file security on T42

[zver17]

I am curious about file security on T42. What exactly is the "security subsystem", "active protection system" and what is the difference between "admin" password (same as "supervisor" password?) and power-on password and HDD password?
my understanding is that winXP passwords can be bypassed simply by reinstalling windows on top of the existing one, whereas HDD passwords require more special software. What would the next step be in beefing up data security? What about EFS - does it provide any further protection beyond that given by the HDD password? I read somewhere that it can be bypassed fairly simply. I realise more generally no security is bomb-proof, so I am just looking at that break in the security vs cost/inconvenience curve beyond which things just get too complicated to maintain.
many thanks
z.

[erik]

the short answer is to not leave your thinkpad without bios and power-on passwords and don't let it get stolen.

the windows password can be reset if rebooted with certain linux-based software, making the power-on password crucial.   the hardware passwords can be reset if the thinkpad is stolen and the thief has the knowledge and hardware available to reset those passwords -- but, that's usually risky.   i don't know enough about the hard drive password to know what happens if that drive is installed in a non-ibm system which can read the drive's partitions.

ibm's active protection system is a gyroscopic sensor that monitors the hard drive's attitude and unmounts the read/write head in the event of shock or if the thinkpad is dropped.

hope that helps.

-erik

[zver17]

thanks - very informative.

do you know if the power-on password is HDD-based or motherboard-based? Ie, does it remain useful if the laptop is stolen? that is the scenario I would be more concerned with.

From what I see I can have 4 passwords in a row operating at 4 distinct levels : power-on, BIOS, HDD and windows.

In addition, presumably smart-cards coud be used with HDD encryption - would they provide a further, different kind of protection?

btw, i am not totally paranoid - just wanted to understand it better once and forall.

[s0larian]

There are 3 passwords you can configure in the Bios:

1. User Password: not safe at all, can be resetted through the cmos battery
2. HD Password: stored on the HD, pretty safe, but there are companies who can recover the content (with destroying the HD)
3. Supervisor password: for the Bios Access. If you know it, you need a new motherboard. I don't know if there is a workaround.

If you want further security: use Utimaco Safeguard Easy for full HD encryption. For Backups it works with IBM Rescue and Recovery (IBM and Utimaco have a partnership)