How to secure laptops when stolen

That kinda sucks. Someone broke into our flat and stole my two laptops (working and private one) and my camera. Bastards! And of course no backups from the last 7 months and no insurance either. Well, lesson learned and as soon as I've got the money I will go and think hard over my new laptop. So probably in a couple of years. And it will probably be a Mac coz that will allow me to do all the funky Linux stuff along with using my favorite Adobe products. But different story.

For now I was thinking how I could have saved myself from all that crap. And actually got an idea that could work. Basically there is a small kernel running in a ROM, connecting to a server and checking for the status every now and then. That happens of course before the OS is started. If your laptop gets stolen or lost or whatever makes you believe your data is in danger you connect to that server or call an emergency number to set the status to another level. That for example encrypts your hard disk and blocks any login or startup attempts unless you reactivate by putting in some secret code. And since it is in a ROM you can’t just change the HD. And of course with the help of a GSM or GPS module there could be instantaneous feedback on location once the status had changed from ok. Shouldn’t be too hard to do. And aren’t those bloody TPM modules actually supposed to do that? Any information is appreciated. If none is coming I will just make a bloody million out of it… Let’s call the system SEC (Security enabled computing)

So in short it would look like this.

  1. Laptop gets stolen, owner calls Hotline asap and sets status to stolen
  2. Machine powers on or wakes up from hibernate
  3. SEC checks on available network connectivity at least once a day
    1. Ethernet
    2. Wireless (information is updated from tools running in primary OS)
    3. Built-in mobile network
  4. Connects to server for the status of that hardware, identified by some unique ID (loads of possibilities here, let’s assume the MAC address of the built-in network adapter for now)
    1. if status ok everything boots up just fine
    2. if status is not ok
      • some bits on HD are set to encrypt data or the stored encryption key is deleted (in a hardcore variant, the whole HD is low level formatted)
      • Lock on hardware level
      • all available information about position is sent to server, e.g. from built-in gps, IP address
      • Optional: As much data as possible is copied over to secure servers.
  5. Only by providing the private key part of a key pair you can now unlock the system and your data

Sounds easy, doesn’t it? Wish I had that before. But I don’t, so if you stole my T61 (you can’t work with the German keyboard anyway) from Bondi, be fair and give it back…
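The pre-boot decision from steps 2 to 4, as an added sketch that is not part of the original post and not an existing product. It assumes a per-device secret provisioned in the ROM so the status reply can be authenticated with an HMAC over a fresh nonce (a bare MAC address identifies the device but does not prove who answered), and an offline grace window of one day; `SecDevice`, `sign_status` and `make_server` are hypothetical names, and the private-key unlock of step 5 is not modelled.

```python
import hashlib
import hmac
import secrets

DAY = 24 * 3600  # the post's "at least once a day" check interval, in seconds

def sign_status(secret: bytes, device_id: str, nonce: bytes, status: str) -> bytes:
    """Server side: MAC the status together with the device ID and the fresh nonce."""
    msg = device_id.encode() + b"|" + nonce + b"|" + status.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

class SecDevice:
    """Hypothetical model of the pre-boot SEC component described in the post."""
    def __init__(self, device_id: str, secret: bytes, disk_key: bytes, now: int):
        self.device_id, self.secret = device_id, secret
        self.disk_key = disk_key          # the stored encryption key of step 4.2
        self.last_ok = now                # time of the last verified "ok"
        self.locked, self.report = False, None

    def _verified_status(self, server):
        """Return the server's status, or None if unreachable or not authentic."""
        if server is None:
            return None
        nonce = secrets.token_bytes(16)   # fresh per check, so old replies cannot be replayed
        status, tag = server(self.device_id, nonce)
        expected = sign_status(self.secret, self.device_id, nonce, status)
        return status if hmac.compare_digest(tag, expected) else None

    def preboot(self, server, now: int, location: str = "unknown") -> str:
        """Decide between 'boot', 'hold' (refuse until a check succeeds) and 'locked'."""
        if self.locked:
            return "locked"
        status = self._verified_status(server)
        if status is None:                # assumed policy: offline boots only inside the window
            return "boot" if now - self.last_ok < DAY else "hold"
        if status == "ok":
            self.last_ok = now
            return "boot"
        self.disk_key = None              # delete the stored encryption key
        self.locked = True                # lock until the owner unlocks (step 5)
        self.report = (self.device_id, location)  # position info queued for the server
        return "locked"

def make_server(secret: bytes, status: str):
    """Constructed stand-in for the hotline-controlled status server."""
    return lambda device_id, nonce: (status, sign_status(secret, device_id, nonce, status))
```

A reply that fails verification is treated like no network at all, so a forged "stolen" cannot wipe the key and a forged "ok" cannot extend the grace window.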

