Slashdot Mirror
Location-Based Encryption
davidwr writes "Eweek reports Apple co-founder Steve Wozniak has a new way to prevent theft of company secrets on stolen laptops: 'Wozniak offered a peek into his vision for the company on Ziff Davis Media's Security Virtual Tradeshow, where he introduced "wOz Location-Based Encryption," an application that uses GPS tracking within a wireless hub to encrypt and decrypt sensitive data for large businesses.' Today's encryption is good enough but I do like the tracking capability. Imagine your laptop screaming 'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it."
All GPS devices I've come across simply stream out NMEA data from a serial port (or over a bluetooth connection). What would stop someone that really desperate to get the data from hacking the GPS module or the dongle so they can stream in their own forged (or recorded) NMEA data which reports the laptops current position to be where they stole it from (after all, they should remember)? Usually anything these days that requires a GPS uses a standard GPS module, and at some stage, the position data from it ends up in an interceptable form on the edge interface of some module. Hardly bulletproof security?
Our diversity is our strength
What if they had that for cars? Imagine someone tries to steal one and an alarm goes off! Everyone will pay attention and call the police right away. Car theft will be a thing of the past for sure...
Or does it?
In Soviet Washington the swamp drains you.
Some though would have to be applied to this, but a GPS system in your car that alerts you if some operational parameters are crossed would be nice.
"Hey, I'm being towed away from the parking garage, even though my keys are more than 100 yards from me"
...yup...
Zztxt Flrqtp fnz p47eltnzd.
Oh, I'm sorry, you need to move two steps to the left.
It seems like the real risk would be when you are on-site, traveling, etc. As a consultant, my laptop never leaves my side. I'd hate to have to "check out" every time I left the building. Also, I don't think I would like my employer having the possibility of tracking my every movement. Sure, you could turn off the tracking, but then you've lost the security as well.
Post-rock/Ambient/Drone and other noise.
...thieves put stolen laptops in bags lined with aluminium foil. (can also be used for hats)
I'd like to clarify a tad... GPS's aren't specific enough and can be inaccurate enough to make this not perfect security, like is always claimed with NEW AWESOME PRODUCTS! Traingulation may not be perfect either, but it might be a better lead to "only the boss gets internet in the boss's office" type things.
Reality is nothing but a collective hunch.
Does anybody else see a problem with a laptop you can't use outside of the office?
It's not like you'd buy a laptop so you could TAKE IT WITH YOU and work outside of the office, or anything..
Ok, may be I'm missing something, but wouldn't a simple shut down get rid of this 'feature'?
And before you tell me how you can't shut it down without the apropriate password: Unplug / get rid of the battery. If you're stealing the notebook, why would you mind turning it off? After all, there'll be plenty of time back home to retrive the data.
Error! Unable to open file!
In order to open this file you must move 3 metres northwest of your present position
This has come up before- here is a link to a 2001 Wired article about the British intelligence services using laptops with ``a built-in electronic self-destruct mechanism that erases a laptop's hard drive if the case is opened by force'' when a code is forgotten, as well as ``a tracking feature that allows a computer gone astray to call home." This was after a spate of embarrassing episodes where laptops with lots of important info went missing. I don't know if it's been implemented but this does seem to have some interesting applications, potentially...
It's psychosomatic. You need a lobotomy. I'll get a saw.
I was always under the impression that laptops were supposed to be mobile (but maybe that's just me)...
It seems like this would be more useful for company systems that have highly proprietary, sensitive data on them that you wouldn't want moving around. I could see a very nice, dual G5 screaming "I'm being stolen" as the janitor carts it out with his supplies (though how it does that without a power source is beyond me, I guess you would need a secondary power source just for this system).
Also, and I'm really not trying to start a flame war here, but first, what's wrong with a janitor having a laptop, and why assume that it's a janitor stealing the laptop? I would guess that it's a disgruntled employee or just-fired employee (that's not properly escorted out) that would pull a stunt like that. And I would think that laptops are stolen from public places like libraries and parks rather and work places where I think a system like this might not be as useful.
Laptop: "I'm being stolen! Security guys, help!"
[Security guy shows up, gun drawn]
Security guy: "You there! Hands up"
Innocent guy: "But, I'm just bringing Bob's laptop over to him in building 4!"
I do like the idea, however, even though it may have issues. You could also use a wireless signal that pervades your company that is used as a key to decrypt.
"Throughout the entire process, Wozniak said the encryption key is controlled in a central location through a secure transmission. Because the wOz Platform and the wOzNet network are proprietary, he said it is not open to Wi-Fi spoofing or password sniffing."
proprietary != secure from sniffing
I wonder if it's based on the current wireless encryption or if it's something completely new.
There are 10 kinds of people in the world; those that understand binary and those that do not.
IBM Thinkpads have had RFID in them for a while now, to prevent them being taken out of specific areas.
Like tinyurl, but one letter less! http://qurl.co.uk/
i like the idea of this. just so i can find stuff after i put it down somewhere...
This is hardly feasable. However, it *is* possible to construct your TxRx that can lock your equipment to the area. But if you're that serious about locking something down, why not just use a mainframe and some dumb terminals?
This could only possibly work with other layers of security - GPS data isn't what I'd choose unless you can afford to launch some slightly more "useful" satellites of your own. Those sattelites would have to encode a sort of "encrypted timestamp" into the their data, so that that you can be *sure* your position is accurate, and not injected into the system.
Of course, this is also fakable, but at much more expense and pain. I'm sure even more elaboration could possibly yield something. Maybe adding a tuner that looks for TV/radio local station carriers, blah-blah-blah
Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
A few years ago, a securtity head-honcho at my company gave a presentation about keeping confidential documents off our desks, because "you never know when the janitors can come in and just swipe it out with them. I know they don't speak Englis, but it doesn't take a lot to swipe stuff off a desk..."
I've had my fair share of stuff stolen, and it's never been a janitor.
Watch the Teaser Trailer for "The Lightning Thief" Her
So... how easy is it to spoof a GPS signal?
SteveB.
I seriously doubt they would use only GPS data as an encryption key. Likely the dongle is doing challenge-response interactions with the wireless hub, and certain actions get triggered when the hub is no longer in wireless range.
I don't see how this system will stop theft of data. If you want to steal the data just copy the data and leave the machine there.
I can see the security department scratching their heads while saying "who would have thought of putting all that data on a floppy disk"!
99 bottles of beer in 175 characte
I am somewhat ignorant Woz's plan, but does this not remind anyone of DVDs not being able to be played outside of specified regions? How do we know the same thing won't happen?
-- (Score:i, Imaginary)
It's not a big deal to spoof. All you'd have to do is build a couple small GPS-emulator transmitters and aim them at the device, and have them tell the device that its sitting its comfortable office environment 5,000 miles away.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
True, very true...
Also one should note that in most cases, when someones steals a laptop, it is for the laptop itself, and they couldn't care less for the data on it...as long as they can download the corresponding drivers later on...
One the laptop get sold, it'll suffer a quick reinstall. and the security dongle will become a nice high tech keychain 8)
+ This system assumes I have a physical access to the machine...
If I have physical access to the machine (usually you find them plugged into the network, and no screensaver password...) all I have to do is either install a quick soft from the net or from the cd/usb key I have with me...
Keylogger/bot/zombie/spyware/remote desktop... I can do whatever I want...and your security is breached...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
I've been playing with a high-end GPS device recently, and the first thing I learned was that you can forget about getting a reading indoors. So how will this device work when there is no GPS reading in the office???
Wozniac is a nutjob no doubt about it. He'd still be a legend, though, even if it weren't for Apple. He was an early phreaker, and a good friend of John Draper - Cap'n Crunch for gods sake! He was an important figure in the Silicon Valley hobbyist community, and even if he hadn't done either Apple or phreaking he'd still be a footnote in the big book of commodity PCs because of that. Certainly more than you or I can claim.
He and Jobs didn't start their relationship selling computers together - they originally sold blue boxes. Woz still works for Apple, mostly as a consultant, and he and Jobs still collaborate (though Woz has claimed that on many occasions Jobs credits him with ideas that he had minimal participation in).
Since leaving Apple he's been as much a humanitarian with his skills and money as Bill Gates (though in smaller absolute amounts). He personally provides free tech support for the local school system, and (at least when System 8 was still cutting edge) held computer classes for preschool and elementary school kids. He's sponsered charity concerts, and more.
Problem with Wozniak is he has a great technical mind, a wonderful sense of playfulness, and even a good sense of what users want in products, but his business sense is poor. That's why there hasn't been as much output from Woz since leaving Apple - their hasn't been a Steve Jobs. Wozniak was the Paul Allen to Job's Bill Gates, and much like Allen, Wozniak has dabbled here and their, with no truly successful financial venture yet. That doesn't mean he's worthless
With my experience with GPS. They tend not to get a signal unless you are outside and have a clear view of the sky. When Driving in tunnals, or a road with a thick covarage of trees I tend to loose signal. And I have never got it to work while I was inside my apartment. Most people tend to use Laptops inside buildings and a lot of them are not nessarly near windows or have the window shades open (the heat of an afternoon sun in summer is pritty bad). So for most cases this will not work because they cannot get a GPS signal.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Will Bill Gates soon be inventing a product with the Acronym "B.I.L.L" for the product name?
99 bottles of beer in 175 characte
Why do I see this as new GPS game-- find the hidden PC and try to find the hotspot to de-encrypt the secret message??? Coming to reality TV near you (sort of near, or as close as GPS can)
# nohup
Imagine that your WEP gets encrypted with a key dependent on your location. A large company could enable campus-wide WIFI, but you would only be able to get on the network if you are inside one of the buildings. Not the ultimate protection, but one extra barrier.
10 ?"Hello World" life was simple then
Yes, but he's not talking about putting a GPS on the serial port.
What he's talking about is something closer an iButton dongle that would only work at a particular position. This will communicate with a wireless infrastructure that will provide the key to unlock data.
How GPS figures in is not entirely clear from the article, but it appears to be a kind of two factor security: you can get to your data if (a) you are in the presence of an authorization agent and (b) you are in the right geographic place. In effect you will be able to say that a particular memo is only readable on campus. You can't take it home with you, for example.
My guess is that the GPS is attached to the authorization agent, not the laptop. For one thing, it's rare to get any kind of GPS coverage inside buildings. The reason for this is that it would prevent you from stealing the authorization agent as well as the data on the laptop. Again I'm guessing, but you'd run a coax cable to an outside antenna. As you point out the NMEAstring is childishly simple to fake, but the actual radio signal would require building special hardware and software to fake.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
some companies have these blocked on their pcs. Nobody blocks floppies though.
99 bottles of beer in 175 characte
...So THATs how the temple knew that they were stealing the holy grail! Always wondered how they did that.
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Isn't the point of a laptop that are designed to be mobile? And if you want to restrict the mobility wouldn't it be easier to attach a network cable & lock to it instead of this fancy encryption?
Or if it is to be used in 2 places use 2 desktops? what am i missing?
Ok, this is no solution for the boss who must have the most fancy laptop there is to see the best screensaver. (dilbert)
Cut and break 'top to pieces. Pick the hard drive from the rubble.
There you are, staring at me again.
Hasn't Apple already solved this problem?
I would imagine this would get the same immediate response from law enforcement and concerned citizens that a blaring car alarm gets right now.
Proud neuron in the Slashdot hivemind since 2002.
Countermeasures to laptop theft are really getting stupid at this point.
Put 2.5" HDDs in a bit of a caddy to protect it, then you just pull it out and put it in your pocket. Notebooks could be made so that they pop the HDD out when the lid is closed, it is shut-down, or put into standby, and beep after a few seconds if the HDD hasn't been removed.
This won't help immensely if you leave your laptop running, with an open lid, unattended, in a public place, but you probably don't care about security if you do that.
For high security (eg. MI5), it could be attached by a chain or cable to the individual.
The hard drive isn't much bigger or heavier than the smartcards being used to encrypt some notebook's hard drives. Plus, it's a MUCH BETTER solution.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Has anyone given a thought to the fact that the GPS signal is weak and wont penetrate a building. They would have to install somesort of repeater system or psudolites.
Unless you have a veiw of the sky.
I have a better idea - you build a pair of hardware keys that operate like rfid ID tags, sort of (except that the key would be battery powered and generate different keys based on what it was given for a timestamp - like a secureID card for a vpn).
You'd hang one of these little devices off your belt or on your keys or something. When the laptop is within a few feet of you, you can access the encrypted data. When it's not, you can't. Seems simple enough....now we just have to make sure that nobody gets smart and tapes the device to the laptop (or packs it in their laptop bag).
Yawn. It would probably get the same reaction as car alarms do these days: great, some idiot accidentally set off their car alarm again. Where's the coffee?
I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
Then your laptop goes through security. You may get held up by the search and your latop sits there waiting to be taken. This has happened a few times at airports even though you would think the security area was crawling with personnel and videoed.
So someone's finally doing something with Dorothy Denning's Geo-Encryption and location based authentication ideas from a couple of years ago.
Wake me when Woz has an original, interesting idea...
-30-
I've been in offices for many many years. There has been only one time the Janitor Did It, and it was a case of they put it somewhere we wern't expecting.
Can we stop with the steriotype? All of the janitors I have known have been honest, hardworking people that are just trying to make a living. While I a sure there are dishonest janitors around, I sure that like anywhere else the vast majority are not crooks.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Yeah, yeah... Anyone can use a GPS for what they want.
What impresses me, is how this will detect that the janitor took your laptop.
The article makes it sound like the system relies partially on security-through-obscurity (the w0zNet thing), but that doesn't sound like something Wozniak would ever think of trying to rely on... He's just too brilliant for that.
I wouldn't be surprised if in addition to a decent amount of obscurity, the system also has plenty of true security, i.e. it would be secure even if every detail of how the system works was known.
Also, the whole GPS thing doesn't make much sense to me. Too easy to spoof an incorrect GPS location at the access point, and most of the time, the dongle itself wouldn't be receiving GPS signals (most office buildings are constructed mainly from metal, the end result is most RF signals don't penetrate the walls. Cell phones barely worked in most areas of the last place I worked, no way GPS receivers would have.)
retrorocket.o not found, launch anyway?
Well, how else are they supposed to get in on the $300 billion annual orgy of white collar crime? Or use this honcho's services?
I have a 1st generation GPS device so maybe my info is out of date, but it has a hard time getting a location in heavy forest, never mind in a massive concrete and steel building. All this seems like it would rule out most real world applications, so I think something is missing in this story - Woz aint no dummy. Any conjectures?
-
embed GPS location data in the encryption key
- build [like tighlty integrated and potted] a GPS reciever into the digital theater playback equipment.
- scramble the GPS output in some way that is also accounted for in the encryption of the digital movie stream and is unique to the serial number of the playback equipment
- if the digital copy of the movie is not being decrypted on a playback unit that is in the right place, all you get is a call from the FBI.
I am leaving out a few details here of courseBut I never heard back from them...like I said: I am not Woz. This application of location-based encryption does not have the numerous problems many posters have raised concerning location based enabling of functions in a laptop [or any other equipment desinged NOT to have a set location...duh!]. Also, these ideas add cost to anything you apply them to: laptops are commodity items and very cost sensitive but a movie theatre spends gazillions on its [FIXED LOCATION] equipment anyway.
Slashdotters: I can't think of a better bunch of people to share wortless ideas with!
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
I was thinking it would be nice if my iBook could auto-recognize my home hub and auto-login there. Outside the "zone", it could default back to login-on-wake. Coupled with the various options for encrypting my home directory, etc., this could be similar to what Woz is proposing.
Of course, I haven't sat down to figure out the cryptological protocol needed. For the average thief, a simple insecure method would probably work.
---- "If we have to go on with these damned quantum jumps, then I'm sorry that I ever got involved" - Erwin Schrodinger
Every time I hear about this kind of cool tech, my mind immediately kicks into conspiracy gear. You know the US government is going to be interested in this type of tracking, probably for people. Especially, you know, "enemy combatants" within US borders.
Commence with the tin-foil hat jokes.
Transistors and Beer!!
i think location based encryption IS the way to go becaue its essentially getting to the very root of the problem, that is, access of encrypted information outside of the company. while something such as gps is maybe not as hack proof as it could be, why not just bombard the structure with signal that the pc could read and realize its in the building. copper mesh coat the walls and there you have it. the signal could be anythign from radio to wifi, mix it up, have it synced with the laptop and alway changing.
It is dark. You might be eaten by a grue.
If this is about encryption it has nothing to do with the laptop being stolen and everything to do with the data being stolen.
Forget about how easy it is to unplug/shutdown said laptop and leave.. obviously it's quite easy.
What this would do is to only allow decryption of the data stored on that laptop while within the vicinity of the approved location.
Anywhere else and the data is encrypted. sure you can wipe the drive, but that is what they want you to do anyways...
And yes people do store sensitive data on their laptops.. plenty of business men have very sensitive financial information stored on their laptop and typically they do encrypt it but this system would make that encryption just a little more secure by salting the method with the GPS data.
A fool throws a stone into a well and a thousand sages can not remove it.
This sounds a lot like Akili Kuwale's encryption method in Greg Egan's novel Permutation City. It's always good to see sci-fi coming true :)
Why you all over Janitor's video controller?
Wow. You don't live in Seattle, obviously. Otherwise you would have more knowledge about some of the very big things that Paul Allen has his fingers in (and I don't mean EMP). Thing about Allen is that he doesn't seek out the spotlight, so his many ventures don't have "PAUL ALLEN WAS HERE!" plastered all over them.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Imagine your laptop screaming 'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it."
myes.... and imagine the look on the face of your boss when he realizes that by "working from home", you really meant working from the strip club ;-)
Oh god, that woman is John Romero!
i do not care HW but I care my data, what about asking hidden rfid (it's small, it can be hidden well) for secret key ......
It's a piece of crap.
Seriously, the PS/2 controller chip burned out, so it no longer has a working trackpad, and the cover over the RAM got lost. I suppose someone could steal one of my exposed SO-DIMMs, but one of those doesn't work (I've been too lazy to try to figure out which), so it's 50/50 that I'd be fine anyway.
All this and it's only a 400MHz PII, too.
--AC
Imagine your laptop screaming 'I'm being stolen! I'm being stolen!' and paging security as the janitor walks out the door with it."
Good, because that worked so well for the flute in H.R. Puffenstuf
There is a company called DAT that is developing a technology that does (1) non-GPS based location awareness and (2) strong non-algorithmic random numbers. There technology is accopanied by a security framework that allows for all sorts of configurations, particurly dynamic access level based on verifiable location.
Anyone who is interested in this thread should go check out their site. Very interesting stuff!
K.
Thank you. It took 15 posts before someone actually got it.
Does it hurt to hear them lying? Was this the only world you had?
Dorothy Denning proposed it back in 1996, I think.
Never underestimate how knowledgeable you can become by watching a movie. ;)
-- -Keith
As long as there's a signal to a bunch of satellites in space or event units in the building acting as satellites, it should be fine with the right hardware and software.
I don't know though... Every janitor that i've ever known has been married / had a significant other. Can't say the same for IT staff... and who says the bad guys would bribe with money anyway?
A case of jolt cola, a couple of pr0n dvds... the whole data center can be yours.