International Kernel Patch: The idea of the International Kernel Patch is to collect all crypto patches so that using crypto in the kernel will be easier than today. The patch includes a number of crypto patches including a crypto API including Blowfish, CAST-128, DES, DFC, IDEA, MARS, RC6, Rijndael, Safer, Serpent, and Twofish, an encrypted filesystem loopback device using the crypto API, CIPE VPN and EnSKIP patches.
SmartCards: by DESKO are not available for Linux yet. The only available laptop with a SmartCard built-in is the Siemens Scenic Mobile 800. And newly some ACER models.
User passwords: can be easily bypassed if the intruder gets physical access to your machine
BIOS passwords: are also easily crackable, though sometimes harder than with desktops. But how to do so is beyond the scope of this guide :) Some manufacturers have now a second boot password (IBM).
If you use a BIOS password/boot loader security, ADVERTISE IT! Paste a sticker (or tape a piece of paper) on the top of your laptop, saying something like:
WARNING This laptop is password protected. The password can only be removed by an authorized [manufacturer's name] technician presented with proof of ownership. So don't even think of stealing it, because it won't do you any good. |
Before you buy a second hand machine, check whether the machine seems to be stolen. I have provided a survey of databases for stolen laptops.
Laptop lock: Almost all (if not all) of the new laptops come with a slot for the lock, and if yours doesn't have one, most locks come with a kit to add a slot. One of Targus' Defcon locks even has a motion sensor, so you don't have to lock it up to a secure place, if you don't have one around.
The only drawback that I can think of is that it takes a couple extra seconds to set up or pack up your laptop. It takes about 30 seconds to snap into place and makes it impossible to quickly walk away with the laptop. It won't stop a determined thief with the time to unscrew the legs of the desk or one that wanders around with a substantial pair of wire cutters in hand, but I feel pretty secure leaving the laptop on my desk while I go to meetings or lunch.
Wellknown manufacturers of dedicated laptop locks are Kensignton and TARGUS.
Name plates: to reduce the possibility of theft, you may want to have a nameplate (name, phone, e-mail, address) made and affixed to the cover of the laptop. A nice one will cost you about $12, and can be made by any good trophy shop. They'll glue it on for you too. You could use double-sided tape instead, but glue is more permanent. So it's easy to return, but will look beaten and abused if these are removed. You may even make an engravement into the laptop cover (inside). And even better into every removable part (hard disk, battery, CD/DVD drive, power unit). If this machine ever gets to a repair office, I might get the machine back. Make sure you remember to update the plates if you move.
If you don't mind marking up a piece of equipment worth several thousand dollars, make sure your laptop has some distinguishing feature that is easily recognizable, e.g. a bunch of stickers pasted on it. Not only does it make your laptop easier to recognize, my guess is that people would be less likely to steal it.
It might even be useful to have a sticker that clearly says "Does Not Run Windows". This is at least an argument for having your bootloader stop at the bootloader prompt, rather than mosey onwards into a colorful XDM login.
Link xlock to apm services. What about setting a system such as when the laptop is unused for a while, instead of using normal apm service and suspend the machine, makes it run an xlock, disable the apm services in a way such that they do not suspend the machine automatically and start a 'laptop-protection daemon'. When the xlock disappears, the daemon is stopped and the apm services are restarted (so you might use the apm services yourself).
In the case somebody unplugs the machine while under the xlock (without giving the password), then the daemon would detect it and could start doing some preventive action, such as: - playing a sound with maximum volume saying "I am getting stolen". - this daemon could also register to a fixed local server and do a ping every now and then. If the ping stops before the daemon unregister to the server, then server then can take other actions, such as sending SMS message, starting a video camera, in the room, etc. The apm services down would make the stealer unable to use the hot keys to suspend/stop the machine, isn't it?
You can change the "pollution preventer" logo at startup on AWARD BIOSES. See instructions from Sven Geggus. For IBM ThinkPads there is a dedicated DOS utility for burning your bizcard data into the BIOS boot screen.
Boot loader: a boot loader may be used to put your name and phone number (or whatever text you choose) into the boot sequence before the operating system is loaded. This provides a label that can't be removed by editing files or even doing a simple format of the harddisk. Some boot loaders (e.g. LILO) offer a password option, which is highly recommend (note without it's very easy to get root access).
Camouflage: if you carry a dedicated laptop bag, this can be spotted by a thief easily. So think about getting another kind of bag.
Serial Number: note the serial number in a secure place. This will be necessary if your laptop get stolen.
Insurance: There are some dedicated insurances, see my page Database of Stolen Laptops.
Use of software that connects and identifies itself: As far as I know there was an old DOS utility that did something like this. It embedded itself into the bootsector and upon a certain keycombe it would throw a serial number onto the screen and play an audio code through the speaker (in case th monitor was no longer usable for whatever reason). You were supposed to register the serial number with the company that produced the utility.
The laptop can send a mail with its real IP address if connected (mail with a print of ifconfig started by /etc/ppp/ip-up or by a cron job (if connected at a company-network).
Always remove the external devices and secure them in another place/room. Set the BIOS to boot on the hard disk first as a default setting and remove boot on other devices if possible. Also try to plug the power supply in the least accessible plug. So if your machine get stolen in your office the 'quick way' (e.g. during a 5 sec. cigarette break), the stealer won't perhaps have time to get the power supply, neither the time to get the drives. Perhaps he/she will end up with a less useful laptop and you may recover it.
Electonic Devices (Transponders): There are also devices available, which can be detected remote via satellites, see my page about stolen laptops for a survey.
Your primary goal is to prevent your laptop from being stolen in the first place. Your secondary goal is to recover it after it is stolen. Report it to the police station ASAP. Check the local newsgroup (in case...) or even post in it.
I have provided a survey of databases for stolen laptops.
The chapter about theft protection has taken some advantages from ideas of Lionel "Trollhunter" Bouchpan-Lerust-Juery and a discussion, which has taken place in the debian-laptop mailing list in January 2001.