A few days ago, someone mugged one of our tech writers outside her
apartment building.
She had a laptop computer that was company property, and which
contained among other things, an application the company licenses
to registered users at a quarter-million dollars a pop, in a
release-candidate version that we're not going to be sending out
to customers until it's been in testing and doc for another couple
of weeks.
And all the docs for it (up to that date),
And a list of license keys corresponding to various configurations.
These license keys are decrypted by the software so it can find out
what it's authorized to do on behalf of the user - of course the QA
department and Documentation group need a wide variety of them --
including some that would sell to paying customers for upwards of
a million dollars.
So, there was a board meeting, and some board members and major
investors waxed wroth. Odds are, the drive got wiped within hours
of being swiped. Odds are, the laptop is sitting somewhere in a
pawnshop and the damage to the company has been limited to the
cost of a single laptop computer.
But slightly longer odds have a much MUCH higher cost to the
company: if the mugger realized what the hell he had in his hands,
he could match my annual salary by selling it to one of our
competitors. If the mugger was hired in the first place by one
of our competitors, then... that's not good either. And of
course, if he's willing to face a bit dicier risk profiles, and
has criminal confederates inside some Fortune 500 companies, he
can track our sales and marketing force, and try to undercut
us with pirate versions of our software and potentially cost us
millions in sales. These are in order of decreasing probability,
and the last, while only very remotely likely, is pretty disturbing.
And I was sitting there, listening to all the worst-case scenarios,
and thinking, "Damn, I wish we had laptops with solidly encrypted
hard drives." Enter the key, boot the machine. Wrong key, hard
drive appears to be full of random garbage. Encryption handled in
the BIOS.
The BIOS password protection is garbage for protecting hard drive
contents - the hard drives are unencrypted and can just be popped
out and stuck into a different laptop of the same model.
Bear