Security Basics mailing list archives
Re: In light of what has happened with the theft of the VA laptop, what are the "best practices" for securing laptops?
From: Dave Patterson <sdpatt2 () gmail com>
Date: Tue, 13 Jun 2006 23:48:39 +0700
* Mike Foster <mike () mytechcoach com> [2006-06-12 20:48:45 -0400]:
> In light of what has happened with the theft of the VA laptop, what are the "best practices" for securing laptops? Am curious how all of you feel about the options. How do you feel and/or what is your experience with:

> --Power-on passwords in the hardware/CMOS/BIOS Setup

The hard drive can be removed from the slab and spoofed elsewhere

> --Hard drive locking passwords in the hardware/CMOS/BIOS Setup

Same thing..

> --Laptops equipped with fingerprint readers for the above two options

Same thing..

> --Windows NTFS EFS encryption

What? Does Windows actually do what they say they do? I can't see the code, so I don't trust it.

> --TrueCrypt from www.truecrypt.org for encrypted storage areas

No experience with that.

> --Trusted Platform Module (TPM) https://www.trustedcomputinggroup.org

No experience with that, either

> --Tokens that plug into USB

An encrypted file placed there would leave traces in RAM and on the disk of said file. As a key, now, it would work to decrypt the entire hard drive.

> --Others?

I use an x86 based laptop running Debian GNU/Linux thusly:

Prior to system installation, the entire drive was filled with random data, then a small partition was made at the beginning of the drive, unencrypted, that contains a boot routine and a kernel. The kernel is used to write all data to the remainder of the disk, encrypted, and decrypt the data on the way out of the disk. The kernel only knows how to do this because I have set the proper switch at boot time with a passphrase.

The encryption algorithm is strong, and a modern journaling filesystem is run over the top of it. Speed is very good, no problems with any desktop apps.

The unencrypted portion of the disk is regularly checked using md5sum matches and other utilities using cron jobs and powerup routines.

If the bad guys get it, they'll have a helluva time getting anything useful out of it...

--
Cheers,
Dave
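
Added example, not part of the original post: one way to run the periodic check of the unencrypted boot partition that the message describes, reporting modified, added and removed files against a stored baseline. It uses sha256sum in place of the md5sum named in the post, and the function names and the `/boot` and `/var/lib/boot-integrity` paths are assumptions.

```shell
#!/bin/sh
# Added example: integrity check for an unencrypted boot partition.
# Assumed layout (not from the post): the boot partition is mounted at /boot
# and the baseline lives on the encrypted volume, so someone holding only the
# powered-off disk cannot rewrite it to match a modified kernel.

# Print "<sha256>  ./relative/path" for every regular file, in stable order.
boot_manifest() (
    cd "$1" || exit 2
    find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
)

# Record the current state as the trusted baseline (rerun after kernel updates).
boot_baseline() (
    umask 077
    mkdir -p "$(dirname "$2")" || exit 2
    boot_manifest "$1" > "$2"
)

# Compare the current state with the baseline, one line per difference.
# Exit status: 0 = unchanged, 1 = differences found, 2 = could not check.
boot_verify() (
    [ -d "$1" ] && [ -r "$2" ] || { echo "ERROR: cannot read $1 or $2" >&2; exit 2; }
    # Prefix each manifest line with its source: B = baseline, N = now.
    { sed 's/^/B /' "$2"; boot_manifest "$1" | sed 's/^/N /'; } | awk '
        # sha256sum separates hash and path with two spaces; paths may contain spaces.
        { tag = $1; sum = $2; path = $0; sub(/^[BN] [^ ]+  /, "", path) }
        tag == "B" { base[path] = sum; next }
        { seen[path] = 1
          if (!(path in base))        { print "ADDED    " path; bad = 1 }
          else if (base[path] != sum) { print "MODIFIED " path; bad = 1 } }
        END { for (p in base) if (!(p in seen)) { print "REMOVED  " p; bad = 1 }
              exit bad + 0 }'
)

# Typical use from a cron job or boot script (paths are assumptions):
#   boot_baseline /boot /var/lib/boot-integrity/manifest.sha256   # once, while trusted
#   boot_verify   /boot /var/lib/boot-integrity/manifest.sha256 \
#       || logger -p auth.alert "boot partition differs from baseline"
```

A check launched by the kernel and boot scripts it is verifying only helps if that code still runs the check honestly, so comparing the manifest from separate trusted boot media gives a stronger result.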