“Lose your laptop, lose your life.” It’s a slogan worth remembering, because the loss or theft of the information on a computer has ruined more than one life.
According to an interview in People Online, actress Margot Kidder, the Lois Lane to Christopher Reeve’s Superman, was found living on the street in a delusional state several years ago. She said one of the things that pushed her over the edge was that a virus destroyed the files on her laptop, including the only copy of a book she had been working on for three years.
Closer to home, buzz in the Calgary computer community is that the laptops of not one but two corporate CFOs disappeared a few months ago, right at the time when their companies were having critical merger talks.
The information on them could have been worth a fortune to someone wanting to make a quick buck in the market. So, while losing your laptop may not actually kill you, you might wish you were dead.
Recently, Progressive Conservative Leader Joe Clark joined the roster of victims. Apparently, his press aide Stacey Gray’s missing laptop contained as-yet unrevealed material about the Prime Minister’s conduct in the so-called Shawinigate affair.
As best we can tell, the machine was password-protected, but it’s reasonably easy to break that simple lock if you have possession of the computer and really, really want to.
Clark’s official reaction was mainly wishful thinking, along the lines of “maybe they just stole it because it’s an expensive piece of hardware.”
Sure, that’s a possibility, but the information on board that box is thousands of times more valuable than the box itself . . . in the hands of the right (or wrong) people.
Traditionally, we’ve seen a forced tradeoff between security and functionality. It takes extra work, both human and computer, to be continually encrypting and decrypting, typing in passwords and checking them, and worrying about security breaches.
In a perfect world, we’d all be happy and trust each other and there’d be no need for computer security (or door locks, for that matter). Those with enough gray or missing hairs to remember the 1960s may recall that is precisely what it was like in those big mainframe computer rooms.
There was painfully little isolation between programs, so Bob’s job could easily overflow its memory bounds and wipe out Sally’s and Sam’s. We actually used to resort to booking entire multi-million dollar computers, just so we could test a problem in proper isolation.
Still, people’s programs stepped on each other, and there were fistfights in the machine room between graduate students whose data had collided.
How exactly can Joe Clark, and people like him, protect confidential data on a computer, whether it’s a laptop or a desktop? There are a number of strategies, all of them useful though none of them perfect.
* Security Through Obscurity.
You might just hide away confidential information in routine or meaningless filenames. The downside is that even Windows 2000 on a decent computer is powerful enough to go searching through gigabytes of hard disk, looking for key words like “Bre-X” or “merger.”
* Password Protection.
Major applications such as Microsoft Word allow you to password-protect your work. It’s not the ultimate form of security, because there are known ways to break it, but it’s better than nothing.
* Thin Client Accesses Remote Data from Secure Host.
This has the advantage of physically moving the data off the laptop, to a more secure place like a mainframe. But let’s not be too hasty here. When you use your laptop to connect to the remote host, your data passes through it, however briefly. This can open up a security hole.
* On the Fly Encryption.
Special-purpose machines, such as those used for military applications, employ hardware encryption/decryption routines to secure information. We mortals have to chase down software to do this, then remember to enable it, then remember to remember our passwords.
It’s difficult to endorse a particular vendor, but the SecurityPlus! product from Softbyte Laboratories seems to be on the right track. It allows whole programs to be encrypted, and run from a “Secured Access List.”
And of course, those sensitive data files can also be encrypted, regardless of format. So, whether it’s your tax return or the “art collection” you don’t want the kids to see, this tool should hide them well. I haven’t given it a rigorous test, but for $29.95 retail cost online you’re not risking a lot by trying it.
Of course, the time may come when a user with important files under encryption forgets his or her password.
Or the person leaves the company on less than happy terms, and just doesn’t feel like uttering that password.
Oh, you could take the delinquent to court, but that might take months and you need your data now.
This argues for a product that supports “administrative password recovery,” in other words, that gives the boss’s henchmen a back door, hopefully to be used only in emergencies. One such product, PC Guardian, offers a 30-day free trial. Just don’t lock yourself out of your own computer — that would be a career-limiting move, especially if you’re the designated security officer.
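The downside of the Security Through Obscurity strategy above can be checked on your own machine with a content audit. The sketch below is an added example, not part of the original column: it flags files by what they contain rather than what they are called. The filenames and file contents are constructed samples; the keywords are the ones the column mentions.

```python
import os
import tempfile

KEYWORDS = ["Bre-X", "merger"]  # the column's own example search terms

def keyword_patterns(keywords):
    """Map each keyword to its lower-cased UTF-8 and UTF-16LE byte forms.
    Windows software often stores text as UTF-16LE, so both are checked."""
    return {kw: (kw.lower().encode("utf-8"), kw.lower().encode("utf-16-le"))
            for kw in keywords}

def scan_tree(root, keywords=KEYWORDS, max_bytes=50 * 1024 * 1024):
    """Return {relative_path: [keywords found in the file's content]}."""
    pats = keyword_patterns(keywords)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes).lower()  # case-insensitive match
            except OSError:
                continue  # unreadable file: skip it, keep auditing
            found = sorted(kw for kw, (u8, u16) in pats.items()
                           if u8 in data or u16 in data)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def build_sample_tree(root):
    """Constructed sample data: bland filenames, sensitive content."""
    samples = {
        "recipes.txt": "Notes on the MERGER timetable".encode("utf-8"),
        os.path.join("misc", "a1.dat"): "Bre-X assay results".encode("utf-16-le"),
        "todo.txt": b"buy milk",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)

def demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        print(path, found)
```

Both blandly named files are flagged while `todo.txt` is not. Content that has actually been encrypted produces no matches in a scan like this, which is the argument for the on-the-fly encryption strategy.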
To address the security issue in a more systematic way, we at the University of Calgary are designing a suite of short courses, as well as some exciting new certificate programs in this area.
They’ll be constantly changing, because the world is changing, but you can find the latest at the first link shown below. And if you’d like to be kept abreast of the latest offerings, just send an email to zak@ucalgary.ca. Remember, the next laptop to be stolen just might be yours!
Web Watch:
www.ucalgary.ca/cted/esecurity
www.softbytelabs.com
www.pcguardian.com






