Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Hardware

Laptop Lojack? 107

daninja asks: "Yet another laptop with classified information seems to be missing. It looks to me like there must be a good sized market for highly secure laptops with a built in Lojack tracking device (or simply a laptop with an integral handcuff, kind of like that briefcase full o' blues secured to the wrist of Elwood Blues). Such a device (the Lojack version, not the handcuff one) could be designed so that the tracking transmitter couldn't be separated or disabled without rendering the disk unreadable (by a small explosive charge, mildly corrosive gas, or whatever). It seems so obvious, why isn't there such a product? (Hey, maybe I could patent this idea!)"

I have to admit, I too have had ideas along these lines. This shouldn't be too hard to build, however the laptop would have to be always-on (which would be hell on the batteries) and a GPS unit would need to be added in some way shape or form. This isn't all that unlikely, there are handheld GPS units on the market. How difficult would it be to meld one into a laptop?

Update: 04/28 02:15 by C : The link to the picture of the Blues Brothers has vanished. It was there when I posted this article days ago, but it's gone now. Sorry about that.

This discussion has been archived. No new comments can be posted.

Laptop Lojack?

Comments Filter:
  • by Anonymous Coward
    Maybe there needs to be an electronic key that enables the drive included in the lojack device, so removing or disabling it disables the hard drive. Yes, I'd like to have my laptop back with or without data, but I'd really like to encourage the criminal to leave the data alone.
  • by Anonymous Coward
    What did spooks do before lap-tops ?
    We carried briefcases and diplomatic pouches.

    Did they walk around the streets with briefcases (or carrier bags ?) full of confidential files ?
    Yes, briefcase and attache cases. We normally drove if the distance was more than a few blocks.

    Wouldn't carrying all these file make him stand out in public ?
    Not any more so than anybody else with a briefcase. You were normally more concerned about petty theft instead of international espionage.

    Weren't there rules about carrying this stuff in public ?
    Yes. The rules still exist. Briefcases disappeared about as often as these laptops. Extremely sensitive information oftimes would require two people. One with a briefcase and a handgun, the other with a handgun.

    I worked as a courier several years ago. I used to enjoy stepping through the metal detectors at the airport and just showing my credentials when the alarm rang. Most of the time it was just my keys setting it off.
  • Obviously this isn't a solution that provides k001 James Bond-style hardware like GPS, radio transmitters and such.

    What I have long felt is that something like Lotus Notes is the right answer to the "laptop theft" problem.

    Lotus Notes offers three major facilities that are helpful:

    • It provides an explicit "document management" system as its substrate.

      It actually has parallels to NNTP news, the way Slashdot should operate... which leads to...

    • A simple "data replication" mechanism. If all your documents are set up as Notes Documents, in a Notes Database, they can spawn other applications to view/modify them as needed, but, once you save them, they sit in a database, ready to be replicated.

      You are at the office, plug the laptop into the network, and select Replicate. It synchronizes the state of the database on the laptop with the state of the database on the LAN.

      This means that if the laptop is stolen, all it takes to get the new one repopulated is to run Notes, connect to the appropriate databases, and select Replicate, and the laptop will get loaded up again. (Ready to be stolen again!)

      The fact that it's a single database provides, as a natural direction...

    • The use of encryption to protect the databases from intruders.

      If all the data sits in the Notes databases, and they are encrypted, on the laptop, then the nefarious Laptop Thief may have a slick new laptop, but will not have an easy time getting at the secret information on the laptop.

    Linux offers things like CFS, the "Cryptographic Filesystem," which may allow filesystems to be kept secure. (I thus protect a partition or two on my laptop.) The thing that it misses is the "data synchronization" ability that Lotus Notes "replication" provides.

  • Notes? Urgh. Couldn't you just use Coda [cmu.edu]?
    --
    W.A.S.T.E.
  • And what are the chances of being able to take this laptop onto an airliner?

    Just imagine - you're on a long cross-country flight, hacking away on your latest and greatest code ever (or just dealing with some BS your manager wants done "pronto"). You get up to stretch your legs ('cause you're in economy), go to the bathroom. Your seatmate (who has been downing one martini after another) wakes up from his drunken stupor, sees your laptop, decides that he really wants to play a game of Solitaire...

    Next thing you know, masks are dropping from the cabin ceiling, smoke is filling the cabin, the pilot starts looking for the nearest landing strip, and you're glad you were already sitting on the toilet when this all started, 'cause you lost control of your bodily functions when the smoke alarms went off...
    ________________________

  • First of all, I doubt there's enough of a market for laptops that carry secret information. With the budgets that most departments have to work with these days, they'd rather forego carrying laptops rather than pay a premium for them. Also, the laptop would have to look like any other - you don't want to whip it out on a plane (not necessary to work on classified information) and advertise, "Hey! I'm a spy! I've got a laptop with special shielding so that no one will be hurt when the hard drive explodes."

    Which is another thing. Exploding hard drive? Let's face it, most of these laptops are being taken by petty thiefs who don't care about the data. This one at the state department I'm not so sure about as anybody who smuggled that laptop out of there knew that the consequences for getting caught would be dire (getting fired, never working a government contract again, prision). In any case, the thieft of laptops is becoming too commonplace. This is certainly something that business travelers have to worry about as well. So here's my idea:

    Wire the Lojack style device and GPS receiver onto the mainboard. Not only will a surface mount make it a bitch to remove, but you could devise the BIOS so that it won't boot without it ("GPS Receiver not found. Move ten meters north to continue."). The Lojack device can run in passive mode most of the time, just listening for an RF signal. When it receives its RF signal (probably shortwave for distance coverage), it knows its been activated and it goes into active mode where it actively transmits its ID & position, again, probably on shortwave for maximum coverage.

    The primary limitation in that plan is the RF bandwidth needed for the operation. However, all activation transmissions would logically be digital and could be packet based, just transmitting the activation requests round-robin. The reply from the machines would use a second frequency and stand a higher chance of collision so to avoid that, I think they should use a random interval between transmissions - just like Ethernet except rather than perform collision detection (which wouldn't be accurate if two computers are equaldistant but opposet directions from the recieving tower), they just presume there'll be collisions and hence transmit randomly. We presume not too many of these computers will be acivated simultaniously (as the machines should be recoved and disabled quickly) lest that RF band will just get saturated. In the event that does happen, new machines will need to be configured to use a different band (keep in mind that trying to get shortwave bandwidth allocated is not easy nor cheap).

  • There is a Swiss company that makes explosive CD's (I think posted here !!) So you could use an inverted failsafe code. That is, start the machine and require the correct code else an autoload program triggers the cd to self destruct. Sure you'd have to change the engineering some like building a tiny minidisc and sealing it so it can't be removed from the machine or is packaged with the hard drive.

    BTW hardrive encryption works pretty well. My Thinkpad has an option to encrypt the hardrive and while they don't publish the algorithm we've never seen a case where someone has to managed to break it. This is not to say it's unbreakable but seemingly no one's succeeded or bothered to try.
  • I know that the Navy has some kind of system where a special key-combination will cause the hard drives to melt. It does seem kind of odd that laptops with sensitive information wouldn't have something similar. Or perhaps the information on these laptops isn't really all that important...
  • by jerrol ( 7184 )
    LOJACK works by emitting a homing signal. A set of 4 antennas on the top of a car allows for triangulation.
  • I had a friend once who was so afraid of the "fedz" busting him that he wired up a DIe-Hard truck battery with an iron railroad spike wrapped in heavy gauge wire. The electromagnet was then placed between his hard drives. There was a switch under his desk and a switch inside the case that would be activated if the cover were removed without throwing a switch on the underside of the case. Neat system. Probably worthless, though, as he bragged about it so much that the "fedz" would know about it if they were really that interested in him.

    Incidentally, he threw the switch one day while moving his monitor and proved that the system worked. ;) He only lost a few hundred megs, but that was back int he day when your total hard drive space only reached a few hundred. ;)
  • All these would be worse then what currently exists, cause they'd just give fake security. Frying electronics is not a way to stop hard drives from being read.

    -David T. C.
  • First of all, the problem with a chemical solution (acid, explosive, therimte, etc.) is the danger for the user.
    Bat what about this: The harddisk will be encrypted anyway, if you store a part of the key in a battery backed-up SRAM you just need to make sure the power goes off when the tracking device is removed...
  • It seems a good solution would be for someone to come up with a HD controller with GPS/lojack integrated. The controller uses very strong encryption so that the disk by itself if unreadable and the controller must receive a GPS signal and send out a lojack beacon signal before it will spin up the drive. Would add a heck of a delay to boot up and wouldn't work in tunnels/undergroung/etc but would give more security than they have now. Of course any encryption can be bypassed eventually. (Perhaps explosives embeded in the drive so it goes poof is you use another controller to access it).
  • So lets install a GPS on a laptop so we know where it is at all times. Hmmmm... Since I know who the owner of the laptop is, I can trace their position at all times.

    I see you have been to the local brothel this week ... We have morality clauses for our employees, your fired!

    With the Internet, databases, and computers galore, privacy of information is lost. Do we really need to take this a step furthur?

    On the other hand, how do you track down a stolen laptop without invading the users privacy? Does the loss of privacy outweigh the benefits of keeping your data secure?

  • Security is always a matter of economics. For nuclear warheads, the cost of bypassing tamper responsive hardware should be (generally is) greater than the cost of building the warhead in the first place (so that stealing one would just be dumb).

    For laptops, it should be the case (and on some is) that the cost of deleting the hardware passwords (mother board and disk drive) is greater than the value of the laptop. If you want laptop returned, there should be an "anonymous return for reward message" displayed on the password splash screen (anonymous to encourage return and to disallow bargaining by the thief).
  • No system for protecting the data thats already on an laptop will ever be 100% safe.
    So why not save all the data on the net instead? Because no transfer will be 100% safe either..

    Then do neither. Make an encryption system where half of the information is saved locally and half is saved on the laptop.. That will be 100% safe from decryption (without having both the server and the laptop), because no individual parts contains enough info.

    The drawback is of cource that the laptop have to be online all the time, and you will still loose all info when the laptop is stolen...
  • I don't think it is actually provided by Lojack, but they already have system like Lojack for laptops. The antenna for the system is embedded in the motherboard as an integral piece somehow, that way if it is removed the laptop becomes unusable.

    I am not sure if they went into production, but the technology *is* out there, so it is probably already patented.


    /*---------------------------*/
    Man? What is man?
    But a collection of chemicals with delusions of granduer.
  • i read an article awhile back about a system kinda like the lojack. you have to enter a password or something and if you don't then the next time the laptop is connected to a LAN/the internet it sends a message to a monitoring company telling ip address et al.

    can't remember where I saw this...
    "Leave the gun, take the canoli."
  • I've already patented the idea! BWAHAHAHAHAHAHAHAHAHAHAHA!

  • beep I'm carrying classified information and I am here.
    beep I'm carrying classified information and I am here.
    beep I'm carrying classified information and I am here.
    beep I'm carrying classified information and I am here.
  • I've always learned that you ought to have backups of important information.

    If the data stored on the laptop is important enough to attempt to retrieve the laptop, I think it's quite a stupid mistake not to have backups!

    After all, there could be hardware failures or the owner of the laptop could accidently drop it, then a bus could drive over it after which it could be flung into a nearby river!

    You wouldn't believe the amount of damage a family of crabs could do to a submerged laptop!
  • Java Ring? Is that like a circular queue (only slower)? ;-)
  • >I see this accursed mistake all over the Internet and I ABSOLUTELY CAN'T STAND IT!

    You and me three...
  • I remeber hearing about something like this a while back being used to recover laptops.

    Some company sold a software product that ran in the background. Periodically, when the laptop was logged onto the internet, this software would check in with a central server for some reason or another. It did this in the background without any formal notification.

    Someone stole a laptop and was using it. This software was still running unobtrusively in the background. They were able to trace the laptop back to the ISP that the thief was using to log on and then find the theif and the laptop.

    Now this only works if the disk of the laptop isn't wiped, the thief logs on, and no one notices and disables the software but it was still pretty cool.

    Looking for the original story, I just found this link to a company [softwaresecurity.com] that sells a product that claims to do this sort of tracing.
  • I don't know about the power consumption, but I guess it would make more sense anyway to modify the harddisk, for example, so that if you remove it without a special key, it'll destroy itself at the next power-on (with a special "erase head" that systematically sratches the surface, for example). The laptop must then be protected against use with a BIOS password that really cannot be removed or worked around (and that can't be that difficult, either).

    As for the price argument: I think this isn't such a big issue if you are a big corporation or a kind of secret service that has *very* valuable secrets, which would cost you a lot more than a few hundret $$$ if they were stolen.

  • If I recall, part of the spec for High-class containing/carrying (notebooks) and computers in general is that if they are tampered with, the drives erase. If orange book doesn't already cover this, then someone needs to be shot.

    Bob
  • There already is a product that is a "lojack for your laptop". Unfortunately, its Windows only.

    http://sentryinc.com/CAProductInfo.cfm
    --
    Donald Roeber
  • First of all, couldn't any kind of transmitter be blocked my a lead shielded briefcase? If someone is going to have the testicular fortitude to steal a super-secrect gov't lappy, he's gotta have some smarts and some commons sense, at least he should.
    Nextly, why not just have a hardware key system for such things? Years ago I bought a copy of the Encyclopedia Britanica on CD and to use it you needed a small plug inserted in your parallel port to use it, lest it not work at all and to prevent copying (it was expensive). So if you want to use it, you gotta have the key, or even maybe, give one to one agent and another to another agent, and they both have to be inserted to make the laptop work.

  • Lojack had to deal with this exact problem already. After all, do you want to drive around in a car that constantly beams your location to anyone who wants it?

    Here's what they came up with: Nothing is transmitted until the system is activated. When a car is reported stolen, the police send out a signal (repeatedly) telling that car's Lojack to activate. Only when it receives that signal does it begin broadcasting its location.
  • Why does the laptop have to be always on? All that needs to be always on is the lojack system--which I assume would consume less power than the computer itself.

    Actually, I'm not entirely sure about that. How much power does it take to broadcast your position, or whatever lojack does?

    The big question I have is, would anyone really pay for this? When you pay $30k for a car, and expect to sell it for $15k in a few years, an extra $800 plus $100/year is no big deal. When you pay $3k for a laptop and expect to sell it for $300 in a few years, it doesn't make as much sense....
  • Sure. You can also get around Lojack by taking the car to a non-covered area, or a shielded garage, before the system is turned on. The system isn't 100% perfect. Lojack claims 90%. Maybe for laptops it would be signficantly lower. But it probably wouldn't be 0%.

    It's probably impossible to make something impossible to steal. But making it harder for people to steal it and get away with it is still sometimes a worth-while effort.
  • Well, the idea of a harddisk that destroys itself if you remove it or power up without entering a key is pretty good. It should be much cheaper, and maybe more importantly, simpler (and therefore more likely to be foolproof).

    But there are still two advantages to the lojack-type system.

    First, sometimes it's important to catch the guy who stole it--or at least to know who it is (e.g., so you know which of your competitors to enjoin).

    Second, sometimes you want to protect the valuable asset itself, not just prevent anyone else from using it. This could be the actual hardware, thousands of dollars worth of licensed software, or data that hasn't yet been backed up that's extremely important. Obviously, in those cases, you don't want to destroy it.

    One more thing: I think you want a better way to destroy the hard drive. Scratching the media may make it stop working, but data recovery experts could probably still get a lot out of it. Plus, it would probably be obvious that something odd is going on, and the thief might be able to turn it off before much damage was done. You probably want to do something much more drastic and unstoppable, and harder to detect (release acid into the cylinders?).
  • Ok, let me get this straight...we all want more stable computers, right? Yet you want to put something to completely disable a computer inside it? All I know is this thing better be a lot more reliable than the typical computer system, or a lot of super-secret information is gonna be lost when it triggers accidentally...
  • Yeah. That's kind of what I was getting at in my post up there that got moderated down to -1 Troll. Dammit, I was making a point (though a slightly angry drunken point) about first posters being childlike enough to get a kick out of getting a "First Post!".

    Eruantalon
  • I think that's a great idea. However, it's not a failsafe. Ineptitude's a security breach unto itself. In fact, a relative who will remain nameless was in a COMPUSA a few months back when she overheard a young guy (alone) with a laptop go up to the counter saying that he needed a replacement harddrive. He claimed it was very important because he had to get Madeleine Albright's laptop back to her today. It's a good possibility that this guy was pulling the counter-person's leg to get faster service . . . but if this *was* true . . . what did they do with the old harddrive? Why is the State Department using CompUSA and not someone internally to service their machines? And why not just order a new harddrive w/out bringing the laptop into a public store without security? I think this is definitely scary stuff.
  • Ok, guys. You can't possibly be serious about putting a "Lojack-stye" transmitter into one of these things.

    Think about it. These laptops are presumably the property of spies and other high-security/risk officials. How can they work covertly if you're broadcasting their location?!?

    It was a good idea otherwise, and I think the civilian market might still be interested. :-)
  • Encrypt the hard drive, put the unlock code on a key or dongle that's strapped to the wrist of the user. If you put a USB port on the front of the laptop, this should be easy to do without having the cord get in the way. Have the laptop go into sleep/secure mode whenever the dongle is removed.

    For added security, three wrong dongles in a row plugged into the USB port causes the CD drive to pop open and the laser to slice through your brain. :-)

  • How about encrypting the hard disk with a biometric key?? Insert eye to view you email .
  • Actually, I remember reading an article on O'Grady's PowerPage about a similar service.

    I even took time to look up the URL:

    http://www.go2mac.com/displaynews.cfm?newsid=586 9

    Hope this helps all in need.
  • That these recent "losses" of laptops could just be attempts by intelligence agencies to leak false information to the enemy. You leave a weakly encrypted laptop somewhere with some disinformation (and some real intelligence to make it look reliable) and then put a story in the press saying how dumb the agency is to lose their data. I wouldn't be suprised if that's what it was, although it has been happening a bit often lately, hasn't it?
  • > This doesn't sound like a realistic solution to
    > me - the certificates pass phrase might be
    > cracked, at least by the guys really interested
    > in such data. Or simply get the person who knows
    > the phrase and make him tell it

    Well that depends on the crackability of the
    passphrase. If its a good passphrase, it should
    be a very hard problem to attack it. Of course,
    they need a copy of the certificate itself to
    attack....it could easily be stored in a smart
    card or som,e similar device.

    As for "get him to tell you", thats a problem with
    ANY system for keeping secure data, all you need
    to do is compromise a person with legitimate
    access. (like if I wanted someones medical
    records...couldn't I just get a job in the
    hospital records filing room, and steal them?)

    > A keyboard which is able to check the users
    > finger prints makes much more sense to me

    Such a system doesn't sound like it would be very
    reliable. Most of the time it would only be able
    to get partial finger prints, it would have to get
    them VERY quickly, as people type, and it would
    require the hardware to do the scanning in EVERY
    key...which means 100+ individual finger print
    scanners, in 1 keyboard.

    This STILL does nothing to the idea of a
    comprtomised person with legitimate access.
  • A $2000-3000 laptop isn't such a big issue for a country which pays other bills in billions...
    And I seriously hope that the laptop had some strong harddisk encryption installed (without stupid NSA backdoors, that is) so that the theif doesn't really win anything.
  • Why the hell would somone with such important data store it on a non removable media. All important data should be stored using pgp or the strongest form of encryption available. It should be stored on non rewriteable removeable media. Its that freaking simple!!!
  • Here is one simple way to prevent the hard disc from being read.

    1. Put an innocent looking AC adapter port with a label for volatge, amperage and polarity, then, hook that to blow a soldered on fuse (that is hooked into the battery power or hard drive circuitboard) when connected to external power. Hide the real AC port.

    Here is another:

    2. Make the HD pop out when the 'puter is turned off and make the agents bring the HD with them...

    and another:

    3. Charge a big capacitor and rig it to discharge and fry the HD circuitry when the power or IDE connector is disconected or when multiple authentication attemps fail.
    AND
    4. make the agents boot from a diskette. configure a program into boot sector of the harddrive to perform a low-level format when booted from the hard-drive instead of the diskette which contains the real bootloader.

    although this is really security through obscurity, coupled with some strong encryption techniques and agents who don't leave their laptops lying around it would work, i think.

  • >from the never-loose-it-again dept.


    ARRRRGH!

    From the pet peeve department:

    "Loose" rhymes with "goose" and "noose" and means the opposite of "tight".

    That's when "loose" is an adjective. When used as a transitive verb, as it is in "Never loose it again," it can mean to detach or release.
    Since the article mentioned handcuffing the laptop to your wrist, it could mean "attach yourself to your laptop and never unfasten it again" either physically with a chain, or metaphorically with a LoJack transmitter.
  • In order for this to work, it (the tracking system) wouldn't have to be on, but just to send out a beacon once turned on.
    Another idea would be to put one of those stamps on it that once removed still says information, like, "This Laptop should not leave the ".
    That along with the only-send-out-becons-when-one idea might help curb this problem.
    --
  • I think they're more worried about someone getting access to the data on the laptop, not about losing it.


    --Fesh

  • Comment removed based on user account deletion
  • Darn, I was hoping to be the first person to post this! ;) Okay, yes, for all the wonderous discussion on this topic, this is the basic reason why this scheme doesn't work. Enclosing the device in a "Faraday cage", which is basically any metal box, will totally disable the transmission capability. This is the same reason you lose your cell phone conversation when you get into an elevator. Sometimes I wonder if this is Slashdot, or SlashskippedphysicsinhighschoolbecauseIwasinthecom puterlab.
    * mild mannered physics grad student by day *
  • What if you put the laptop in a briefcase that had electromagnetic shielding? Could a system like that be defeated by such a briefcase?
  • The US has a law where a patent can be filed up to one year after being published. This is what happened with LZW [burnallgifs.org]; Welch sent it to the journal, it got published, Uni$ys patented it.
  • It looks like someone makes a solution for Win9x and NT... http://sentryinc.com/CAProductInfo.cfm
  • The most obvious solution would be to start a company that can build cellular perihperals to fit inside the laptop that activate and send a 'ping' at timed intervals on the cellular frequencies when powered. Much esaier now that a lot of portable devices have built in modems, for those you just write software. The purchaser then buys a 'security' contract (further revenue) and if it's stolen he reports it and then your control center monitors for that device's id on the cell frequencies. Cellular networks can locate phones by the relay transmitters the signal is picked up by. This is if you wish to retrieve the hardware and if hardware costs outweigh the cost of insurance. If it's software/info that's important to keep secure, design a BIOS that requies a startup password and encrypts data automatically and CANNOT be disabled by flashing or removing CMOS battery. 3 bad passwords and it trashes the encryption key and/or virally renders the bios unusable. Clearly mark the hardware as such and crooks will soon learn to avoid those bits as they cost too much to circumvent and render any stolen goods useless. I once had to support an IBM laptop that someone had applied a password to the HD. They had left the company a few months before and the dept didn't know it. IBM said it was impossible to remove it and we would have to buy a new one. Good for IBM, bad for us ($350) but a good idea for security. That's all you need and it's cheap! Finally, train agents in basic security.
  • As of your post, your idea has become public domain. Sorry.
  • http://sentryinc.com/CAProductInfo.cfm

    IBM also manufactures similar products, one of which will automatically encrypt the data on a laptop if it's removed from a building without prior authorization:
    http://www.ibm.com/security/news/pr_notebook.html

  • Here is something a bit less extreme that one might consider. A lot of agencies outsource or steal ideas from other places these days.
    savethelaptop.zzweb.com [zzweb.com]
    Enjoy!
  • when you can have kojak?

    (ducks)

  • Two of these spook lap-tops have gone missing in the UK. Now this one has vanished in the US. This raises a number of questions:

    What did spooks do before lap-tops ?

    Did they walk around the streets with briefcases (or carrier bags ?) full of confidential files ?

    Wouldn't carrying all these file make him stand out in public ?

    Weren't there rules about carrying this stuff in public ?

    The problem is not a technology problem. It is not to do with lap tops. Nice portable high value things will always get stolen. This is almost axiomatic !. The problem is a 'spook business process' problem. The advent of laptops has made them get sloppy over security. Since we pay these reptiles to look after our security (allegedly ......), it is time for someone in authority to ask serious questions related to their competence, remit and funding.

  • GPS has problems working in heavily forested areas, so I can't imagine that it would be useful inside a structure (such as a building or tunnel). The beacon idea seems better, but the transmitter would require a reasonable amount of power (1 KWatt ?) as well as a reasonable antenna to provide useful range.

    I suggest that a different approach is needed.

    /Don

  • I remember reading a while back that 2 stolen laptops were recovered that were running the RC5 keycracking client for distributed.net

    The client flushes keys to a keyserver and gives the IP address of where the keys are being sent from. Those keys are also flushed with the user's e-mail ID.

    When keys w/ a certain e-mail ID come in, the distributed.net people could go through the keyserver logs and trace the flushed/fetched keys to an IP address. Traceroute/nslookup - then contact ISP - THe jackass using the stolen notebook is probably using it from his home.

    I don't remember if they were running the CLI or the GUI, and whether it was running in "hidden" mode or not.

    But we've already got Laptop lojack! Thanks to Nugget and the distributed.net people!

    http://www.distributed.net
  • All these laptops being stolen, and I bet I coulnd't MAKE someone steal my Thinkpad...
  • if it's running any flavor of NT then there's already a self-destruct mechanism built in...I mean, how long do you think the data would exist before GPFs necessitate a reinstall...
  • You don't even have to go as far as encrypting the file system. You can just encrypt the files themselves. Although, that migth still leave plaintext copies laying around in various caches when the user decrypts them to do work. Never mind, encrypted files systems are the way to go on this. What all these incidents leave me wondering is where did the "Orange Book" go? I think carrying info in plaintext outside of the office violates information security guidelines outlined in that document. I think rather than idiot proofing things, hte better counter measure in intel agencies and any organization which deals in senstitive material is to get rid of the idiots. The only way to do that is establish clear information security rules, train, and enforce rigoursly. Lets face it, the value of a laptop is minimal--especially if its insured--compared to the value of the data on it.

  • You already disclosed the idea to a public forum before you submitted your materials for a patent. Think that is what that lousy patent all software before someone else does class told us...
  • whaddya bet it was a manager and the 'higher than top secret' files are on the desktop in ms word format unencrypted and no bios password or anything else... chuckle chuckle chuckle... if someone stole my laptop they would have to guess at my bios password, then have to get root, then have to un pgp (private key is not on system).... lucky them... and hell all i have is essays for classes.... oh well...
  • Well, any of you ever see Mission Impossible - when they had the whole programme boot up that also used the HD as generator for a homing signal? *grins wickedly*

    Actually, that idea wouldn't be too difficult to do. All one has to do is to integrate a low power transmitter on an odd frequency that's integrated into the hardware - perhaps the drive itself or the mobo - that cannot be dissected - and under conditions (like multiple fail attempts at passkeys) it would trigger it. The antenna can be integrated into the case itself, kinda like those window antennas in cars that's covered across the rear window of cars - except in this case, it would be laced all over the panel and the case itself.

    As a backup plan - have little polymeric cells that contain cyanide based acids (This is the stuff we use to dissolve gold with) hidden throughout the entire unit looking like capacitors and other elements of the system. Again, with the multiple passcode failures - a secondary power system is triggered that is not normally functioning - kinda sorta like in T2 when the terminator finds an alternate power route - and activates these plastic units. Which in turn dissolve and eat everything in sight *AND* kills the person in the process via chemical reaction.

    -victem
  • I like my Thinkpad, even though it's a little long in the tooth. I'd be heartbroken if the thing got stolen. So, I carry the thing in a nondescript backpack that doesn't look like anything special. This backpack has a padded compartment, however. Silicon Sports made it, and there are other companies making similar. I wonder if that laptop was being carried in one of those obvious "Steal me! I'm a laptop!" leather bags. You know the kind I'm talking about. --.\\-H--
  • There is a not-so-old expression, "It's the data, stupid." That would be the only reason you would want such "insurance". The government is having their precious data stolen, and in terms of capital value, it would still be a problem if it were written on $.02 index cards.

    -L
  • Person steals laptop. Person wants either
    a) Laptop itself
    or
    b) Data on laptop

    In the case of a), if there's a self-destruct device on the hard disk, the thief likely won't care. That's not one of the most expensive pieces in it anyhow. Yank it and replace it.

    For b), use RF sheilding. All ya' need is a big ass metal box around the thing to prevent tracking. Getting the data wouldn't take that long. Then you just chuck the laptop in a lake.

    This thing actually has a market for cars because there are so many cars and the probability of having a lojack in a car is so small that the risk is worth it for a thief. It's hard to find this thing in a car. Plus, it's kinda hard to find something RF shielded to stash a car in.

    For laptops, it would probably be easy to find this thing inside, at least for anyone who cared. Once the word got out that they were common, ways would be found do work around it.

    The simple solution: Don't fucking put classified information on laptops. Maybe that's not very practical. Just the first thing that comes to mind.

    Sorry. Don't think this would work.

  • Wrong! The FedEx carriers were smokin some of that green they were smuggling and got the message fuct up in transit.

    The actual secret message is:

    17

  • This shouldn't be too hard to build, however the laptop would have to be always-on (which would be hell on the batteries) and a GPS unit would need to be added in some way shape or form.

    This is not necessarily an issue. The machine could transmit automatically only when is on. This would cut the strain on the battery, but still utilize tracking. Assuming you make the laptop such that it can't be physically broken into without damaging any of the machinery, the thief will need to turn on the computer to retrieve any data from it.
  • A $2000-3000 laptop isn't such a big issue for a country which pays other bills in billions...

    Remember, this is the same federal government that used to spend $600 for toilet seats.

    Sure, those laptops cost $3000, but they're 25Mhz 386s with monochrome screens and 4mb of RAM.

    ;-)

  • You mean something like http://www.magellangps.com/wirele ss/a_vision2.htm [magellangps.com]?
    --
  • Theoretically, this is almost correct usage, actually -- there's a sense of loose as a transitive verb meaning "to let free," although it's not in regular use.

    And, of course, it implies willfilly letting go, not just accidentally leaving on the bus.

    Just being even more pedantic for the sake of doing it; I'm with you, confusing lose/loose really annoying.

    --
  • A Java Ring was a device that you wear on your finger, which contains a small Java chip and some tiny amount of non-volatile memory. You plug it into a receptacle and the receptacle would power it and exchange data. The reason for having processing power in the ring, rather than just memory, is so the ring can do things like MD5 hashes, which allow the private key to remain private inside the ring. Don't ask me for details, since I'm a neophyte when it comes to encryption.

    --
    A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
  • Use a Java Ring or other physical device to hold the decryption key. That way they might lose the laptop, but they won't lose the data.

    --
    A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
  • Combine the ideas!

    If the laptop is supposed to be at places A, B or C, then use the GPS co-ords for those places as part of your key.

    The motherboard would contain a second part of the key (make some use of the P3's ID!)

    Thirdly, have a revokable certificate. Have the decryption code supplied require a connection to a certificate validation server to be unlocked. If it has been revoked, it gets deleted. Otherwise, it's decrypted and becomes usable.

    Lastly, require a pass phrase from the operator.

    Combine these in such a way that there is one unique decryption key generated BUT that no one person or component knows that key.

    If the laptop is stolen, sure you may discover the P3 ID. If you bribe/persuade the person responsible, you might even find the pass phrase. But the GPS is a bit tougher to crack, as you won't know the location of the room(s), and you're not going to get much further with the certificate validation system.

  • Turn the laptops into diskless workstations, fit them up with high-speed wireless LAN connections to a server in a secure place, and you'll never have to care if a laptop is ever stolen again.

    Alternatively, cut the James Bond stuff and stop having to worry so much about data theft.

    Last, but not least, install a command-line OS. Your average Government Agency is so lacking in brain-power that anything without icons is going to be too obscure and arcane for them to extract anything useful from it.

  • A lojack system is doable, but the problem is that laptops are always cramped for space. So yes, you could add it, but you would lose something else, and people are already cutting corners.

    OTOH most of the elements of a lojack system make sense for other reasons. An embedded cell-phone allows the laptop to get online virtually anywhere. Add some sort of location capacity to that (a separate GPS or just something that uses feedback about where the cellphone is connecting) and you get useful mapping capabilities.

    Now a theft-prevention device becomes a no-brainer. You don't even need to make it an explosive, just integrate the above parts with the laptop enough that to pull them out means breaking the laptop!

    Cheers,
    Ben
  • Not a terrible idea, but what would you be tracking? The motherboard? THe hard drive? Both?

    Far more sensible for a laptop with classified information would be to use a filesystem that stores all data on the drivce with strong encryption, and requiring a revocable digital certificate to decrypt it.

    I find it worrisome that any country's intelligence services would allow sensitive information to be carried around in cleartext. I don't know whatencrypted filesystem options there are for NT/Win2K.. maybe there is one. But I do know that there are readily available solutions for Linux and other Unix-style OSes.
  • CyberAngel already does this. It doesn't use radio that I know of (but that might be an interesting idea). It does use the modem (if the thief is dumb enough to hook it up, ANI will rat out his phone number). It can also be configured to wipe the hard drive if the unprompted password isn't entered within a certain time. And encrypted versions are also available.

    More info right here [sentryinc.com] and details over here [sentryinc.com].

    Unfortunately, no BSD or Linux version. It's just for Windows. But I'm sure someone can put something like this together for BSD and Linux.

  • Wait until GPS is available on a PCMCIA card. :) Peel the sticker off it and have your laptop quietly email you its location every 10 minutes.

    While you wait for that, try something a little more practical. Like keeping your car locked, and never letting your laptop out of your sight. Dont advertise the fact you have one, either. Its like carrying a camera bag with a big logo on the side--you're helping a theif do his shopping. But, if you want to go truly geek, have your laptop ping a known address you have access to, like your home box.

    For me, I have a very discrete black shoulderbag for my Thinkpad. Then again, i'm 6'5" 250, so, if anyone tried to yank it off my arm and run with it, I would rip their spine and beat them to death with it. Us Thinkpad owners are a bit protective of our notebooks. :)



    Bowie J. Poag
  • One laptop full of classified information I could understand.

    But two (publicly disclosed!) laptops full of classified information vanishing within a year, from different countries? Only one group in the world has the power and influence to pull that kind of stunt.

    C.H.A.O.S.!!!

    You know who to send for.
  • ...cryptography. Cheap, easy and truly secure (coz the 'black helicopters' always have bomb experts on board :-)... For the truly paranoid, there are several utilities that will use strong encryption to secure whole disk partitions (and some work flawlessly and transparently with Windows and/or Linux).

    Some utilities:

    Scramdisk [clara.net] (my personal favorite)

    BestCrypt [jetico.sci.fi]

    PGP Disk [pgpi.org]

    E4M [e4m.net]

    And to ease day-to-day operation: SecureTray [fortunecity.com] (Windows tray utility to manage encrypted partitions).

    engineers never lie; we just approximate the truth.

  • I'm still waiting for the day when I can just say that a filesystem is encrypted, enter my password once, *until the next boot, or whatever*, then have access to it.. the problem with encryption is that it's a pain to use - I GPG some stuff, but when it comes down to it, it's too much of a pain to do on a file-by-file basis.

    I was looking at cryptofs, but it'd be nice to have support for this in the kernel - yeah yeah I know - but all you people out there with terabytes of mp3's and downloaded pr0n and war3z might be interested. :)

    The point of my arguement is that it's a lot easier to guarantee the data will be secure rather than the notebook, which anyone with a pair of paws can swipe and run off with. (Maybe pass a law to allow shooting such people in the back? *humor* :) Some companies that I've worked for (Intel) already have internal policies for encrypting sensitive information on laptops. Of course, since it's a pain.....

    Kudos

  • Bit confused as to why the laptop would have to be on. The tracking device needs only to be an emitor. Fairly low power (just like the ones you can attach to cars). To add in GPS is again not a big deal, nice big area as an antenna (the laptop itself) and the calculations are fairly low power.

    Gentlemen, we have a dongle. A fixed one on the actual motherboard maybe, but still a self powered dongle.

  • >from the never-loose-it-again dept.

    ARRRRGH!

    From the pet peeve department:

    "Loose" rhymes with "goose" and "noose" and means the opposite of "tight".

    What we want here is "lose", which rhymes with "booze", "news" and "schmooze" and means the opposite of "find" or "win".

    Sorry, but I see this accursed mistake all over the Internet and I ABSOLUTELY CAN'T STAND IT!
  • You'd think that you guys would at least know how Lojak and GPS work.

    First, Lojak does not use GPS. The Lojak device remains passive once its installed. The device has to be activated by a signal (transmitted via satellite) from Lojak's control center, and they won't do that without a police report being generated. Once the device is active, it emits a tracking signal which the police can use to find the car.

    Second, GPS. GPS is a system by which you receive signals from a number of satellites with a timing signal. By knowing the locations of the satellites and the offsets of the timing signals, you can figure out where you are. The requires LINE OF SIGHT to the satellites. Too many buildings or too much heavy foliage, and GPS is useless.

    So GPS would be useless in a laptop like this. One, you'd have to have an antenna on the outside of the case. Sure, you could blend that in the with case, but that's the least of your problems. Keep the laptop under cover, or in a box, and the GPS unit can't determine where it is at all. Plus, GPS has a built in error (for civillian purposes) of anywhere from 50 to a thousand feet (IIRC), depending on what mood the military is in that day.

    OK, so Lojak. Lojak relies on the receipt of a signal from the satellites. Keep the Lojak device in a suitably shielded area, and it will never receive that signal, and even if it did, the transmitted signal would never breach your shielded perimeter. Now it's not a trivial matter to get a car shielded like that. However, a lead-lined laptop bag should work nicely.

    Not that I don't agree that a tracking system for laptops would be a great idea. Actually, something that could be used in any sort of small electronic device would be good to have.

    -Todd

    ---
  • OK, I know this is a troll, but maybe some people really don't know this--or maybe I'm just a sucker. Anyway: "umm, what the fuck is the lojack system, bud?"

    http://www.lojack.com [lojack.com]

    The idea behind lojack is this: You have this device in your car. It just sits there listening on a certain frequency. If you report your car stolen, the police signal it on that frequency, and it starts broadcasting its location. They can then find your car pretty easily.

    The reason that it works is that they got the cops in most major American cities (they claim 65% coverage) to go for it (and do all the work).

    By the way, I was wrong about the pricing. They no longer charge a yearly fee; it's just a $500-$1000 flat one-time expense.

    And yes, I think it's nice that I was able to get a real post in reasonably close to the top. Gosh, wouldn't it be terrible if you could actually read slashdot and find useful information?

  • No, it wouldn't have to be perfectly reliable. Lojack doesn't require that the stolen car be trackable all the time, just that it be trackable at some point.

    So if the thief brings the laptop to his secret underground lead-shielded lab and keeps it there, a Lojack-style system would never work. But if he brings it out into the streets, it'll be found.

    Some numbers: Lojack claims that their 65% coverage is enough to recover 90% of all Lojack-equipped cars as long as the theft is reported within 48 hours. (As opposed to somewhere under 25% of non-Lojack-equipped cars).

    So this isn't 100% effective. It's still better than what we have now (i.e., nothing).

    For laptops with really important data, you probably want to lojack the drive(s), encrypt the data (and use gigantic keys that would take even the NSA years to crack), booby-trap the device, and do everything else that's been suggested here. If the data is really worth millions of times the cost of protecting it, then as long as there's a one in a million chance of it being stolen, protect it. Simple cost/benefit.
  • Don't put extra top secret data on laptops. I mean, what the hell is wrong with these snapper heads? Laptops are extremely enticing targets for thieves anyway. It shouldn't take a great brain to realize that eventually one of those extra top secret laptops is going to get stolen.

    Aren't they supposed to handcuff the briefcases with the top secret data to themselves. And have them padlocked with exploding cyanide gas or something if someone tries to force them open? What kind of security-impared morons do they have working in the state department these days? Maybe they should give me a job. For a suitably exhorbitant fee, I'd be willing to outline some security policies for them. Feh.

  • Wouldn't it be more fun to just have a system that
    simply destroys the hardware? For example....

    Have a device that can be armed or disarmed with
    a secret RF transmitted code. If you open the
    case, without disarming...or a destruct code is
    sent (via RF) then.,...say... a small canister of
    thermite, mounted over the hard drive, suddenly
    ignites.

    Should easily destroy the hard drive, and most of
    the rest of the laptop, pretty quickly.....
    Hell...a version of this for home computers could
    be made for probably under $100

    The only real problem is deciding how much
    thermite to use...Afterall...its good to destroy
    the hard drive....burning a hole through the floor
    and the next floor down is usually considered to
    be fairly inconsiderate, at the least. (unless you
    own your own house)
  • pft! I posted this same story two weeks ago. Oh well.

    It's probably just Bill Gates. The State Department didn't have a license for their copy of Win95 (someone probably brought it in from home, and they all shared the disc) and so Microsoft took it.

  • is to just teach the agents not to leave the laptops lying around. I mean who would leave a laptop just sitting around? geez if i had a laptop i'd be guarding it with my life (most likely sitting up till all hours of the morning with a rifle expecting ppl to come in and steal it) i wouldnt leaving it lying around namby pamby in some strip joint (not that they were there, but who knows huh?) by now some guy has toasted what was on there, and put on windows 95/98 and is playing quake or what have you at this moment... (frag away my friend) perhaps i should start hanging around agents, might score myself a nice laptop. perhaps you might see it on an auction site... second hand laptop, previous owner had information vital to the security of the nation, great color lcd display, cdrom. $2000 ono.
  • I would worry about that kind of system! To work, it would have to be completely unbypassable (sp?). However, the way GPS/all tracking technology works this would cause problems. Either:
    (a) whenever the device was in a tunnel, out of signal, or whatever, you'd lose all your data!
    (b) if you allow it to lose signal without a problem, then the person who steals it merely has to block it from the signal and they can run off with it.

    How easy is it to block the signal from a GPS satellite? I heard the new units are more reliable (smaller wavelength) but I bet it still wouldn't work in the Tube :-) BY THE WAY, abusing style sheets can be fun...

  • It sounds like you know nothing too.

    I work with this stuff a lot, especially vechile tracking.

    we do it with SMS, we have a gps unit installed in the vechile, connected to a cellphone based device, which sends a SMS every 2 minutes to a central location.

    As for tunnels and stuff, this would be subject to the same limitations as normal cellphone operation.

    Best idea is the one sugested to disable the device if tampered with. Eg, if the case is opened or X amount of wrong passwords, harddrive gets wiped (properly!) or in someway disabled.

    BETTER SOLUTION... Do not allow sensitive data on laptops, keep it all on a network inside the organisation, with NOTHING being allowed to be removed on any medium.

    This is what currently happens with a well known mobile phone operator in germany. Even the floppy drive is disabled in their laptops.

    In a connected world, especially with technology such as IPsec, there is no reason why data should ever have to leave a secure server. Alan

  • by Red Leader. ( 12916 ) on Friday April 28, 2000 @01:28AM (#1105255) Homepage
    Why would the laptop have to be on, and not just the 'LoJack' unit - whatever that may be?

    Here's a neat idea (yes, I'm bored - and no, I did not sleep last night). Make a GPS receiver/position broadcaster only activate when a 'daughter' unit was not within a predifined range. That way, the LoJack system would be merely sipping at its own battery on standby, but would start transmitting its location as soon as the daughter hardware was out of range. How does that sound? Sure it requires its own battery, but it's entirely internal (Don't ask how you change the battery. I don't know. Lift up the keyboard? okay - LOCKED under the keyboard?)

    [first meaningful post?]

  • As far as reports so far have told said, the data on the laptops is encrypted -- but it's also unique. The issue is not that other people won't be able to read the data -- I don't think they can -- but that the security agency itself will have lost the data!

    Of course, if you had a system which blew up the data if it got out of tracking range, you'd still lose the data.... so maybe this is all a dumb idea on my part :-)

  • by TheCarp ( 96830 ) <sjc AT carpanet DOT net> on Friday April 28, 2000 @04:10AM (#1105257) Homepage
    FYI - At least in MY home state (MA) things are
    just a "tiny bit" different. See...the police in
    MA REFUSED to use lojack, unless certain changes
    were made to the system.

    What did they want? The police wanted the ability
    to activate any lojack at any time, for any
    reason. Guess what? they got it. If you have
    lojack in MA, the police could turn it on at any
    time, without you knowing a thing about it.

    (I am assuming by this that there are protections
    in place in other states, like its not the policebut the lojack people who transmit the code
    and need some password or mothers maiden name
    or some such to do it)
  • by shadowstrider ( 156009 ) on Friday April 28, 2000 @01:46AM (#1105258) Homepage
    The Navy Seals already have (waterproof, magnesium) laptops that have an integral incendiary device to slag all the innards. I think it can be triggered at will, but I'm not sure about it other than that. Like for instance in this case it would maybe be of use to go off after a number of bad passwords.

    As an added bonus, it would probably start someone's car or suitcase or something on fire when it triggered, which would certainly draw some attention. On that idea, booby trap them to mark anyone who tampers with them somehow maybe? Kind of like the red dye used in banks, but less obvious.

A Fortran compiler is the hobgoblin of little minis.

Working...