The experience I have with BIOS password etc. is positive - it prevents casual snooping by passers-by spotting a desktop/laptop in an unattended office, but not laptop theft!

As for "I think the largest market impact of everyone enabling BIOS and HD passwords would be a sharp spike in demand for help desk staff :)", while the tongue in cheek is appreciated, the easy workaround is the usual paper copy in an envelope with the local guard/departmental secretary etc. to spare users the hassle with helpdesk, and which also prevents a casual snooper posing as a legitimate user calling a distant call-centre (these days often in another country) from duping the helpdesk into revealing the firmware passwords.

Albert J Caruana
Dr rer Nat

2007/6/4, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> Send FDE mailing list submissions to
>         [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://www.xml-dev.com/mailman/listinfo/fde
> or, via email, send a message with subject or body 'help' to
>         [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>         [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of FDE digest..."
>
>
> Today's Topics:
>
>    1. Re: hard disk p/w protection - secure? (Crispin Cowan)
>    2. Re: hard disk p/w protection - secure? (Allen)
>    3. Re: hard disk p/w protection - secure? (Crispin Cowan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 03 Jun 2007 14:22:12 -0400
> From: Crispin Cowan <[EMAIL PROTECTED]>
> Subject: Re: [FDE] hard disk p/w protection - secure?
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=windows-1252
>
> Martin Forest wrote:
> >
> > With the correct forensic tools, you can recover all data on the disk,
> > unless the disk is encrypted. It will cost you a few thousand dollars
> > as it is not just as simple as connect the disk to another computer.
> > You basically have to dismantle the disk and use specific equipment to
> > recover the data.
> > The HD protection will probably prevent a normal
> > person from getting the data, but if you have "classified" information
> > on the computer, someone may find it worth spending the money to get
> > to the data.
> >
> > I still like both bios and HD passwords. If everyone set it, the
> > market for stolen laptops would be small(er)?
> >
> Why would that be? I strongly suspect that 99.99% of the market for
> stolen laptops is the hardware and nothing else. A stolen laptop
> probably doesn't even get a cursory glance before it is formatted with a
> new Windows install.
>
> It costs organizations big $$$ when a laptop with sensitive data on it
> is stolen, but that is because they don't know for sure that it has been
> fdisk'd.
>
> More over, if everyone used BIOS and HD passwords that would .... hmmm,
> not do much at all:
>
>     * No effect on the market for stolen laptops, see above.
>     * Nearly no effect on the cost of recovery if sensitive data is on a
>       stolen laptop: it just sets a lower bound on the value of the data
>       you can disregard. If the value of the data is below the $2K it
>       costs to recover the drive, then ignore the incident, otherwise
>       proceed with your press release mea culpa
>
> I think the largest market impact of everyone enabling BIOS and HD
> passwords would be a sharp spike in demand for help desk staff :)
>
> Crispin
>
> --
> Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
> Director of Software Engineering   http://novell.com
>         AppArmor Chat: irc.oftc.net/#apparmor
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 03 Jun 2007 21:05:37 -0700
> From: Allen <[EMAIL PROTECTED]>
> Subject: Re: [FDE] hard disk p/w protection - secure?
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
>
> Crispin Cowan wrote:
> > Martin Forest wrote:
>
> [snip]
>
> >> person from getting the data, but if you have "classified"
> >> information on the computer, someone may find it worth spending the money to get
> >> to the data.
>
> Since the growing wave of data theft is motivated by financial
> gain I suspect that laptops from large companies and government
> agencies will be targets so the data will have potential value.
>
> >> I still like both bios and HD passwords. If everyone set it, the
> >> market for stolen laptops would be small(er)?
>
> Since bios passwords can be defeated easily and it is relatively
> trivial to buy a matching HD to mount the platters in, unless the
> HD password somehow locks the sectors, it is not expensive to
> recover all the data. (This is how a drive is recovered when the
> head mechanism dies and they do not want to risk rubbing the
> oxide off.)
>
> > Why would that be? I strongly suspect that 99.99% of the market for
> > stolen laptops is the hardware and nothing else. A stolen laptop
> > probably doesn't even get a cursory glance before it is formatted with a
> > new Windows install.
>
> I would agree for the average theft; however, there is a long
> history of industrial espionage that we must keep in mind. I
> suspect a market will develop for stolen laptops for their
> content much like there has for credit card numbers, etc.
>
> > It costs organizations big $$$ when a laptop with sensitive data on it
> > is stolen, but that is because they don't know for sure that it has been
> > fdisk'd.
> >
> > More over, if everyone used BIOS and HD passwords that would .... hmmm,
> > not do much at all:
> >
> >     * No effect on the market for stolen laptops, see above.
> >     * Nearly no effect on the cost of recovery if sensitive data is on a
> >       stolen laptop: it just sets a lower bound on the value of the data
> >       you can disregard. If the value of the data is below the $2K it
> >       costs to recover the drive, then ignore the incident, otherwise
> >       proceed with your press release mea culpa
>
> Actually there is one market you are forgetting - blackmail.
> How much would megabucks corp pay to keep their name out of the
> papers over embarrassing disclosures?
>
> We are still in the very, very early days of seeing how the
> technology will be exploited for financial gain. Look at how bank
> robberies changed from the 1800s to today. When cars became
> common, crooks moved to them, etc.
>
> > I think the largest market impact of everyone enabling BIOS and HD
> > passwords would be a sharp spike in demand for help desk staff :)
>
> Oh, yessss!
>
> Allen
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 03 Jun 2007 23:28:50 -0700
> From: Crispin Cowan <[EMAIL PROTECTED]>
> Subject: Re: [FDE] hard disk p/w protection - secure?
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=windows-1252
>
> Allen wrote:
> > Crispin Cowan wrote:
> >
> >> It costs organizations big $$$ when a laptop with sensitive data on it
> >> is stolen, but that is because they don't know for sure that it has been
> >> fdisk'd.
> >>
> >> More over, if everyone used BIOS and HD passwords that would .... hmmm,
> >> not do much at all:
> >>
> >>     * No effect on the market for stolen laptops, see above.
> >>     * Nearly no effect on the cost of recovery if sensitive data is on a
> >>       stolen laptop: it just sets a lower bound on the value of the data
> >>       you can disregard. If the value of the data is below the $2K it
> >>       costs to recover the drive, then ignore the incident, otherwise
> >>       proceed with your press release mea culpa
> >>
> > Actually there is one market you are forgetting - blackmail. How
> > much would megabucks corp pay to keep their name out of the
> > papers over embarrassing disclosures?
> >
> Ok ... I considered that to be part of the stolen data cost. So, given
> that BIOS and HD passwords are trivially breakable, one should only
> store secrets on them that are worth less than the $2000 (or less) it
> would take to break the password protection. How is this market different?
>
> Crispin
>
> --
> Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
> Director of Software Engineering   http://novell.com
>         AppArmor Chat: irc.oftc.net/#apparmor
>
>
> ------------------------------
>
> _______________________________________________
> FDE mailing list
> [email protected]
> http://www.xml-dev.com/mailman/listinfo/fde
>
>
> End of FDE Digest, Vol 9, Issue 4
> *********************************
>
_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
