Hacker News new | past | comments | ask | show | jobs | submit login
Laptop security: Apple vs. [Insert name here]
69 points by huydotnet on March 13, 2017 | hide | past | favorite | 51 comments
OK let me tell you my story:

My Mac was stolen, and I used Find My Phone to lock it immediately. A week later, the thief opened the device, and sure he can't access it.

After two weeks, I lost my hope, sure I won't be able to get it back, so I decided to activate the Eraser.

Just an hour ago, I received the notification that the device erasing process has started.

I lost my device and all my data but not my privacy. And I found on Apple support forums that the device will remain locked as long as it still listed in my Find My Phone.

Now I'm planning to buy an x220 and get back to Linux. I was wondering how can I secure a Linux laptop and make it (somehow) harder for the thief to access my stolen device just like Apple did.

Do you have any experience with this? Do you mind to share?




Long time Ubuntu user here.

The solution to your problem is data encryption. On Linux, there are different levels of data encryption, whether you want to encrypt the whole hard drive or only the /home partition (where all of your private files will be stored).

The ArchLinux Wiki has a very detailed page [1] about all the available options for disk encryption.

Regarding Ubuntu, when you install it on your system, it will ask if you want to encrypt your /home partition [2] or your whole disk [3].

I got my laptop stolen in France last summer, and as much as this was a pain in the ass, at least I didn't have to wonder if the thief had access to my private data (photos, documents and the like) since the /home partition was encrypted. Hell, the thief probably had a WTF moment when (1) he discovered it was not a French version of Windows but an English version of Ubuntu running and (2) when he discovered it was a Taiwanese laptop with this keyboard layout [4]. Good luck to sell that on the French black market :)

[1] https://wiki.archlinux.org/index.php/Disk_encryption

[2] https://www.howtogeek.com/wp-content/uploads/2012/06/ximage8...

[3] http://www.tecmint.com/wp-content/uploads/2016/02/Ubuntu-16....

[4] https://c1.staticflickr.com/8/7501/16104079539_00c39c200d_b....


Sorry for your experience.

One standard approach is to set up full disk encryption. A common setup would encrypt every partitions but your /boot partition, so a thief would be unable to access your system if it were powered off. (If you're especially cautious, you can do tricks to protect your /boot partition too, to guard against tampering, but that's beyond the scope of protecting against theft.)

The catch is if the thief steals your powered-on laptop, the system's still decrypted (meaning, the decryption key is still in memory). I'd guess locking your machine is a partial guard (and is what I rely on), but I'd be interested in learning if there's a better method of protection.

ArchWiki has a pretty good overview: https://wiki.archlinux.org/index.php/Disk_encryption. I'm happy to try and answer any questions you have.


A few questions:

1) > The catch is if the thief steals your powered-on laptop, the system's still decrypted

I think the key distinction is if a laptop's storage is encrypted if it's in some sort of sleep or lock mode. AFAICT most people's laptops are rarely completely off; they either are fully on, asleep, or sometimes locked.

Solutions that secure data only when the laptop is fully off seem almost useless to me; in practice the data rarely is encrypted. Do you know of solutions that address this issue?

2) What about Self Encrypting Drives (SEDs), which encrypt at the hardware level usually by using the industry standard (AFAICT) Opal?

https://www.trustedcomputinggroup.org/storage-work-group-sto...

3) File-level encryption, rather than volume level, would seem to solve the problems in #1. Files are decrypted only when they actually are in use; otherwise they are secured. Therefore on most systems, most data files are secured most of the time. The problem is how to efficiently enter credentials for every file, or every batch of files, the user opens: Type a password every time? What about databases or email (e.g., stored 1 file/msg such as in maildir)? Keep the key on a USB drive that must be inserted and, only when first inserted, authenticated with a password?

Do you know of file-level solutions?

4) The problem with every solution is implementation. Security is very hard to implement, and requires high quality execution to avoid exploits. How do I know that the vendor did it correctly?


I glossed over it a bit in my first post, but the data on the drive is actually always encrypted. The system decrypts the data on the fly as it's read into memory, and encrypts when it writes to disk again. This has less of a performance impact than you'd think.

Also, just to be explicit on the user experience: when you boot the machine, one of the first things the kernel does is ask for a decryption password. If you cannot provide that, the system cannot boot further, because everything but the kernel and bootloader (in /boot) is behind the encryption.

1) So as described above, the storage is always secure, regardless of whether the machine is on or not. The rub is that when the machine is in use, the system is actively performing this decryption/encryption. I'm not an expert on the technical side of it (and it probably differs between implementations), but I'd imagine the OS keeps the decryption key in memory. This is functionally an instance of the "it's got to be decrypted sometime" problem, or a variation of the "analog hole" in DRM. At some point, the user will be accessing a decrypted version of the data, and if the attacker is able to take control at that point, he obtains the data.

Let's say I have an encrypted text file (on an unencrypted, regular system setup). To write to or read the file, I need to decrypt it. Maybe a program takes a password and opens a text editing window with the decrypted data. If I care about the security of that data, I'm not going to leave that window open unless I'm actively using it. I understand that if I leave that window open and someone walks by my machine, they'll be able to see the contents, because I left the data in an decrypted state. But I need to have that window open sometime, because I need access to the file myself. It's the same situation with full disk encryption--at some point the data will be decrypted for legitimate use (in FDE's case, only in memory, but still decrypted), and it's up to the user to protect it during those times.

If you lock your machine (using xscreensaver, slock, etc.) and set it to lock when waking from sleep (and whenever else), the attacker must circumvent the lock program before he can access the machine. Ideally this would not be possible (a lock program that lets someone access the system without the password is not a great lock), but there's always the possibility of some vulnerability.

Alternatively, you can always hibernate your machine instead of sleeping it. Hibernate writes the contents of memory to disk and shuts the machine off. When booted back up, the kernel finds the hibernated memory and seamlessly resumes from where you left off. If you set it up properly, the system will write the hibernated memory to an encrypted partition, so the session cannot be resumed without the encryption key. The downside is you have to type the encryption key every time you resume, and my encryption password is a good deal longer than my normal user account password.

In my own practice, if I'm leaving my laptop at a place I'm more worried about theft, I'll hibernate it. In normal use, I'll sleep it and rely on the lock program. Like I said in the earlier post, though, I'd love to hear if anyone has a better approach, or even an analysis of the security of some common lock programs.

2) I have no direct experience with SEDs, but I'm under the impression they decrypt the entire drive when powered on and the password is entered. Or else, they do the same on-the-fly operations I described above. As such, they would be vulnerable to the same attacks as above. Their advantage is transparency to the operating system and better performance. Also see Wikipedia's description of some of their vulnerabilities: https://en.wikipedia.org/wiki/Hardware-based_full_disk_encry...

3) FDE essentially answers the "how to efficiently enter credentials" question with "at the start, when you first mount the partition" ;). Aside from that, file-level encryption solutions definitely exist, and are commonly used. You can encrypt arbitrary files with the openssl command, and many sensitive files (such as SSH keys) have encryption built into their standard usage (SSH key passphrases). Even when running FDE, I keep a passphrase on my SSH keys, because there's nothing stopping a rogue program from grabbing them during normal computer use. I'd encourage any other extremely sensitive files to have their own protection. To quote tptacek, "FDE does basically one thing for you: it reassures you if your laptop is stolen from the back seat of your car or left in a cab." [1]. Other steps need to be taken to run a secure system.

However, I don't know of a file-level encryption solution that functions exactly as you describe. It would be tricky to implement, for the reasons you described, and others. For example, background programs write to the disk too, and sometimes what they write contains sensitive data. Are you going to enter the key periodically for their use too? And will all these programs play nice with the (comparatively) huge blocking times when writing while you type in the key?

4) Of course, that's the question with any security solution. Many of the Linux solutions are open source, so that's at least a plus, but certainly not any guarantee of security. Short of being a security professional capable of auditing the complete source, you have to rely on project reputation, recommendation, and (ideally) someone else's audit. I'm sure lots of people would like a better answer to this question!

Hope that all helps!

[1] https://news.ycombinator.com/item?id=9069669


Much appreciated; thanks.

I'd add one more item to the difficult-to-avoid vulnerabilities, file and file system metadata. Otherwise a simple directory listing, for a user or a background program, requires authentication.

My guess is that vulnerabilities like that, including the user access hole that you describe so well, are the reason that modern OSes (e.g., on phones) isolate most data so that it is accessible only to certain applications, usually the app that created the data, instead of the old model of all applications having access to (almost) all data. Even if for practical reasons the application needs almost unlimited access to the data, at least you can limit the attack surface to only that app and parts of the OS.


Good overview. Someone else in the thread mentioned a disk encryption solution that works with hibernation.

To step back for those who aren't familiar, disk encryption is not at all like Apple's remote locking feature and does not require you to activate it remotely or something like that. It just means that the data on your hard drive is stored encrypted ("scrambled") so that it cannot be read without a password that decrypts it. When you power on the computer, you provide the password, but a thief who doesn't know that password can't decrypt it.

Also there is no need for a remote erasing feature because the encrypted data is as good as erased for someone without the password. (This all assumes you use a secure enough password.)

This is actually more secure than Apple's remote lock in many ways because the remote lock can be avoided by preventing the device from ever accessing the internet or possibly bypassed by removing the hard drive and accessing it using some other computer. (There are protections that prevent this in the iPhone case but I don't know about Mac laptops, don't think so).


I believe it is possible to activate them separately, but Apple also has full-disk encryption, which obviously you should enable if you are concerned about data theft. The remote wipe I think is just for extra peace of mind, but the encryption should really be your first line of defense.


You really should use full disk encryption on all media today. If for no other reason it makes it easy to dispose of disks as you outgrow them, without worrying about erasing personal data.

Windows 10 Pro has bitlocker, Linux has LUKS, FreeBSD have Geli, and OS X has its own system.


I remember reading how Microsoft had weakened Win8 bitlocker security (compared to Win7) [1]. I don't know what is the status/comparison to Win10. If someone has, please reply.

[1] https://www.wilderssecurity.com/threads/has-bitlocker-been-w...


From Wikipedia:

Starting with Windows 8 and Windows Server 2012 Microsoft removed the Elephant Diffuser from the BitLocker scheme for no declared reason.[47] Dan Rosendorf's research shows that removing the Elephant Diffuser had an "undeniably negative impact" on the security of BitLocker encryption against a targeted attack.[48] Microsoft later cited performance concerns, and noncompliance with the Federal Information Processing Standards (FIPS), to justify the diffuser's removal.[49] Starting with Windows 10 version 1511, however, Microsoft added a new FIPS-compliant XTS-AES encryption algorithm to BitLocker.[6]


Why an x220? That's a six-year old device that predates many modern security features. Secure Boot isn't evil, works just fine with Linux, and TPMs are useful, too. But the most important thing to do is encrypt your drive, which you can do with an x220 just as well (just make sure you get one that supports AES-NI, I believe the ones with a Core i3 don't).

In any case, if you're coming from a MacBook, you're going to hate the x220's display. It's atrocious, with terrible colours and brightness. It's also a SATA2 device, so a modern SSD won't be able to reach anywhere near its full performance. Unless your budget is around $200 I wouldn't recommend such an old machine. But if you do go down that route, you might like r/thinkpad on reddit. Plenty of people there who mod these old devices and have advice on modernising them.


Side remark: All the methods exposed here requires you to have a good password. In my case, I am using a Yubikey set with a single long fixed password on it + the normal password I can remember.

So, to login/unlock, I type in my password, plug the Yubikey and press the button. This ensures I have a really strong password.

Because if your password is "1234password", all the provided solutions are of no real use.


The interesting part in Apple's FileVault (plus UEFI password) is a Guest access called Safari Only Mode. This mode starts special macOS distro from unencrypted boot partition and allows to run only Safari.app (also terminal.app) The main idea is that thief log in as Guest, connects to WiFi and you can locate your device in Find My Mac. But this mode just allows you to trace device via IP geolocation since macbook never had GPS module like iphones do, so this geolocation is not accurate enough and not useful. You will just see the city or district located from ISP. The real useful information will be WiFi AP MAC addresses (BSSID) located nearby the stollen macbook. Having this information you can quite accurate locate your stolen device and return it!

But I can't add my custom shell script into Safari Mode because of macOS SIP (system integrity protection) that I don't want to disable. Also every major update overwrites changes on boot partition.

I would appreciate for any help with this project. My goal is to build some kind of computrace for macbooks that will be much useful that current Find My Mac.


>But this mode just allows you to trace device via IP geolocation since macbook never had GPS module like iphones do, so this geolocation is not accurate enough and not useful. You will just see the city or district located from ISP.

That's not quite true. IIRC, even without a GPS module, macOS sends a list of nearby WiFi APs to the geolocation API, which usually allows for a pretty accurate response (the same you'd get on an iOS device indoors without GPS reception)


But I wan't to know the exact list of BSSID/SSID and RSSI of each so I can go to this place and find device by measure signal level of wifi access points.


This is exactly what the API uses to triangulate your position.


Have a look at https://www.preyproject.com/

Open source, cross platform.


This is pretty neat, but do note that the remote wipe feature as described by OP requires a subscription: https://www.preyproject.com/pricing. But I suppose this isn't a huge issue if you're already using full-drive encryption.


Those prices are nuts


Why nuts?


$5/mo for something I may never use. It's not even offering replacement insurance. I get all the music I want for double that (spotify) or all the streaming (netflix).


Set up your Linux laptop's filesystems to use LVM and LUKS encryption, and just encrypt the whole darn thing. Works with hybernation, too. Here's Slackware's simple guide: http://ftp.slackware.com/pub/slackware/slackware-14.1/README...

If you want to be super paranoid, add a keychain usb stick as a required key to decrypt the filesystem so you get 2-factor authentication.


> If you want to be super paranoid, add a keychain usb stick as a required key to decrypt the filesystem so you get 2-factor authentication.

If you do this, make sure to have a backup! Flash drives don't last forever, and are easier to lose than a laptop.


Make sure you get a laptop with a self-encrypting SSD that supports TCG OPal. This will give you maximum speed sector-level encryption. Read this post on my nerd-blog: https://vxlabs.com/2015/02/11/use-the-hardware-based-full-di... (no ads, no referrals, really just info) which explains at a high level how SSD-based encryption works.

The open-source msed tool has now been renamed to sedutil see https://github.com/Drive-Trust-Alliance/sedutil but it still works the same way.

It would still be possible for a sufficiently advanced thief to secure erase the drive (they need to know how to use TCG Opal to do that), but they will never see your data.


My list of SSD models that support built-in encryption, from a few years ago when I was looking into them. Outdated and possibly incomplete, but a reasonable place to start if you're not just going to pick up a Samsung Evo or Evo Pro.

Samsung 840 & 850 drives (EVO and PRO)

Crucial MX100 and MX200, but NOT BX100

Sandisk X300s

Kingston KC300

OCZ ARC 100

OCZ Radeon R7

OCZ Vector 180

PNY CL4111

Intel 520 series (128-bit only? Old model)

Intel 530 series (old)

Intel 535 series

Intel 730 series


Is this necessary for optimal security on a MacBook?


How does built-in disk encryption on OSX compare to 3rd party solutions?


Good question. I've not seen any serious technical analyses of the MacBook. So far only that one must enable an option not to store the keys in memory if one expects to remain secure when the computer isn't powered off.


Choose a disk that supports Full Disk Encrpytion. Lenovo has this - http://www.lenovo.com/support/fde. This way the encryption/decryption is done by the chip inside HDD and there is no OS security issue that can compromise the data or performance hit on the main cpu. Don't forget to set the HDD password in the BIOS. Everytime system boots, it should ask you for the disk password as first step. If it does not ask the password, then you have not set it up right.

On the Linux OS itself, follow good personal security practices - use strong password, use 2FA (see FIDO devices like YubiKey), disable unnecessary services, install software downloaded from trusted, well-reviewed sources only etc. If you did the HDD encryption above, there is no need to do filesystem encryption again in Linux.


> Choose a disk that supports Full Disk Encrpytion ... This way the encryption/decryption is done by the chip inside HDD and there is no OS security issue that can compromise the data or performance hit on the main cpu.

The parent is referring to Self Encrypting Drives (SED), AFAICT. I looked into them a little recently, but I'm not an expert. Consider the following only a starting point:

Beware that not every SED tech is equally secure; some are easily bypassed. The industry standard, and the one I would depend on, is Opal. It usually requires tools in the OS to activate, but I would be surprised if those tools weren't available for major Linux distros.

https://www.trustedcomputinggroup.org/storage-work-group-sto...

Microsoft provides something called eDrive, which AFAICT (I looked at it briefly) integrates Windows Bitlocker with SEDs.

> Lenovo has this

SED tech is a feature of the hdd/ssd, not the computer vendor. The BIOS has to integrate with the SED but I think that is standard, at least in business-class computers (but double-check before you buy!).


The X220 comes with CompuTrace and Intel Anti-Theft, which provide the same features on Windows.

One big feature: They also backdoor any new Windows installations on the same device, so if your hacker wipes or removes your hard disk, his new replacement install will be bricked as well.

As such, step one will be hard disk encryption (as mentioned by others) so thieves can't access your data. Step two, if that's not enough for you, is activating either of the two anti-theft measures to brick the device if the hacker tries to reinstall Windows.


https://github.com/cgarduno1garduno/Macbook-Security/blob/ma...

I found this issue a while back on Macbooks. I'll update my github soon with more details and some images to demonstrate the process. I read this post and I figured I could whip something together and see what people think.


As long as you had FileVault enabled (& good password management), that's basically all you needed.

Without FileVault, you can totally still access the laptop and data. Sadly Macs do not have anywhere near the device protection that iPhones do - even the new ones. But data encryption is what you need.

You can do that same in the installer for Ubuntu Linux. I personally prefer the encrypt home directory option over the full disk option, but there are trade-offs.


> As long as you had FileVault enabled (& good password management), that's basically all you needed.

Does that protect your computer if it's asleep? My guess is most Macbooks are either asleep or on 99% of the time.


> You may wish to enforce hibernation and evict FileVault keys from memory instead of traditional sleep to memory:

  $ sudo pmset -a destroyfvkeyonstandby 1
  $ sudo pmset -a hibernatemode 25
> If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings. Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See issue #124 for more information. These settings can be changed with:

  $ sudo pmset -a powernap 0
  $ sudo pmset -a standby 0
  $ sudo pmset -a standbydelay 0
  $ sudo pmset -a autopoweroff 0
See [1] for more macOS hardening tricks.

[1] https://github.com/drduh/macOS-Security-and-Privacy-Guide#fu...


Apple's own Best Practices doc for FileVault 2 is also useful read for those interested: http://www.training.apple.com/pdf/WP_FileVault2.pdf


Thinkpads have BIOS options for full disk encryption (requires password to decrypt at boot time) and boot password (requires password to boot).


My laptop was stolen last Friday.

I don't need to be concerned about the thief accessing sensitive documents as I setup full disk encryption (dm-crypt & LUKS) with this kind of scenario in mind.

The only negative I can think of is that I cannot make use of tracking software like Prey due to the entire drive being encrypted. A trade-off that I'm happy to live with.


> The only negative I can think of is that I cannot make use of tracking software like Prey due to the entire drive being encrypted. A trade-off that I'm happy to live with.

You could have a separate, minimal OS as a honeypot.


Full Disk Encryption is the answer for you.

A side question (sorry):

So if you ever buy any mac device, will wiping it (reinstall from USB disk) remove it from the Find My Phone system, or does the previous owner (if they set it up) keep the option of locking the device remotely and holding it to ransom?


The seller has to disassociate the device with their account or you have to reset the PRAM. A simple wipe and OS reinstall will not be enough. If you are doing an in-person sale you should insist that the seller login to the machine with you watching, go to the iCloud pref panel and show that Find My Mac is turned off and the system has no associated iCloud account. Since having the device still associated with their account would give you access to their pics et al this is probably a good idea for the seller as well.


I remember seeing apps that silently take photos with the webcam and upload them to a location only you can access, every time someone opens the laptop's lid and at regular intervals. May even be trivial to write such an app.


If remote wipe is not possible in Linux, Maybe we also need the feature to automatically "destroy all data" when the laptop hadnt been logged in for too long.


What could possibly go wrong?


Can't comment on Linux - but curious if the location was discovered as well if the erase process had started? And if so, did you report it to the police?


The erase process started, but the location was not found. Actually, I didn't activate location access on that device, sadly, I didn't think it could be stolen :( And yes, I did report to police when I lost it, but without the location tracking, it's hopeless.


Something similar happened to me with an old location-enabled iPad. The iPad was showing up in a different country, and I was flummoxed on how to proceed as I didn't feel my local police department was going to follow-up with separate country.


True. In my case, I think the thief already sell it to another guy. Poor him, he got a locked Mac right now.


Intel's management engine can do this sort of thing (at a level below the bios), but I think it can only be activated as part of enterprise tools.


There was once this thing called anti-theft or computrace... I remember having a sticker on my Vaio about that.

What was it? Was it any useful?


Is there a way to encrypt the hdd, an option like mac on "find my phone", remote erase on windows 10 on dell.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: