<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Theft Protection</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Linux on the Road"
HREF="index.html"><LINK
REL="UP"
TITLE="Different Environments"
HREF="mobile-guide-p5c1-different-environments.html"><LINK
REL="PREVIOUS"
TITLE="Security in Different Environments"
HREF="mobile-guide-p5c1s5-security-in-different-environments.html"><LINK
REL="NEXT"
TITLE="Dealing with Down Times (Cron Jobs)"
HREF="mobile-guide-p5c1s7-dealing-with-down-times.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux on the Road: </TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="mobile-guide-p5c1s5-security-in-different-environments.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 15. Different Environments</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="mobile-guide-p5c1s7-dealing-with-down-times.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="mobile-guide-p5c1s6-theft-protection"
></A
>15.8. Theft Protection</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN4372"
></A
>15.8.1. Means to Protect the Data</H2
><P
>
<P
></P
><OL
TYPE="1"
><LI
><P
> Encryption: the Linux kernel offers different options.
The
<A
HREF="http://shappyhopper.co.uk/b2154/sharedencryptedhowto.cgi"
TARGET="_top"
>Encrypted dual boot single hard drive system HOWTO</A
>
explains how to secure your system using nothing but Free Software.
It was primarily written for people with a dual-boot laptop and describes
free tools to encrypt Microsoft Windows as well as Linux partitions.
</P
></LI
><LI
><P
> Here are some
<A
HREF="http://tuxmobil.org/smart_linux.html"
TARGET="_top"
>Linux guides for laptops with a built-in SmartCard reader</A
>.
</P
></LI
><LI
><P
> User passwords: can be easily bypassed if the intruder gets physical
access to your machine.
</P
></LI
><LI
><P
> Hard Disk Passwords:
</P
></LI
><LI
><P
> BIOS passwords: are easily crackable, at least on older laptop models.
Some manufacturers (IBM) now have a second boot password.
</P
><P
> If you use a BIOS password or boot loader security, ADVERTISE IT! Paste a
sticker (or tape a piece of paper) on the top of your laptop, saying
something like:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
> WARNING

This laptop is password protected. The password can only be removed
by an authorized [manufacturer's name] technician presented with
proof of ownership. So don't even think of stealing it, because
it won't do you any good.
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
> Before you buy a second-hand machine, check whether the machine seems to
be stolen. I have provided a survey of
<A
HREF="http://tuxmobil.org/stolen_laptops.html"
TARGET="_top"
>databases for stolen laptops</A
>.
</P
></LI
></OL
>
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN4393"
></A
>15.8.2. Means to Protect the Hardware</H2
><P
>
<P
></P
><OL
TYPE="1"
><LI
><P
> Laptop lock: Almost all (if not all) new laptops come with a slot
for the lock, and if yours doesn't have one, most locks come with a kit
to add a slot. One of Targus' Defcon locks even has a motion sensor,
so you don't have to lock it to a secure place if you don't have
one around.
</P
><P
> The only drawback that I can think of is that it takes a couple of extra
seconds to set up or pack up your laptop. It takes about 30 seconds to
snap into place and makes it impossible to quickly walk away with the
laptop. It won't stop a determined thief with the time to unscrew the
legs of the desk or one that wanders around with a substantial pair of
wire cutters in hand, but I feel pretty secure leaving the laptop on my
desk while I go to meetings or lunch.
</P
><P
> Well-known manufacturers of dedicated laptop locks are
<A
HREF="http://www.kensignton.com"
TARGET="_top"
>Kensington</A
>
and TARGUS.
</P
></LI
><LI
><P
> Name plates: to reduce the possibility of theft, you may want to have a
nameplate (name, phone, e-mail, address) made and affixed to the cover
of the laptop. A nice one will cost you about $12, and can be made by
any good trophy shop. They'll glue it on for you too. You could use
double-sided tape instead, but glue is more permanent. That way the laptop
is easy to return, but will look beaten and abused if the plate is removed.
You may even engrave the inside of the laptop cover and, even better,
every removable part (hard disk, battery, CD/DVD drive, power
unit). If this machine ever gets to a repair office, I might get the
machine back. Make sure you remember to update the plates if you move.
</P
><P
> If you don't mind marking up a piece of equipment worth several thousand
dollars, make sure your laptop has some distinguishing feature that is
easily recognizable, e.g. a bunch of stickers pasted on it. Not only
does it make your laptop easier to recognize, my guess is that people
would be less likely to steal it.
</P
><P
> It might even be useful to have a sticker that clearly says <SPAN
CLASS="QUOTE"
>"Does
Not Run Windows"</SPAN
>. This is at least an argument for having your
bootloader stop at the bootloader prompt, rather than mosey onwards into
a colorful XDM login.
</P
></LI
><LI
><P
> Link <B
CLASS="command"
>xlock</B
> to <B
CLASS="command"
>apm</B
> services. One idea:
when the laptop has been unused for a while, instead of letting the
normal apm service suspend the machine, have it run xlock, disable the
apm services so that they do not suspend the machine automatically,
and start a 'laptop-protection daemon'. When xlock exits, the daemon is
stopped and the apm services are restarted (so you can use the apm
services yourself).
</P
><P
> If somebody unplugs the machine while it is under xlock (without
giving the password), the daemon would detect it and could take
some preventive action, such as:
</P
><UL
><LI
><P
> Playing a sound at maximum volume saying "I am getting stolen".
</P
></LI
><LI
><P
> Registering with a fixed local server and pinging it every now and
then. If the pings stop before the daemon unregisters from the server,
the server can take other actions, such as sending an SMS message or
starting a video camera in the room.
</P
></LI
></UL
><P
> With the apm services down, the thief would presumably be unable to use
the hot keys to suspend/stop the machine.
</P
></LI
><LI
><P
> You can change the <SPAN
CLASS="QUOTE"
>"pollution preventer"</SPAN
> logo at startup on
AWARD BIOSes. See instructions from
<A
HREF="http://geggus.net/sven/linux-bootlogo.html"
TARGET="_top"
>Sven Geggus</A
>.
For IBM ThinkPads there is a dedicated DOS utility for burning
your business card data into the BIOS boot screen.
</P
></LI
><LI
><P
> Boot loader: a boot loader may be used to put your name and phone number
(or whatever text you choose) into the boot sequence before the
operating system is loaded. This provides a label that can't be removed
by editing files or even doing a simple format of the hard disk. Some
boot loaders (e.g. LILO) offer a password option, which is highly
recommended (note that without it, it is very easy to get root access).
</P
></LI
><LI
><P
> Camouflage: if you carry a dedicated laptop bag, this can be spotted by
a thief easily. So think about getting another kind of bag.
</P
></LI
><LI
><P
> Serial Number: note the serial number in a secure place. This will be
necessary if your laptop gets stolen.
</P
></LI
><LI
><P
> Insurance: There are some dedicated insurance policies; see my page
<A
HREF="http://tuxmobil.org/stolen_laptops.html"
TARGET="_top"
>Database of Stolen Laptops</A
>.
</P
></LI
><LI
><P
> Use of software that connects and identifies itself: As far as I know
there was an old DOS utility that did something like this. It embedded
itself into the boot sector and upon a certain key combination it would throw a
serial number onto the screen and play an audio code through the speaker
(in case the monitor was no longer usable for whatever reason). You were
supposed to register the serial number with the company that produced
the utility.
</P
><P
> The laptop can send a mail with its real IP address when connected: a mail
containing the output of <B
CLASS="command"
>ifconfig</B
>, started by
<TT
CLASS="filename"
>/etc/ppp/ip-up</TT
> or by a <B
CLASS="command"
>cron</B
> job
(if connected to a company network).
</P
></LI
><LI
><P
> Always remove the external devices and secure them in another
place/room. Set the BIOS to boot from the hard disk first as a default
setting and remove booting from other devices if possible. Also try to plug
the power supply into the least accessible socket. Then, if your machine gets
stolen from your office the 'quick way' (e.g. during a 5 sec. cigarette
break), the thief may not have time to take the power supply
or the drives. Perhaps he/she will end up with a
less useful laptop and you may recover it.
</P
></LI
><LI
><P
> Electronic Devices (Transponders): There are also devices available
which can be detected remotely via satellite; see my page
<A
HREF="http://tuxmobil.org/stolen_laptops.html"
TARGET="_top"
>about stolen laptops</A
> for a survey.
</P
></LI
></OL
>
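Added example (not part of the original guide): the server side of the 'laptop-protection daemon' idea from the xlock/apm item above, written in Python. It tracks which locked laptops have registered and flags any that go silent without unregistering or that report loss of AC power. The class and method names, the 30-second timeout and the laptop ids are assumptions made for illustration, and pings are not authenticated here.

```python
# Added example: server-side bookkeeping for the 'laptop-protection daemon'.
# All names and the default timeout are hypothetical, not from the guide.
import time


class HeartbeatMonitor:
    """Watches laptops that registered when xlock started."""

    def __init__(self, timeout=30.0, clock=time.monotonic):
        self.timeout = timeout   # seconds of silence tolerated
        self.clock = clock       # injectable so the logic can be tested
        self.last_seen = {}      # laptop id -> time of last ping
        self.alarmed = set()     # laptop ids that need attention

    def register(self, laptop_id):
        """Daemon started (xlock is up): begin watching this laptop."""
        self.last_seen[laptop_id] = self.clock()
        self.alarmed.discard(laptop_id)

    def ping(self, laptop_id, on_ac_power=True):
        """Record a heartbeat; an unplugged, still-locked laptop is an alarm."""
        if laptop_id not in self.last_seen:
            return "unknown"     # never registered, or already unregistered
        self.last_seen[laptop_id] = self.clock()
        if not on_ac_power:
            self.alarmed.add(laptop_id)
            return "alarm"
        return "ok"

    def unregister(self, laptop_id):
        """Owner unlocked xlock: stop watching, clear any alarm."""
        self.last_seen.pop(laptop_id, None)
        self.alarmed.discard(laptop_id)

    def check(self):
        """Return ids needing action: silent past the timeout or unplugged."""
        now = self.clock()
        for laptop_id, seen in self.last_seen.items():
            if now - seen > self.timeout:
                self.alarmed.add(laptop_id)
        return sorted(self.alarmed)


if __name__ == "__main__":
    fake_now = [0.0]             # constructed clock for a short demo
    mon = HeartbeatMonitor(timeout=30, clock=lambda: fake_now[0])
    mon.register("laptop-a")
    fake_now[0] = 45.0           # no ping for 45 s, never unregistered
    print(mon.check())
```

The server would call check() periodically and hand the returned ids to whatever action it is configured for, such as the SMS or camera mentioned above.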
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN4436"
></A
>15.8.3. The Day After</H2
><P
> Your primary goal is to prevent your laptop from being stolen in the
first place. Your secondary goal is to recover it after it is stolen.
Report it to the police station ASAP. Check the local newsgroup (in
case...) or even post in it.
</P
><P
> I have provided a
<A
HREF="http://tuxmobil.org/stolen_laptops.html"
TARGET="_top"
>survey of databases for stolen laptops</A
>.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN4441"
></A
>15.8.4. Resources</H2
><P
> This chapter about theft protection draws on ideas
from Lionel "Trollhunter" Bouchpan-Lerust-Juery and on a discussion that
took place on the
<A
HREF="http://www.debian.org/MailingLists/subscribe"
TARGET="_top"
>debian-laptop</A
>
mailing list in January 2001.
</P
></DIV
></DIV
></BODY
></HTML
>