On laptops, sexy pictures, and encryption


There is an article in this morning’s Globe and Mail about a scandal that started when a movie actor took his laptop in for repairs. It seems that Edison Chen, a Vancouver actor with a strong following in Asia, was having trouble with his MacBook and brought it to a repair shop. Well, his hard drive contained 1,300 explicit photos of Mr. Chen and various sex partners, and someone at the repair shop decided to take copies and post them on the Internet.

The article goes on to quote Jesse Hirsh, described as a Toronto technology expert, who suggests that people should avoid taking their computers to a repair shop. Instead, they are supposed to “look for someone who makes house calls, and even pay close attention.”

I find this advice to be ludicrous! First, finding a good repair shop is hard, and finding one that will make house calls is even harder. Second, given that this was a laptop, it is likely that repairs will be needed when the owner is away from home, making house calls even more difficult to arrange. Third, it would be very difficult to watch a technician closely enough to be able to catch them copying your files to a USB drive, CD, or onto the Internet.

Most importantly, this advice does not address the fundamental problem – the photos were stored in a manner where they could be copied. If the photos had not been copied at a repair shop, they could have been copied when the laptop was lost or stolen. The news is full of stories about lost laptops containing large amounts of valuable information, and yet the message is not getting across.

Laptops, because they are portable, are easily lost and stolen. Plan for it. Adopt a plan for your laptop that says that nothing will be stored on it that cannot be lost. This means never having anything on a laptop that is not also somewhere else, be it another computer, or a USB stick, or an external hard drive.

It also means never having anything on a laptop that cannot be viewed by the world. Private information, such as sexy photos, should be encrypted. When the information is encrypted, it cannot be viewed by anyone who does not have the key. The files can be lost, stolen, and even posted on the Internet, but if people don’t have the key, then the information is useless.

Encryption tools are provided in many modern operating systems, including OS X used in the MacBook. FileVault can be used on the Mac to encrypt a user’s home directory, and the Disk Utility can be used to create a disk image for storing encrypted files. Other options include TrueCrypt, which is free and available for Windows, Mac, and Linux, and the products offered by PGP Corp.

Sure, encryption technology can be hard to set up, but it really is a necessity for laptop computers. Whole-disk encryption is better than encrypting certain folders since temporary files stored automatically by the operating system might also contain sensitive information (e.g., temporary copies of your mailbox), but encrypted folders are better than nothing.

And this brings us to our second piece of news. Disk encryption is not fool-proof. New research out this week from Princeton University shows that if a computer can be accessed while it is running, or in standby mode, then it is possible to copy the encryption keys from memory. In fact, the keys stay in memory for a brief period of time (up to 10 minutes in special conditions) even after the computer is turned off. The lesson is to turn your laptop off when it is not in use and not to leave it in standby mode.

There is no excuse for storing sensitive information on laptops, or any computers, without protecting it with encryption. If you are not using encryption now, it is time to start.

5 thoughts on “On laptops, sexy pictures, and encryption”

  1. Andrew

    @Benjamin:

    I don’t think the specific vulnerability of keys being available briefly in dynamic memory is an argument against mandating encryption. As my colleague Jon Callas of PGP Corp. has said, this is an “edge condition” that occurs rarely:

    Callas still thinks the attack is an “edge condition” attack — meaning that it’s an attack that relies on specific and not-common situations. In this case an attacker would need to get access to a computer while it was at the traditional login prompt or within minutes of it being shut down.
    http://blog.wired.com/27bstroke6/2008/02/encryption-stil.html

    I do think that there are other arguments, as you point out in the article you reference. Mandating encryption makes no sense without understanding the entire business process and the complete threat model. I do think that encryption is under-used in many cases, but it is not a magical technology that will fix everything.

  2. Jesse Hirsh

    Hi Andrew, I agree with your points re: using encryption, which even in the face of the news you cite, is still worth the trouble.

    I however disagree that it’s difficult to find someone who is skilled, trustworthy, and willing to make house calls. Certainly here in Toronto such people are in abundance if you’re willing to look. I also disagree with your rejection of my suggestion that education be part of the process. I feel if you’re paying someone to work on your computer they should also walk you through what they’re doing so you can be empowered by the process.

    -jesse

  3. Pingback: Andrew Patrick » Very expensive computer repairs
