LoJack option -- is it in BIOS or on hard disk only?

[claudeo]

Does anyone know whether the Lojack/Computrace option for the TP60 is in the BIOS and would survive the replacement or reformatting of the hard disk?

Also, it seems that it won't run unless the thief can actually get Windows going, which means that if the first 2 layers of CSS security (Power on password, boot password or fingerprint) work, then it will never be activated. Is that correct?

[snife]

i'm in emea so we cannot utilise the computrace option but as far as I remember it is on the system board, that is the whole point of it, that it can survive a reimage I think.

If your that security consious then you would have our data encrypted anyway and if any thief is clever enough to get beyond the supervisor (would involve replacing the chip) then I would assume the computrace thing won't work anyway so I'm personally not sure of the value of it if you secure a machine in the other ways

[claudeo]

There are two aspects to this: recovery and data protection. Having just lost a laptop in a home burglary, I started looking into this much more closely for my next laptop. Many laptop thefts are opportunistic and by people who are not that smart. They are probably much more interested in selling the machine for cash or using it for their own purposes than in mining it for data. This is where the lojack feature is most useful, since it can lead to a fast recovery of the machine.
Then there is the issue of data protection, and there of course the other features are very useful. But this obviously requires a layered security approach. I had a sour experience with trying to password protect the disk (machine broke, lost all data), and I'm a bit leery of whole disk encryption in general. I'd rather see some standard, BiOS settable feature that automatically encrypts designated parts of the hard disk or even deletes the data if as soon as it detects too many failed attempts to break through the initial security. Those services are now being sold by absolute (CompuTrace Plus, etc.) and other vendors, but they depend on the machine being able to call home. With a ThinkPad they all seem to depend on the bad guys being both smart enough to break through the BIOS security in order to launch Windows, and dumb enough to not simply take the hard disk out for analysis.

[MobileGuru]

Computrace is Bios driven.

MG.

[claudeo]

I did a bit more digging. According to this document there is now a Computrace stub in the Thinkpad BIOS, which only gets activated if you buy the Computrace product. The documents don't mention lojack though, only the more expensive Computrace corporate services. Interesting... Does anyone have experience with this?

[MobileGuru]

I've used it in the past, but I'm not an active subscriber. Overall its a good way to track a stolen machine assuming that it eventually gets connected to a network in some fashion. If the box is stolen and never hooked up to the web, it's like a tree falling in the forest, cause nobody hears it.

BUT

If the thief attaches the machine to the web, or the buyer of said stolen goods, it sends out a happy little chirp to the tracking server telling it where to look via IP address. Nifty idea, but potentially useless if the unit is stripped down for parts or never connected to the web.

The good side of this is that Computrace typically offers a cash back guarantee if they cannot recover the machine, which is more like an insurance policy than anything else.

MG.

[EOMtp]

... there is now a Computrace stub in the Thinkpad BIOS, which only gets activated if you buy the Computrace product. The documents don't mention lojack though, only the more expensive Computrace corporate services. Interesting... Does anyone have experience with this?

You are correct that the BIOS component applies only to the Computrace product. When the service is activated, the software "pushes" data into a special region of the BIOS indicating to the persistent module in the BIOS that the service is on. Thereater, even if the hard drive is replaced, if the BIOS module does not find the .DLL it wants in the Windows\System32 folder, it uses Windows's TCP/IP stack to "call home" and self-heal. Note: The BIOS component cannot do its work if Windows is not running.

If one no longer wants the BIOS component active, i.e., if one wants to disable it after it has been activated, one sends an e-mail to the service requesting termination of service, and - if approved - the BIOS component is told upon the next "call home" to disable itself.