Protect Your Data At All Times


Thanks to both Chris Penn and C.C. Chapman for pointing out this article by Bruce Schneier:

Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you’re entering the country. They can take your computer and download its entire contents, or keep it for several days.

I won’t set foot down the “we’re becoming a police state” path; I just want to focus on what this means for traveling musicians and businessfolk. So, to quote the legendary Dick Clark:

Protect your ass at all times.

If you haven’t figured out by now that Geek Squad, Apple technicians, and any other hardware support people can (and typically will) copy your music library for their own personal collection (if not your entire hard drive), then you’re just not paying attention. Heck, even auto mechanics will rip all the CDs in your car if you leave it with them overnight.

The best solution for us Mac people has got to be the sparse disk image. Using Disk Utility, you can make a file that acts just like a disk: a password-protected disk with 256-bit encryption. That’s the kind of protection that requires a supercomputer to unravel. If the government thinks you’re a terrorist, they can get past it, but the time and computing power necessary will be reserved for more than casual use.

What about FileVault? If you’ve used it for more than a week, you’re probably sick of it already. It’s slow, cumbersome, and breaks a lot of the Mac’s functionality (like Automator). A sparse disk image is only as big as the files you store in it (unlike regular disk images) and gives the same level of software encryption.

So if you have sensitive financial data, intellectual property, trade secrets, or that DVD rip of Hot Grannies In Thongs IV (you’re weird, by the way), you can at least protect yourself from casual snoops and identity theft by keeping it all under lock and key… without having to lock down your entire hard drive.

Any other recommendations? Please discuss. Any America-bashing or even government-bashing will not be tolerated, so please remain civil.


5 Responses to “Protect Your Data At All Times”

  1. Jeff Glasson Says:

    Definitely some valuable advice! One alternative to the Disk Utility solution is an Open Source product called TrueCrypt (http://www.truecrypt.org/). It supports AES-256, Serpent, and Twofish encryption algorithms and offers versions for Windows, Mac and Linux platforms. It’s a great solution for encrypting your USB sticks as well!

    Cheers, Jeff

  2. Bryan Page / Jesta Says:

    Good advice - I’ve been meaning to do this for a while, but this post pushed me to get it done. I am just wondering though what would happen if you had multiple accounts on your laptop. Would they even think to ask you to log into them all? For example, if you had a second account on the computer that you never used and logged into that one when asked, would they even realize that they weren’t seeing all your files? Maybe you could even log them in to the disposable “Guest Account” on Mac OS X and see if they notice!

  3. Zimmie Says:

    Strictly speaking, AES-256 is the kind of encryption that would take a universe-sized computer billions of years to crack.

    The fastest crypto-cracking computer known can crack a DES key in 22 hours, 15 minutes. It was purpose-built to do just that and cost $250,000. If we could build a general-purpose machine that would crack a DES key in one second and that could crack AES just as efficiently, that machine still wouldn’t be able to crack AES-128 before the heat-death of the universe. It would take the majority of the estimated energy in the universe to power the machine, and you still wouldn’t get anywhere. AES as a whole is stupefyingly secure.

    FileVault actually uses an AES-128 sparse volume to store your home directory. When you log in, the volume’s key is decrypted using your login password, and the volume is mounted. It operates in exactly the same way as a separately-created sparse disk image.

    The problem with FileVault and with encrypted images on Macs in general is that modern Macs do something called SafeSleep. It’s a cross between suspend and what Windows calls Hibernation. Essentially, the contents of RAM are written to the disk and the system is put to sleep. If power is maintained, the system resumes from RAM. If it loses power at some point (like, say, you change the battery on a laptop), it resumes from the sleepimage on the disk.

    Do you see the problem here?

    If you use FileVault or an encrypted disk image, the encryption keys are stored in your RAM. If you put your computer to sleep, the keys in RAM are written to your disk in plaintext. Not only that, your login password is stored in RAM and it is also written to disk in plaintext.

    Yes, encrypted images may be enough to prevent casual snooping, but you really need more to protect against someone who wants to get at the data. Plus, that’s a fantastic way to get on the no-fly lists.
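The post's encrypted sparse image can also be created from Terminal with `hdiutil`, and the SafeSleep concern in the comment above can be checked by reading the hibernate mode from `pmset -g`. This is an added example, not code from the post or its commenters; the image path, size and volume name are placeholders.

```shell
#!/bin/sh
# Added example. Image path, size and volume name are placeholders.

# Create an AES-256 encrypted sparse image. hdiutil prompts for the
# passphrase and appends ".sparseimage" to the given path.
make_vault() {  # usage: make_vault <path-without-extension> <size, e.g. 2g>
    hdiutil create -size "$2" -type SPARSE -fs HFS+J \
        -encryption AES-256 -volname Private "$1"
}

# Succeeds only if hdiutil reports the image as encrypted.
vault_is_encrypted() {  # usage: vault_is_encrypted <image-file>
    hdiutil isencrypted "$1" 2>&1 | grep -q '^encrypted: YES'
}

# Read `pmset -g` output on stdin and classify what sleep does with RAM.
# hibernatemode 0 keeps memory in RAM only; the other documented modes
# (3 = safe sleep, 25 = hibernate) also write it to the sleep image on disk.
sleep_exposure() {
    mode=$(awk '$1 == "hibernatemode" { print $2; exit }')
    case "$mode" in
        0)  echo "ram-only" ;;
        "") echo "unknown" ;;
        *)  echo "ram-written-to-disk" ;;
    esac
}

# Only touches the system on a Mac, and only when asked to with --create.
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--create" ]; then
    make_vault "$HOME/Private" 2g &&
        vault_is_encrypted "$HOME/Private.sparseimage" &&
        echo "encrypted image created"
    echo "sleep behaviour: $(pmset -g | sleep_exposure)"
fi
```

If this reports `ram-written-to-disk`, detach the image with `hdiutil detach` before the machine sleeps, or shut down rather than sleep before handing the laptop over.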

  4. Zimmie Says:

    I should have specified a universe-sized traditional computer. Quantum computing is a whole different beast, but it will probably break all current crypto pretty equally.

  5. Dad Says:

    Huh?
