I'm going to go on a trip soon for about two weeks. I would like to set up
my computer so if some dirtball breaks into my house, he won't be able to use
it (well, if he steals it, I'm just out of luck). Is there some method to
"lock" the computer so no one will be able to access it in my absence? Of even
greater concern is will I be able to access it when I get back. I need
something simple (I was thinking of just unplugging the damned thing and hiding
the cord somewhere, but I'm really trying to learn all this techno-stuff).
Unfortunately, there's a scale. Complete protection isn't really simple, and
simple protection isn't really complete.
Ultimately, you kinda need to decide how sophisticated your thief will
be.
In my opinion, the ultimate security for the scenario you outline is full-disk encryption. (My favorite security tool, TrueCrypt, will do this.)
By encrypting the entire hard disk of your computer, and using a sufficiently complex password or pass-phrase, the computer is pretty much useless to anyone but you.
As long as you remember the password, of course.
In fact, even if the thief places it into another machine, something he may try when he sees that a password is required, the data is still encrypted and password protected.
In other words, the thief may have stolen your hardware, but not your data.
And it's your data that's probably the most valuable part.
Unfortunately, whole-disk encryption can be somewhat tricky to set up. To be honest - it kinda scares me. I'd be nervous that it might be too easy to lose access. That's probably just me, though, as I'm sure there are many people using whole-disk encryption daily and without concern.
The approach I take is to segment my data, and use TrueCrypt containers instead of encrypting the entire disk. I place my sensitive data into such a container that, once again, can only be accessed by my having provided the correct password. Containers can be safely copied and backed up, and seem like a good compromise.
I recently created a 250 gigabyte container to hold sensitive data on my primary desktop machine, and have used (and recommended) TrueCrypt on my laptop where loss or theft is a more practical concern when traveling.
So one way or another, encryption is the only way to really protect your data from loss if your machine gets stolen, be it a desktop at home or a laptop while traveling.
Just make sure that the data you care about is, in fact, encrypted.
Another approach that I know many people use is to put a boot password on the machine's BIOS. This requires that at boot time the password be provided in order to continue. It's actually a fairly reasonable approach to protecting the computer from casual theft and thieves that are more interested in the hardware than your data.
Except...
A BIOS password does not protect your data. Even if the machine is completely unbootable due to not knowing the password, a thief could simply remove the hard drive and gain access to everything on it.
Whoops.
That's, in part, why I say you need to decide just how sophisticated a thief you think you're going to get.
In all honesty - I'd look at physical security first. (And, sorry, removing the power cable doesn't quite cut it.) Many computers have tabs to which you can attach a cable, and lock the computer to a desk much like you might lock a bicycle to a lamp post. Laptops have special slots specifically designed to attach such cables. That won't prevent a determined thief from perhaps opening up the case (though many of the locking tabs make that extra-difficult as well), but it'll probably cause the more casual burglar to move on to easier-to-grab items.
Or you might just unplug it and hide it in the back of a closet.
As I said, simple solutions aren't complete, and complete solutions aren't really simple.
I land somewhere in the middle, and use encryption.
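One way to act on "make sure that the data you care about is, in fact, encrypted" when using containers rather than whole-disk encryption is to sweep a folder for files that are still plainly readable. This is an added example, not part of the original article; the file names, sample contents and the 7.9 bits-per-byte threshold are assumptions, and random bytes stand in for a real container.

```python
import math
import os
import tempfile
from collections import Counter

# Well-known signatures of common unencrypted formats.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/office",
         b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample_size: int = 65536, threshold: float = 7.9) -> str:
    """'opaque' = no known header and near-random bytes; unlisted compressed
    formats land there too, so only a 'readable' verdict is conclusive."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    for magic, kind in MAGIC.items():
        if sample.startswith(magic):
            return f"readable ({kind})"
    if shannon_entropy(sample) < threshold:  # tiny files also end up here
        return "readable (low entropy)"
    return "opaque"

def find_readable(root: str) -> dict:
    """Map every file under root that is clearly not encrypted to the reason."""
    paths = [os.path.join(d, f) for d, _sub, files in os.walk(root) for f in files]
    verdicts = {os.path.relpath(p, root): classify(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v != "opaque"}

def demo() -> dict:
    """Constructed sample folder: two readable files and one container stand-in."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"taxes.txt": b"constructed sample tax notes\n" * 200,
                   "photo.jpg": b"\xff\xd8\xff\xe0" + os.urandom(4096),
                   "vault.tc": os.urandom(65536)}  # stand-in for a container
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return find_readable(root)

if __name__ == "__main__":
    print(demo())
```

Anything the sweep reports is sitting outside the container in the clear; a file it does not report still needs to be confirmed as living inside the container.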
A problem with TrueCrypt is that it is not possible to use unless you have administrator rights. Is there a technical reason for this? I can’t use my TrueCrypt USB drive at work. Are there any good alternatives for this other than having to use encrypted rar or zip files which take ages as the whole file needs to be re-encrypted?
A good per-file encrypter is AxCrypt, but remember that it makes a copy of the file, so you have to be careful to erase and wipe the original unencrypted copy if this is a same-machine security situation.
09-Apr-2010
As for full disk encryption, I agree it can be tricky. I’ve had my OS die twice and both times I had full disk encryption enabled (by truecrypt), which required me to use the very slow recovery disk to decrypt my data. The second time it happened I tried to decrypt it from another OS, but apparently that didn’t work, so I was still forced to use the recovery disk.
Despite all this I’m still using it even as I write this, though. I think the added level of security is worth the risk.
Buy a Fireproof Safe… rated for at least 2 hours… with a Combination Lock + Key. Bolt it to the Floor… in a Hard-to-get-to location. Put your Hard Drive, Jump Drive, CD’S, DVD’s and etc. in it + Silica Gel Packets or Desiccant Packets.
Take the hard drive out of the computer, place it in an anti-static bag and place it in your safety deposit box at the bank. Flawless security for those extended vacations!
Like Barb L … safety deposit box … if the computer is stolen … we do have insurance … also have a back up with someone else … no worry!
If your computer does get stolen and it is running Prey (preyproject.com) you may be able to get reports on where it is and who is using it.
Would this be a good solution to your problem? http://www.snapfiles.com/goto.php?id=112145&t=87463528&d=7141294&gourl=/get/predator.html
Hard disk passwords get no respect. They offer better security than a power-on password and the same resistance to being moved to another computer that full disk encryption offers.
The BIOS has to support it though, some do, some don’t. For more see:
Hard disk passwords offer great security for free
http://blogs.computerworld.com/hard_disk_passwords_offer_great_security_for_free
@Mark: “I can’t use my truecrypt usb drive at work.”
One option is hardware based full disk encryption. I’ve written about two external 2.5 hard drives that have buttons on them. You enter the password using these buttons. NO SOFTWARE IS NEEDED on the computer. Works with Windows, Macs and Linux (depending on file system of course).
See
http://blogs.computerworld.com/15836/second_guessing_the_data_theft_at_ecmc
Unless you’re someone with really important data on your computer (which might be stolen in some ‘Hollywood’ style scenario), your computer would only be stolen by an opportunistic burglar.
So, as Michelle said, make sure you have a good backup (and please, not on the same computer or a backup device beside the computer). You do backups don’t you…hmmm?
Also, make sure you don’t have photos of your (ahem), honeymoon or similar in an easily accessible directory – you never know where they’ll show up. Leo’s advice about an encrypted directory is the best place and in the case of Truecrypt, relatively easy and certainly robust. However, I do keep all that data in un-encrypted form on my separate backup which is stored remotely.
The best protection I’d suggest is learn how to safely/properly remove the hard drive from your computer. Save the hard drive in a safe place until you return. If the computer is stolen at least the contents/data from the hard drive can always be retrieved on another computer. With no hard drive there is nothing for a thief to look at. It’s like taking the battery and engine out of your car… but far less complicated. Knowing how is a wonderful thing.
I won’t talk about the importance of backup (multiple types). As far as physical theft… well, what I did when I went on vacation was (1) took out my hard drive and hid it and (2) left the box open and made it look like the computer was basically a scrap heap. Most low level thieves will assume it is broken and won’t mess with it.
Point one: TrueCrypt is the ONLY totally secure on disk encryption method – right on Leo. Not even GOD [ Tongue in cheek ] can break a 256 DES blowfish encryption.
Point two: I’ve used the take away method for yonks.
Not only does my method ensure thieves don’t get your data [ ANY of it ] but it stops viruses from infecting said data. The boot drive [c ] is the smallest drive on the PC to hold the main programs and Windows. The INTERNAL drives only hold garbage and games; BUT all data is held on USB large drives which can be unplugged and hidden away elsewhere in the house. Every USB drive is duplicated on its twin, including complete recovery of the boot drive. All a thief will get is the OS, programs and games – these can be restored on a new system without even loading all programs from scratch [ reg copy and programs copy ]. A back to base house alarm system also wouldn’t go astray [ how about a house sitter ? ]
For going on a vacation scenario, one can remove the hard drive(s) and hide it/them separate from the desktop box. If the box gets stolen, their drives didn’t and they can easily get their data off the drives and then use them in a new build.