors have been training people like them, long hours which start early and end late in the night, and who are badgered by everyone to do even the most minor of tasks.

Carefully, sysadmins and janitors will join forces to rule the world.

Is your tinfoil hat OSI network model compliant? Seven layers of tin foil or they might hi-jack your datalink.

Janitor detection algorithm

[titten]

Yeah, yeah... Anyone can use a GPS for what they want.
What impresses me, is how this will detect that the janitor took your laptop.

Wish we had more details

[Andy+Dodd]

The article makes it sound like the system relies partially on security-through-obscurity (the w0zNet thing), but that doesn't sound like something Wozniak would ever think of trying to rely on... He's just too brilliant for that.

I wouldn't be surprised if in addition to a decent amount of obscurity, the system also has plenty of true security, i.e. it would be secure even if every detail of how the system works was known.

Also, the whole GPS thing doesn't make much sense to me. Too easy to spoof an incorrect GPS location at the access point, and most of the time, the dongle itself wouldn't be receiving GPS signals (most office buildings are constructed mainly from metal, the end result is most RF signals don't penetrate the walls. Cell phones barely worked in most areas of the last place I worked, no way GPS receivers would have.)

They're small fry next to the white middle class

[Zhe+Mappel]

Evil, laptop-stealing janitors? The ones who used to eat steak with welfare coupons, and now surf for Russian porn on our Powerbooks and T1 lines?

Well, how else are they supposed to get in on the $300 billion annual orgy of white collar crime? Or use this honcho's services?

GPS indoors?

[uqbar]

I have a 1st generation GPS device so maybe my info is out of date, but it has a hard time getting a location in heavy forest, never mind in a massive concrete and steel building. All this seems like it would rule out most real world applications, so I think something is missing in this story - Woz aint no dummy. Any conjectures?

Secure? I don't think so...

Ok, lets think about it a minute. A "GPS position" can not be used as a "key" directly. The data jumps around, bits changing, constantly. Taking the "position" and finding the delta from the center part of a "zone" will also be jumping/drifting so the bits are not stable enough to use as a key either. That leaves using something like:

if ( fabs(position - zone) < X.max_distance)
load_the_key_for_zone_(X.the_key)

Which just implies that the key exists on the laptop drive, or the dongle, for each zone defined. So, yank the drive, plug it in to another machine, find the key and decrypt the data!

Ok, yea, the key itself might be encrypted but then what do they use to encrypt that? Passwords? We all know how to handle that problem too...

casual classism

Yes, only janitors steal. Esp. if they're black or brown. Notice how you'll never find a Jewish janitor? Otherwise they'd steal, too, believe you me.

I am not Woz

[museumpeace]

but I had an idea like this. When USC and the movie industry started a reasearch consortium two years ago to figure out how to digitally distribute movies to theaters securely, I offered them this suggestion:

1. embed GPS location data in the encryption key
2. build [like tighlty integrated and potted] a GPS reciever into the digital theater playback equipment.
3. scramble the GPS output in some way that is also accounted for in the encryption of the digital movie stream and is unique to the serial number of the playback equipment
4. if the digital copy of the movie is not being decrypted on a playback unit that is in the right place, all you get is a call from the FBI.

I am leaving out a few details here of course ;)
But I never heard back from them...like I said: I am not Woz. This application of location-based encryption does not have the numerous problems many posters have raised concerning location based enabling of functions in a laptop [or any other equipment desinged NOT to have a set location...duh!]. Also, these ideas add cost to anything you apply them to: laptops are commodity items and very cost sensitive but a movie theatre spends gazillions on its [FIXED LOCATION] equipment anyway.

Slashdotters: I can't think of a better bunch of people to share wortless ideas with!

Re:I am not Woz

[museumpeace]

Doris Dennings work cited by other poster might have been seen as prior art...it was 6 years ahead of me. the USC facility I mentioned is on line at http://www.etcenter.org/DCL.asp

burning mod points in defense of the janitors

Poor janitor...

He's been accepted into the US to do a job nobody else wants do do...

He's been instructed to take trash out of the cubicules, an ingrateful task he's been faithfully carrying day in, day out...

Back in his country, he graduated in Computer Sciences, but the civil unstability and the widespread violence and police corruption made him choose the US, hoping to give his kids and family better oportunities and living standards...

One day, after everyone has left the office, he sees a stray laptop running XP. It was loaded with viruses and had no firewall, a fact he deduced by the large number of windows popping up spontaneously, pushing penis enlagement pills. "Poor guy", the janitor concludes, "He just can't get any work done". Eager to impress, taking a proactive action, using his knowledge of CS and IT, he takes that laptop into the trash bin, since no one should be forced to use that s****...

"I've done something good today" he tells his wife, ater his shift is over, when he's back home. He enjoys a nice dinner and sees his kids play and goes asleep. He's happy and all the hard time he's endured back in his 3-rd world country is just a faint impression left in the back of his mind.

Next morning the local police pays him a visit. They did not lock him up, though, but he's promptly fired from the company he used to work for and now faces a legal suit by the previous owner of that laptop.

He finds out that he cannot get a job elsewhere, given the increased xenophoby after 9-11. Yeah. The janitor learned, in the harsh way, how people is ingrateful. Poor janitor. It's always the janitor.

Why so complicated just to make it 'not work'

Why not just use WiFi to distribute keys to authenticated users near by? If you move to another WiFi location the key is different, or just absent. Just leave the WiFi non-"dongle" locked in your file safe so the key is not available when your laptop is not at work, or in your pocket/keychain so the laptop only works when you are physically near by.

Can you image

a beowulf cluster of stolen laptops!

Similar to an idea I recently had

[K-Man]

I was thinking it would be nice if my iBook could auto-recognize my home hub and auto-login there. Outside the "zone", it could default back to login-on-wake. Coupled with the various options for encrypting my home directory, etc., this could be similar to what Woz is proposing.

Of course, I haven't sat down to figure out the cryptological protocol needed. For the average thief, a simple insecure method would probably work.

How long till this is applied to people?

[multiOSfreak]

Every time I hear about this kind of cool tech, my mind immediately kicks into conspiracy gear. You know the US government is going to be interested in this type of tracking, probably for people. Especially, you know, "enemy combatants" within US borders.

Commence with the tin-foil hat jokes.

i think there on the right track...

[Legato895]

i think location based encryption IS the way to go becaue its essentially getting to the very root of the problem, that is, access of encrypted information outside of the company. while something such as gps is maybe not as hack proof as it could be, why not just bombard the structure with signal that the pc could read and realize its in the building. copper mesh coat the walls and there you have it. the signal could be anythign from radio to wifi, mix it up, have it synced with the laptop and alway changing.

Okay

[pjt33]

> nw

It is dark. You might be eaten by a grue.

Lots of peoples missing point

[foniksonik]

If this is about encryption it has nothing to do with the laptop being stolen and everything to do with the data being stolen.

Forget about how easy it is to unplug/shutdown said laptop and leave.. obviously it's quite easy.

What this would do is to only allow decryption of the data stored on that laptop while within the vicinity of the approved location.

Anywhere else and the data is encrypted. sure you can wipe the drive, but that is what they want you to do anyways...

And yes people do store sensitive data on their laptops.. plenty of business men have very sensitive financial information stored on their laptop and typically they do encrypt it but this system would make that encryption just a little more secure by salting the method with the GPS data.

Sci-fi comes true again

[zoeblade]

This sounds a lot like Akili Kuwale's encryption method in Greg Egan's novel Permutation City. It's always good to see sci-fi coming true :)

bigotry against janitors

sorry, folks, you are bigoted against janitors. you need to realize that theft of office material is more likely from rich people who know they can just blame it on the janitor, and use the inherent classism and bureaucratic infighting of the workplace to get away with it.

no janitor i have ever met would steal a laptop. maybe a little cash, maybe a coca cola. but a laptop? they know all sorts of hell would break loose and that they would be the primary suspects. furthermore, it would be wrong.

get off your high horse. how many of you stole thousands of dollars of software or movies in the name of 'education'?

Janitor?

[ZappaSoft]

Why you all over Janitor's video controller?

umm imagine this

"Imagine your laptop screaming 'I'm being stolen! I'm being stolen!'"

Imagine me ripping out the battery first then formating my new laptop

"PAUL ALLEN WAS HERE!"

[Saeed+al-Sahaf]

Wozniak was the Paul Allen to Job's Bill Gates, and much like Allen, Wozniak has dabbled here and their, with no truly successful financial venture yet. That doesn't mean he's worthless

Wow. You don't live in Seattle, obviously. Otherwise you would have more knowledge about some of the very big things that Paul Allen has his fingers in (and I don't mean EMP). Thing about Allen is that he doesn't seek out the spotlight, so his many ventures don't have "PAUL ALLEN WAS HERE!" plastered all over them.

Re:"PAUL ALLEN WAS HERE!"

I lived in Seattle for a few months, during which time EMP opened. I recall that someone paid for the municipal busses to have painted on the side, /en espanol/ for some reason, "Thank you, Paul Allen, for EMP!"

Gods, that was nauseating, even though I even admit that I rather liked EMP itself...

blech...

[Morphine007]

Imagine your laptop screaming 'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it."

myes.... and imagine the look on the face of your boss when he realizes that by "working from home", you really meant working from the strip club ;-)

Re:blech...

[taradfong]

I dunno, I'd admire the dedication that he brought his laptop *everywhere*.

hidden RFID providing secret

[a1bert]

i do not care HW but I care my data, what about asking hidden rfid (it's small, it can be hidden well) for secret key ......

Encryption can only go so far...

Encryption systems can only do so much to protect data. The problem is that there is always, always the human factor. People in general are not always aware of what they are doing, especially with computers.

People will forget to activate encryption protocols, or even unknowingly deactive them. Even without that, a wise enough information theif will know ways to make a target actually give him information.

I'm not saying that encryption is unnecessary, it has a purpose. But it's kind of like the old saying: "Locks will only keep out the honest criminals."

My defense against my laptop being stolen...

[allanc]

It's a piece of crap.

Seriously, the PS/2 controller chip burned out, so it no longer has a working trackpad, and the cover over the RAM got lost. I suppose someone could steal one of my exposed SO-DIMMs, but one of those doesn't work (I've been too lazy to try to figure out which), so it's 50/50 that I'd be fine anyway.

All this and it's only a 400MHz PII, too.

--AC

"Save me, Jimmy!"

[jaywood]

Imagine your laptop screaming 'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it."

Good, because that worked so well for the flute in H.R. Puffenstuf

A better solution for location awareness...

[kazzaerexys]

There is a company called DAT that is developing a technology that does (1) non-GPS based location awareness and (2) strong non-algorithmic random numbers. There technology is accopanied by a security framework that allows for all sorts of configurations, particurly dynamic access level based on verifiable location.

Anyone who is interested in this thread should go check out their site. Very interesting stuff!

K.

MOD PARENT UP

[taradfong]

Thank you. It took 15 posts before someone actually got it.

This isn't new

[codewritinfool]

Dorothy Denning proposed it back in 1996, I think.

Re:w0z is a nutjob at best...

[Keith+Handy]

Never underestimate how knowledgeable you can become by watching a movie. ;)

Now available with contrast

http://shit.slashdot.org/article.pl?sid=04/12/03/1 47226

Does in work?

Doesn't think GPS work indoor...

Re:Does in work?

[shadowsurfr1]

As long as there's a signal to a bunch of satellites in space or event units in the building acting as satellites, it should be fine with the right hardware and software.

Re:You make me sick

[otterpop378]

I don't know though... Every janitor that i've ever known has been married / had a significant other. Can't say the same for IT staff... and who says the bad guys would bribe with money anyway?

A case of jolt cola, a couple of pr0n dvds... the whole data center can be yours.