Security strategies?
-
EatMorGlue
- User with bad email address, PLEASE fix!
- Posts: 28
- Joined: Mon May 16, 2005 8:24 am
- Location: Raleigh, NC
Security strategies?
I've been thinking about getting a tracking program like computrace to help me recover my T42 should it get stolen. But in thinking about how those programs work, it made me wonder whether setting power-on and HD passwords would actually make it more difficult for those programs to actually do their job.
So this got me rethinking security strategies. If somebody stole my laptop, isn't it easier for them to throw in a new HD rather than trying to get past a slew of passwords? And if that's the case, wouldn't it be better to have relatively light security so that it's easy for them to load up XP and allow the trace program a chance to work?
I don't have client information or trade secrets or any highly sensitive information on the computer, so I'm not greatly concerned about people accessing files on my HD. (I don't know, should I be?) It's a personal computer for school and not a company computer for work; if somebody steals my laptop and wants to read my thesis on Kafka, well, I just wish they would let me know what they think when they were done.
I don't know what my question is here really. Does more security really mean the best security? Does making it more difficult to access the HD conflict with the goal of a trace program, to let the thief access the HD and hopefully the internet? Is it very difficult getting past power-on/HD passwords? How does the ESS chip figure into any of this?
If you put a Hard Drive password on the hard drive, no one is going to be able to start the machine. Supposedly, it can be done, but it takes special equipment so far as I know. So secure the box with a password and then make sure your insurance covers it. Keep the machine backed up, and should it be lost, just get a new one. ... JD Hurst
-
Ground Loop
- Sophomore Member
- Posts: 174
- Joined: Sun Jul 10, 2005 2:19 am
If I understood the Hard Drive Password correctly, it's actually stored in the IDE drive itself. Moving the drive to another computer will require the same password.
Likewise, replacing the drive will get rid of the password.
What about the Power On Boot password? This is done at the BIOS level, so it's before any hard drive is accessed.
The fingerprint scanner makes it a very minor hassle at boot time, and then passes the credentials down to Windows to make it up to you.
Are there any known procedures for resetting the boot password?
If the thief cares nothing about your data, they could flush the fingerprints from memory, reset the Security Module (losing all keys), and replace the hard drive, but hopefully they're still stuck at the boot password.
That's the point, right?
If you look in the Hardware Maintenance Manual under 'Passwords', it indicates the following:
(1) Power on password prevents unauthorized person from powering on the laptop. This can be cleared without too much difficulty by a semi-knowledgeable person if he does the research to find out how.
(2) Hard disk password - there are two types - a user hard disk password and a master hard disk password. Laptop can be used by an unauthorized person by replacing the hard drive.
(3) Supervisor password prevents an unauthorized person from entering the BIOS setup utility.
Many ThinkPads have the security chip installed and if you want extra security besides the above, you can download the Client Security Software from IBM/Lenovo - which is used in combination with the security chip. I believe with this, you can completely lock-down your laptop from any unauthorized users, unless they are willing to replace the system board. I am not 100% sure about this however.
DKB
-
r50cheapskate
- Posts: 42
- Joined: Sun Jul 10, 2005 11:56 pm
- Location: San Diego, CA
Re: trace programs. I'm not sure I'd want my computer or car back after theft. In fact, I'd prefer a total loss and replace it. It would feel like it's been contaminated if I got it back.
For the longest time, I defeated all security measures with TweakUI, but I've reconsidered that now that my computer is mobile and not a desktop. Even then, considering a maintenance guy (fired upon discovery) who helped himself to a few hours of pay-per-view cable in a neighbor's apartment, I'm not sure even a desktop is safe. Nice world we live in. I'm going for the fingerprint reader next time.
-
Ground Loop
- Sophomore Member
- Posts: 174
- Joined: Sun Jul 10, 2005 2:19 am
GomJabbar wrote: (1) Power on password prevents unauthorized person from powering on the laptop. This can be cleared without too much difficulty by a semi-knowledgeable person if he does the research to find out how.
Nobody has ever called me semi-knowledgeable, but I'm doing my research.
It would seem that most of the software tools out there to fetch the Power On password require that the computer be able to, you know, boot and run software.
Any actual bypass (from power off) would require some kind of hardware/button/jumper trick.
So far I can confirm that the CMOSPWD program claims to fetch the Thinkpad Boot PWD, but actually does not. It shows an empty string on my laptop. Anyone get it to work?
http://www.cgsecurity.org/index.html?cmospwd.html
Of course, it's academic unless your computer is still on (standby/hibernate-without-password).
GomJabbar wrote: (3) Supervisor password prevents an unauthorized person from entering the BIOS setup utility.
This seems like it would be irrelevant if a boot password is selected. This might be more useful to someone who just doesn't trust the person using the machine to stay out of trouble.
GomJabbar wrote: Many ThinkPads have the security chip installed and if you want extra security besides the above, you can download the Client Security Software from IBM/Lenovo - which is used in combination with the security chip. I believe with this, you can completely lock-down your laptop from any unauthorized users, unless they are willing to replace the system board. I am not 100% sure about this however.
I haven't enabled the security module yet, but my understanding was that it protects your data, but not your machine. A thief could go in anytime and reset the security module and wipe out the encrypted files. It won't keep them from using the machine, will it?
-
EatMorGlue
- User with bad email address, PLEASE fix!
- Posts: 28
- Joined: Mon May 16, 2005 8:24 am
- Location: Raleigh, NC
Thanks for the responses everyone. I feel like I've got a little better understanding of the reasons for all those [censored] passwords I had to make up.
r50cheapskate wrote: Re: trace programs. I'm not sure I'd want my computer or car back after theft. In fact, I'd prefer a total loss and replace it. It would feel like it's been contaminated if I got it back.
Hmm... good point.
jdhurst wrote: So secure the box with a password and then make sure your insurance covers it. Keep the machine backed up, and should it be lost, just get a new one.
I'd like a little more info about this... What kind of insurance would cover it? I'm guessing home, but would it still be covered if it got stolen while I'm out and about?
Just as a side note, I think you'll like this:
I'm an IT student at PSU. Our staff gets ThinkPads free, I so envy them. Now those things take a lot of abuse, and we ended up some of them. Anyways, we got all of the "dead" ThinkPads back up and running....except for one with a BIOS password. We tried for months to figure that thing out, finally locating a step-by-step guide. If I recall it had some wire cutting with it, so I called it quits. We now use that laptop as spare parts, and a door stop.
I'd say a BIOS password.....or a GPS tracker if you get too bored
-Toe
I went through the same deliberations as EatMorGlue. Should I get computrace or not? I called a tech at IBM for advice. He advised against the Security Chip saying it can get really complicated. He suggested the BIOS password, which I have now used for 2 months without a problem, and with very little extra hassle. (I should add that I don't have the finger print reader so that was not an option- but I have heard some mixed reports about it anyway).
I realize that if the thief gets the laptop, my data could still be at risk if he/she swaps out the disk drive to another laptop, but I feel most thieves are really only interested in a working unit.
As a result, I image my o/s to a mini USB drive every week or so, using the excellent IBM R&R application, and back up my data separately at the same time.
I doubt that I could get insurance that would cover me for loss from, say, a car, even if the TP was in the trunk at the time, and would certainly never cover me if I left the unit unattended. With my particular lifestyle, the only way I could see myself losing the unit was either after it went through an airport scan while I was stuck on the other side being frisked, or if I got mugged. I try and make sure that I have no metal on me when I go through the airport scan, and I decided to buy a backpack to try and camouflage what I'm carrying when out and about on the subway.
I think that the BIOS password is the best security measure, doesn't slow the machine down, and just depends on me not forgetting my password, which, incidentally, is not a dictionary item.
T42 2373-6VU
Pentium M 735
60GB 7200rpm
1.5GB RAM
32MB Radeon 7500
Intel PRO 2200 b/g
CD-RW/DVD
-
r50cheapskate
- Posts: 42
- Joined: Sun Jul 10, 2005 11:56 pm
- Location: San Diego, CA
Insurance
Homeowner's/renter's insurance should cover the loss of a computer due to theft or covered damages. Forgetting it at a restaurant is considered theft. Dropping it on the street is not covered. BUT, as I understand it, it is strongly recommended that a (very cheap) rider be purchased specifically for the computer (as with any high-value, portable items like custom bikes, jewelry, etc.).
This topic probably doesn't belong under Windows OS anymore, but it's a legitimate tangent. Were I to lose my computer ($1500 once new hard drive arrives, cheap I know), I'd not claim it. Your insurer will drop you for even inquiring about the loss, even if you don't file a claim. In the big picture, computers are cheap and replaceable. Insurance that covers the big stuff is not.
About Insurance I can answer
Homeowner's policy covers your personal computer (laptop/desktop) against theft. Somebody stole my previous laptop from my car at the Disney parking lot. I called cops/security and reported it.
When I was back I called my insurance agent and he told me to file a claim. I got the cost of a new laptop - my deductible (500).
The agent told me my policy covers personal property loss anywhere in the world.
I ended up with a huge loss of data and 500. (I was supposed to take a backup before leaving but didn't have time to.)
One of my friends forgot his password; he tried every single utility to retrieve this supervisor password and he couldn't do it on a ThinkPad. He tried going deep in hardware and ended up with a fried motherboard.
With some policies you can get insurance riders for cameras, etc., that will cover against accidental damage as well as theft/loss. I had a video camera replaced that way.
BTW, filing a $1500 claim with your insurance company won't cause them to cancel your policy unless they're such a sleazy outfit you don't want to trust your security to them in the first place....
560, 560x, T23, T61






