Laptop security: Apple vs. [Insert name here]
My Mac was stolen, and I used Find My Phone to lock it immediately. A week later, the thief opened the device, and sure he can't access it.
After two weeks, I lost my hope, sure I won't be able to get it back, so I decided to activate the Eraser.
Just an hour ago, I received the notification that the device erasing process has started.
I lost my device and all my data but not my privacy. And I found on Apple support forums that the device will remain locked as long as it still listed in my Find My Phone.
Now I'm planning to buy an x220 and get back to Linux. I was wondering how can I secure a Linux laptop and make it (somehow) harder for the thief to access my stolen device just like Apple did.
Do you have any experience with this? Do you mind to share?
[+] [-] ePierre|9 years ago|reply
The solution to your problem is data encryption. On Linux, there are different levels of data encryption, whether you want to encrypt the whole hard drive or only the /home partition (where all of your private files will be stored).
The ArchLinux Wiki has a very detailed page [1] about all the available options for disk encryption.
Regarding Ubuntu, when you install it on your system, it will ask if you want to encrypt your /home partition [2] or your whole disk [3].
I got my laptop stolen in France last summer, and as much as this was a pain in the ass, at least I didn't have to wonder if the thief had access to my private data (photos, documents and the like) since the /home partition was encrypted. Hell, the thief probably had a WTF moment when (1) he discovered it was not a French version of Windows but an English version of Ubuntu running and (2) when he discovered it was a Taiwanese laptop with this keyboard layout [4]. Good luck to sell that on the French black market :)
[1] https://wiki.archlinux.org/index.php/Disk_encryption
[2] https://www.howtogeek.com/wp-content/uploads/2012/06/ximage8...
[3] http://www.tecmint.com/wp-content/uploads/2016/02/Ubuntu-16....
[4] https://c1.staticflickr.com/8/7501/16104079539_00c39c200d_b....
[+] [-] richardjs|9 years ago|reply
One standard approach is to set up full disk encryption. A common setup would encrypt every partitions but your /boot partition, so a thief would be unable to access your system if it were powered off. (If you're especially cautious, you can do tricks to protect your /boot partition too, to guard against tampering, but that's beyond the scope of protecting against theft.)
The catch is if the thief steals your powered-on laptop, the system's still decrypted (meaning, the decryption key is still in memory). I'd guess locking your machine is a partial guard (and is what I rely on), but I'd be interested in learning if there's a better method of protection.
ArchWiki has a pretty good overview: https://wiki.archlinux.org/index.php/Disk_encryption. I'm happy to try and answer any questions you have.
[+] [-] hackuser|9 years ago|reply
1) > The catch is if the thief steals your powered-on laptop, the system's still decrypted
I think the key distinction is if a laptop's storage is encrypted if it's in some sort of sleep or lock mode. AFAICT most people's laptops are rarely completely off; they either are fully on, asleep, or sometimes locked.
Solutions that secure data only when the laptop is fully off seem almost useless to me; in practice the data rarely is encrypted. Do you know of solutions that address this issue?
2) What about Self Encrypting Drives (SEDs), which encrypt at the hardware level usually by using the industry standard (AFAICT) Opal?
https://www.trustedcomputinggroup.org/storage-work-group-sto...
3) File-level encryption, rather than volume level, would seem to solve the problems in #1. Files are decrypted only when they actually are in use; otherwise they are secured. Therefore on most systems, most data files are secured most of the time. The problem is how to efficiently enter credentials for every file, or every batch of files, the user opens: Type a password every time? What about databases or email (e.g., stored 1 file/msg such as in maildir)? Keep the key on a USB drive that must be inserted and, only when first inserted, authenticated with a password?
Do you know of file-level solutions?
4) The problem with every solution is implementation. Security is very hard to implement, and requires high quality execution to avoid exploits. How do I know that the vendor did it correctly?
[+] [-] bo1024|9 years ago|reply
To step back for those who aren't familiar, disk encryption is not at all like Apple's remote locking feature and does not require you to activate it remotely or something like that. It just means that the data on your hard drive is stored encrypted ("scrambled") so that it cannot be read without a password that decrypts it. When you power on the computer, you provide the password, but a thief who doesn't know that password can't decrypt it.
Also there is no need for a remote erasing feature because the encrypted data is as good as erased for someone without the password. (This all assumes you use a secure enough password.)
This is actually more secure than Apple's remote lock in many ways because the remote lock can be avoided by preventing the device from ever accessing the internet or possibly bypassed by removing the hard drive and accessing it using some other computer. (There are protections that prevent this in the iPhone case but I don't know about Mac laptops, don't think so).
[+] [-] lorenzhs|9 years ago|reply
In any case, if you're coming from a MacBook, you're going to hate the x220's display. It's atrocious, with terrible colours and brightness. It's also a SATA2 device, so a modern SSD won't be able to reach anywhere near its full performance. Unless your budget is around $200 I wouldn't recommend such an old machine. But if you do go down that route, you might like r/thinkpad on reddit. Plenty of people there who mod these old devices and have advice on modernising them.
[+] [-] Loic|9 years ago|reply
So, to login/unlock, I type in my password, plug the Yubikey and press the button. This ensures I have a really strong password.
Because if your password is "1234password", all the provided solutions are of no real use.
[+] [-] zhovner|9 years ago|reply
But I can't add my custom shell script into Safari Mode because of macOS SIP (system integrity protection) that I don't want to disable. Also every major update overwrites changes on boot partition.
I would appreciate for any help with this project. My goal is to build some kind of computrace for macbooks that will be much useful that current Find My Mac.
[+] [-] renaudg|9 years ago|reply
That's not quite true. IIRC, even without a GPS module, macOS sends a list of nearby WiFi APs to the geolocation API, which usually allows for a pretty accurate response (the same you'd get on an iOS device indoors without GPS reception)
[+] [-] Intermernet|9 years ago|reply
Open source, cross platform.
[+] [-] anonova|9 years ago|reply
[+] [-] peterwwillis|9 years ago|reply
If you want to be super paranoid, add a keychain usb stick as a required key to decrypt the filesystem so you get 2-factor authentication.
[+] [-] yjftsjthsd-h|9 years ago|reply
If you do this, make sure to have a backup! Flash drives don't last forever, and are easier to lose than a laptop.
[+] [-] cpbotha|9 years ago|reply
The open-source msed tool has now been renamed to sedutil see https://github.com/Drive-Trust-Alliance/sedutil but it still works the same way.
It would still be possible for a sufficiently advanced thief to secure erase the drive (they need to know how to use TCG Opal to do that), but they will never see your data.
[+] [-] fencepost|9 years ago|reply
Samsung 840 & 850 drives (EVO and PRO)
Crucial MX100 and MX200, but NOT BX100
Sandisk X300s
Kingston KC300
OCZ ARC 100
OCZ Radeon R7
OCZ Vector 180
PNY CL4111
Intel 520 series (128-bit only? Old model)
Intel 530 series (old)
Intel 535 series
Intel 730 series
[+] [-] pokemongoaway|9 years ago|reply
[+] [-] locusm|9 years ago|reply
[+] [-] pokemongoaway|9 years ago|reply
[+] [-] vinay_ys|9 years ago|reply
On the Linux OS itself, follow good personal security practices - use strong password, use 2FA (see FIDO devices like YubiKey), disable unnecessary services, install software downloaded from trusted, well-reviewed sources only etc. If you did the HDD encryption above, there is no need to do filesystem encryption again in Linux.
[+] [-] hackuser|9 years ago|reply
The parent is referring to Self Encrypting Drives (SED), AFAICT. I looked into them a little recently, but I'm not an expert. Consider the following only a starting point:
Beware that not every SED tech is equally secure; some are easily bypassed. The industry standard, and the one I would depend on, is Opal. It usually requires tools in the OS to activate, but I would be surprised if those tools weren't available for major Linux distros.
https://www.trustedcomputinggroup.org/storage-work-group-sto...
Microsoft provides something called eDrive, which AFAICT (I looked at it briefly) integrates Windows Bitlocker with SEDs.
> Lenovo has this
SED tech is a feature of the hdd/ssd, not the computer vendor. The BIOS has to integrate with the SED but I think that is standard, at least in business-class computers (but double-check before you buy!).
[+] [-] creshal|9 years ago|reply
One big feature: They also backdoor any new Windows installations on the same device, so if your hacker wipes or removes your hard disk, his new replacement install will be bricked as well.
As such, step one will be hard disk encryption (as mentioned by others) so thieves can't access your data. Step two, if that's not enough for you, is activating either of the two anti-theft measures to brick the device if the hacker tries to reinstall Windows.
[+] [-] cgarduno1|9 years ago|reply
I found this issue a while back on Macbooks. I'll update my github soon with more details and some images to demonstrate the process. I read this post and I figured I could whip something together and see what people think.
[+] [-] lathiat|9 years ago|reply
Without FileVault, you can totally still access the laptop and data. Sadly Macs do not have anywhere near the device protection that iPhones do - even the new ones. But data encryption is what you need.
You can do that same in the installer for Ubuntu Linux. I personally prefer the encrypt home directory option over the full disk option, but there are trade-offs.
[+] [-] hackuser|9 years ago|reply
Does that protect your computer if it's asleep? My guess is most Macbooks are either asleep or on 99% of the time.
[+] [-] bigbugbag|9 years ago|reply
[+] [-] grawlinson|9 years ago|reply
I don't need to be concerned about the thief accessing sensitive documents as I setup full disk encryption (dm-crypt & LUKS) with this kind of scenario in mind.
The only negative I can think of is that I cannot make use of tracking software like Prey due to the entire drive being encrypted. A trade-off that I'm happy to live with.
[+] [-] lloeki|9 years ago|reply
You could have a separate, minimal OS as a honeypot.
[+] [-] unknown|9 years ago|reply
[deleted]
[+] [-] deckiedan|9 years ago|reply
A side question (sorry):
So if you ever buy any mac device, will wiping it (reinstall from USB disk) remove it from the Find My Phone system, or does the previous owner (if they set it up) keep the option of locking the device remotely and holding it to ransom?
[+] [-] evgen|9 years ago|reply
[+] [-] Razengan|9 years ago|reply
[+] [-] mekpro|9 years ago|reply
[+] [-] JohnJamesRambo|9 years ago|reply
[+] [-] outericky|9 years ago|reply
[+] [-] huydotnet|9 years ago|reply