
Walking Away From Your Computer

If it’s not physically secure, it’s not secure.

That’s a phrase I’ve used in several articles on security, but with the recent emphasis on privacy as well, I’ve decided it deserves its own dedicated discussion.

You can have the best security software. You can be the greatest at identifying and avoiding phishing and other attempts to trick you into downloading malware. You can have the greatest, strongest passwords, doubly secured with two-factor authentication….

… and it’s all for naught the moment someone else gets their hands on your machine.


The friends and family plan

This scenario is all too familiar.

You feel safe at home, so you don’t bother locking your computer or taking other security precautions. It’s just you and the people you trust, right? Be it a spouse, roommate, or a good friend over for dinner, there doesn’t seem to be a reason to take special precautions.

That’s exactly how I roll. If you walk into my home, there’s a good chance you can walk into my office and start typing away at my desktop computer.

But I often hear from folks who shouldn’t have felt quite so secure in their surroundings. Be it a friend pulling a prank by taking a photo with your phone, or a soon-to-be ex taking revenge on your online accounts, or a child just wanting to play with your shiny toy, unlimited access to the technology you have lying around isn’t always the safest or most secure approach to take.

I’m fortunate in that I feel appropriately secure for my situation. What matters most is that I’ve thought about it on more than one occasion, rather than just assuming I’m safe or not giving it any thought at all. Usually folks who run into problems fall into that latter camp, having given little or no thought to whether they consider their home (or workplace) “safe”.

I’ll just be a second

I began writing this article in a local Starbucks – a place most folks consider anything but a “secure” location. Using the coffee shop’s Wi-Fi through a VPN, I secured my internet connection, and my laptop never left my sight.

The gentleman next to me, on the other hand, was working on something and then … left. I didn’t check to see if he was just picking up a refill or making room for more; the fact was he walked away from his open and running laptop (and a few other belongings). He returned after a couple of minutes and resumed his work.

I know if you hang out at your local coffeeshop or Wi-Fi-enabled eatery often enough, it can start to feel like home. But it’s not. You might assume that the other mobile techie nearby is a “friend” who’ll keep an eye on your things for a few seconds, but that’s a very bad assumption. You might assume that as long as it’s within eyesight, nothing bad will happen.

There are so many ways this can go wrong.

The most common result is theft. But walking away, even for a few seconds, opens the door to everything that unfettered access to your device allows.

Inspect this

Recent news has included a troubling privacy scenario many people don’t foresee: inspection when crossing international borders.

Depending on where you live, where you’re going, and the current political climate, any devices you take with you may be subject to inspection. That inspection could require you to provide full access to the contents of the device.

This is actually quite controversial, particularly in the U.S., and there are arguments and assumptions on both sides of the issue. What’s important here is to realize that:

  • This could happen
  • It involves full access
  • It’s subject to the laws of the country you are travelling to, which may be radically different than what you’re used to.

It may be something most people needn’t be too concerned about, but it’s important to be aware of and consider this possibility before traveling.

Thieves? Yeah, but…

Many people consider theft to be the biggest thing to worry about.

If your data isn’t backed up and would disappear along with your computer, that might be true. But if you’ve been backing up appropriately, theft is generally an inconvenience and not actually a disaster.

It’s my belief that the majority of burglary and opportunistic theft is all about the hardware – not the data stored on it. Most thieves simply aren’t that technically savvy, and are more interested in turning a quick profit by selling the hardware. Unless you’ve been specifically targeted for some reason, your data is probably not that interesting, and will likely never be noticed.

Of course, “likely” isn’t never. You should still take precautions. When someone steals your equipment, they have everything on it. Depending on their level of expertise (or that of the person they sell it to), and the preparations you’ve made (or haven’t), they could once again have access to everything.

I do take steps, some of which I’ll outline below, and should anything ever be stolen, I’ll be changing passwords, of course. It’s just not the first thing I think of when securing my equipment.

Steps to take

When it comes to physical security, there are a variety of steps you can take, but the most important is simply to keep it in mind.

Encrypt, encrypt, encrypt

In recent years, I’ve become a big fan of whole-disk encryption. I use it not only on any laptops I travel with, but also on my desktop computer.

Think of whole-disk encryption as password-protecting everything. Without the correct password (be it a real password, or your system log-in credentials) the information on your hard disk is simply inaccessible. As long as the machine is not running, or has been logged off, whoever has physical access to it simply can’t get at anything. Period.

Particularly if you’re in a situation where theft is a real concern, such as travel, whole-disk encryption is the first step to keeping your information secure. Similarly, make sure to enable encryption on any mobile devices that support it.

Important: remember that if, for some reason, you can’t log in to your own machine (or forget the password) you, too, will be unable to access the data contained on the disk. It’s critical you have a separate backup, kept secure in some other fashion. Make sure also to take advantage of any backup options, like a recovery key, offered by the encryption technology you use.

Log out

Yes, having to log in to your machine is an inconvenience. But by not having a login, you’ve made it a trivial matter for anyone to walk up to your computer at any time and access its contents, running or not.

Minimally, make sure a password is required to access your computer, and use a screen saver that also requires a password be specified to regain access after some period of inactivity.

Similarly, make sure your mobile device has a PIN code[1]. Configure an appropriate time-out, after which the device requires the code to access the device’s contents.

For bonus points, consider getting into the habit of locking your computer or device when you walk away (keyboard shortcut: Windows key + L).
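The encryption and log-in settings described in the two sections above can be checked from PowerShell. This is an added example, not part of the original article; it assumes Windows with BitLocker as the whole-disk encryption, and the 15-minute idle threshold is an assumption, since the article names no number.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Run from an elevated prompt so the BitLocker query can succeed.
# Limitation: only the screen saver and the machine inactivity policy are
# checked; other lock mechanisms (sign-in on wake, for example) are not.
$MaxIdleSeconds = 900   # assumed threshold, not taken from the article

$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'

function Get-DesktopSetting([string]$Name) {
    # A Group Policy value, when present, overrides the per-user value.
    foreach ($path in $policyKey, $userKey) {
        $v = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [int]$v }
    }
    return 0
}

$active  = Get-DesktopSetting 'ScreenSaveActive'      # 1 = screen saver enabled
$secure  = Get-DesktopSetting 'ScreenSaverIsSecure'   # 1 = password on resume
$timeout = Get-DesktopSetting 'ScreenSaveTimeOut'     # seconds of inactivity

# "Interactive logon: Machine inactivity limit" security policy, if configured.
$systemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$machine = [int](Get-ItemProperty -Path $systemKey -Name InactivityTimeoutSecs `
                 -ErrorAction SilentlyContinue).InactivityTimeoutSecs

$saverLocks   = $active -eq 1 -and $secure -eq 1 -and
                $timeout -gt 0 -and $timeout -le $MaxIdleSeconds
$machineLocks = $machine -gt 0 -and $machine -le $MaxIdleSeconds

# Whole-disk encryption state of the system drive, plus whether a recovery
# password protector exists (the "recovery key" the article says to keep).
$disk = 'unknown (BitLocker cmdlets unavailable or prompt not elevated)'
$recovery = $false
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $disk = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
        $recovery = [bool]($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
    } catch { }   # leave $disk as 'unknown' when the query is denied
}

[pscustomobject]@{
    ScreenSaverLocksSession = $saverLocks
    MachineInactivityLock   = $machineLocks
    SystemDiskEncryption    = $disk
    RecoveryPasswordPresent = $recovery
}
```

A result with both lock values `False` means an idle, unattended session stays open; a disk status other than `FullyEncrypted, protection On` means the contents are readable by whoever holds the machine.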

Take your laptop when you pee

I’ll be blunt: if I’m at the coffee shop and need to use the restroom, my laptop comes with me. I do not trust it away from my sight. Honestly, even walking a couple of dozen feet away to get sweetener for my coffee makes me uncomfortable, even though the device is within eyesight.

This is true for any public place you take and use your devices, including airports, libraries, and schools. It even applies when at the home of your latest new acquaintance or friend-of-a-friend. At a minimum, make sure the device is locked if you do walk away.

Lock the doors

I hear fairly regularly from individuals who’ve had their information compromised by their roommates or roommates’ friends. In situations like this, one of the most common solutions is to lock your device.

Not with software (though that’s good too) – with hardware.

Get a lock for the room containing your computer, or find some other form of physical security to prevent access or theft.

Make travel plans

Travel can be complex, depending on where you’re going and what you need to take with you.

At one extreme, the Electronic Frontier Foundation has some ideas for individuals traveling internationally that could include traveling with only pristine devices that contain no sensitive data whatsoever, and relying on cloud access for the information you need.

At a more practical level, the single most important thing you can do is plan for your device(s) to be lost. Not only is losing a device when traveling frighteningly common, preparing for the possibility also readies you for theft. Encrypting, backing up, logging out, and simply making a habit of all the items I’ve discussed above are key to traveling safely and keeping our digital lives secure.

There are times – intentionally or otherwise – where our devices will be out of our control and potentially even in someone else’s hands. It’s at those times it’s important to remember the most basic rule of all:

If it’s not physically secure, it’s not secure.

Footnotes & references

1: It’s unclear that a fingerprint unlock is sufficient. At a minimum, it seems to be legal to require that you present your fingerprint to unlock a device, as opposed to disclosing a PIN code.

13 comments on “Walking Away From Your Computer”

  1. You talk about “Encrypt, encrypt, encrypt.” Is it safe to use Veracrypt on an SSD drive? I’ve heard that encrypting an SSD drive can shorten the life of that type of drive. What is your take on that?

    • What shortens the life of an SSD drive is constantly writing to it. So yes, in that sense using anything on an SSD drive will shorten its life. However, the SSD drives that are being sold in computers now have such long lives that it is not much of an issue. A thumb drive is a different matter.

    • Encryption is fine. It adds only the initial encryption pass as a write operation, after that all the writes are normal (and encrypted).

    • I prefer BoxCryptor to Veracrypt for a couple of reasons. I encrypt all of the sensitive files I have on OneDrive. Using BoxCryptor only uploads and downloads changed files. With container encryption like VeraCrypt the whole container is uploaded and downloaded. BoxCryptor saves a lot of bandwidth. It might not be a significant savings, but this would also reduce the writes to your SSD.
      https://askleo.com/boxcryptor_secure_your_data_in_the_cloud/

  2. I sometimes find myself thinking “This computer is safe. I’ve kept all my sensitive data elsewhere, and I’ve protected everything with good passwords, even a pre-boot fingerprint. It won’t do a thief any good.” Then I have to smack myself on the forehead and remind myself “The thief doesn’t know any of that. At the very worst, it’s worth a quick hundred or two.” Even if they don’t do any harm to my data or ID, it will mean hundreds of dollars and months of inconvenience and grief, not to mention the agony of thinking someone else can play in my life.

    Leo’s right. Not even for a second.

  3. A few years ago [quite a few, truth be told] I had to help a customer of mine [I manage a small internet provider] hack into her own computer. Her daughter’s ex-boyfriend had changed the login password. Now, of course, she would likely be out of luck.

  4. One thing it’s important for people to realize when traveling internationally is that not all countries subscribe to the concept of innocent until proven guilty. That’s based in English common law. The more common situation is Napoleonic Law (Mexico and most Latin countries, and some European). Under Napoleonic Law, one is assumed guilty until proven innocent. This can be an inconvenience, or quite devastating.

    • Wasn’t quite finished, but my tablet thought I was.

      One other important thing I wanted to add was that one needs to consider that not everything that is legal in the U.S. may be legal in other countries one is visiting. This could even include photos taken or information on the device, including what is written in email.

      Hope this helps.

    • I don’t know where you got this idea that Napoleonic law means guilty until proven innocent, although it’s useful to remember that laws are not the same in other people’s countries.

      The important thing to remember is: for all practical means, laws don’t apply when you’re a foreigner at a border point. The border agents have the power to refuse you entry no matter what, and to make your life miserable in the meantime, which could include many hours under police supervision before your being kicked out. Once you have been refused access to that country, there might be a big red check next to your name, which guarantees you enhanced attention if you ever try to re-enter some day.

      This of course applies first and foremost to that large country with “English common law”, the United States. It also applies to Israel, which was the first, to my knowledge, to ask for social media handles at border points. But even if you’re an American citizen (or, worse, resident), you can be harassed at the border, required to give up user names or passwords, and upon refusal relieved of your devices (which could be held up for many months before being returned to you, after having been possibly hacked into).

      In any case, you can be confident that any bad idea of this sort will quickly be picked up by many state authorities all over the world, regardless of “Napoleonic” or “English” past.

      As for encryption, there are several countries in the world where refusing to provide a password when required to do so by police or court order is a crime. Currently, there is at least one person in the United States serving indefinite time in jail because of that. Great Britain has a similar law. You don’t even need to apply rubber hose in order to do rubber hose decryption nowadays.

      https://en.wikipedia.org/wiki/Key_disclosure_law

  5. I got fired from a job because I left my desk but didn’t secure my PC. Someone used it to send a Taliban joke – shortly after 911 – to 20 managers. I couldn’t prove it wasn’t me. Although I explained and apologized to the managers (they all forgave me), the company did not. To this day, I have no idea who did it although I have a suspect in mind. One can only hope that what goes around comes around.

  6. G’day Leo,

    Just heard on the news that some airlines will be introducing new security procedures with carry-on laptops/ipads etc. Seems some terrorists use them to plant bombs. Is this off topic? Well apparently they will be interfering with the security of the system, so just maybe they could cause damage to the OS or such. Don’t know how this will affect encryption.

  7. I have 3 overseas trips from Australia this year during which I usually take a larger laptop but this year I’ve purchased a basic 11.6 inch tablet with only 32GB of internal memory and have supplemented this with a 64GB microSD card. These 2 areas of memory will hold OS and other applications including PortableApps.com which covers most of my roaming requirements.
    Now back onto the subject of security, I’m also taking a 2TB external drive and on this have a backup of my OneDrive folders and a lot of other real private stuff that I will keep secure using a free version of Steganos Safe to have a well secured hidden folder on the 2TB drive.
    When roaming to access WiFi I’m considering using the free version of TunnelBear VPN.

  8. US citizens returning to the US are subject to having their devices held as long as ICE wants. This applies even to being within 50 miles of a border. Don’t take your devices with you unless you can do without it after coming home. It may be rare but I don’t trust homeland security. A little too authoritarian.
