There is an article in this morning’s Globe and Mail about a scandal that started when a movie actor took his laptop in for repairs. It seems that Edison Chen, a Vancouver actor with a strong following in Asia, was having trouble with his MacBook and took it in for repairs. Well, his hard drive contained 1,300 explicit photos of Mr.Chen and various sex partners, and someone at the repair shop decided to take copies and post them in the Internet.
The article goes on to quote Jesse Hirsh, described as a Toronto technology expert, who suggests that people should avoid taking their computers to a repair shop. Instead, they are supposed to “look for someone who makes house calls, and even pay close attention.”
I find this advice to be ludicrous! First, finding a good repair shop is hard, and finding one that will make house calls is even harder. Second, given that this was a laptop, it is likely that repairs will be needed when the owner is away from home, making house calls even more difficult to arrange. Third, it would be very difficult to watch a technician closely enough to be able to catch them copying your files to a USB drive, CD, or onto the Internet.
Most importantly, this advice does not address the fundamental problem – the photos were stored in a manner where they could be copied. If the photos had not been copied at a repair shop, they could have been copied when the laptop was lost or stolen. The news is full of stories about lost laptops containing large amounts of valuable information, and yet the message is not getting across.
Laptops, because they are portable, are easily lost and stolen. Plan for it. Adopt a plan for your laptop that says that nothing will be stored on it that cannot be lost. This means never having anything on a laptop that is not also somewhere else, be it another computer, or a USB stick, or an external hard drive.
It also means never having anything on a laptop that cannot be viewed by the world. Private information, such as sexy photos, should be encrypted. When the information is encrypted, it cannot be viewed by anyone who does not have the key. The files can be lost, stolen, and even posted on the Internet, but it people don’t have the key, then the information is useless.
Encryption tools are provided in many modern operating systems, including OS X used in the MacBook. FileVault can be used on the Mac to encrypt a user’s home directory, and the Disk Utility can be used to create a disk image for storing encrypted files. Other options include TrueCrypt, which is free and available for Windows, Mac, and Linux, and the products offered by PGP Corp.
Sure, encryption technology can be hard to setup, but it really is a necessity for laptop computers. Whole-disk encryption is better than encrypting certain folders since temporary files stored automatically by the operating system might also contain sensitive information (e.g., temporary copies of your mailbox), but encrypted folders are better than nothing.
And this brings us to our second piece of news. Disk encryption is not fool-proof. New research out this week from Princeton University shows that if a computer can be accessed while it is running, or in standby mode, then it is possible to copy the encryption keys from the memory. In fact, the keys stay in memory for a brief period of time (up to 10 minutes in special conditions) even after the computer is turned off. The lesson is to turn your laptop off when it is not in use and not to store it in standby mode.
There is no excuse for storing sensitive information on laptops, or any computers, without protecting it with encryption. If you are not using encryption now, it is time to start.