[svlug] sparcstation 5: first steps

Dagmar d'Surreal dagmar at dsurreal.org
Sat Jun 2 18:21:01 PDT 2001

On Fri, 1 Jun 2001, Rick Moen wrote:

> begin Dagmar d'Surreal quotation:
> > The feature is ONLY enabled if you have a boot-up password set on
> > the notebook.  If you need to clone the drive or replace it, it's disabled
> > by merely booting the machine, typing in the password, then entering the
> > BIOS and disabling the password.
> Well, my point concerned the situation after the BIOS password has been
> thus set:  If the password changes spontaneously (which happens), or the
> responsible party(ies) forget the password, or become unreachable (e.g.,
> quitting the firm), then not only is the data lost, but so is the hard 
> drive as a whole.
> So, this is indeed a potentially useful feature, but also a bit of a
> two-edged sword.  Personally, I'd rather have the reassurance of knowing
> that my hard drive will be pretty much unconditionally readable in
> another machine chassis.  But it does have some merit.

Well, this where the magic phrase "proper policies and
procedures" comes into play.  If an employee has done something (like
refusing to surrender the BIOS password on such a piece of a
equipment) which renders it non-functional, then the employee is to be
held accountable for it if the notebook in question is company property.

Forgetting the password is a relatively easy problem to solve, actually,
but we have to use the "escrow" word that no one much cares for.  Just
have the employees tell their immediate supervisor the BIOS password any
time they change it.  If you can't trust your immediate supervisor
(collusion issues could be a consideration going farther up than that)
then your company has serious problems (although they might be insane
amounts of staff-shortages).

...and I've *never* had a BIOS password spontaneously change.  Heh.

> As an aside, I'll note that, somewhere between you and Raffi, the
> subject got fundamentally changed.  Which is OK, but this is no longer
> the point I was addressing earlier, which was (to quote), to point out
> the reasons why "_software-level_ securing of the console is
> (inherently) just about completely ineffective..." (emphasis added).
> With the above topic shift, we're no longer operating at just the
> software level.

Yup.  I agree.  This is why consoles are supposed to be kept in reasonably
secure physical locations.  Raf decided that this must include notebooks
as well, which are workstations by definition, although people wishing to
run a methamphetamine manufacturing operation or just trying to burn money
at an incredible rate *might* choose to make laptop computers their server
platform of choice... ;)
> > There are two massive issues of security with notebook computers which
> > dwarf all the rest.  They are theft for resale of hardware, and theft
> > for resale of data.  
> This and the excellent points that followed were indeed well said.
> But....
> I'll just point out one more wrinkle that might otherwise be neglected:
> Back when I lived in South of Market, S.F. (upstairs from The CoffeeNet), 
> people's car windows were smashed on-street nearly every evening.  I
> quickly figured out why:  I lived right in the middle of the nightclub
> district, and the smash-and-grab hoodlums knew that large numbers of
> unwary suburbanites drove in to go dancing, more often than not leaving
> their valuables in their car cabins.  So, they flocked to SOMA to smash
> windows:  Find _any_ car that looks cluttered inside, smash from the
> sidewalk side (for concealment), dive in, rummage, and emerge 20 seconds
> later.  There doesn't have to actually _be_ anything valuable to warrant
> a smash-and-rummage; it just has to look promising, from the moron-loser's 
> viewpoint shared by the lowlife who do this stuff.
> Over about the six years I lived at 744 Harrison, my car window got
> smashed exactly once -- because I'd foolishly violated my own rules:
> I'd left my car cluttered, parked right near some nighclubs, in a dark
> spot midway between two streetlights, directly in front of a large truck
> that blocked patrol-cars' view from the street.  A broken 12V car-vacuum
> got stolen.  It wasn't valuable; but it was just promising enough to the 
> thief to cost me $120 in car repairs.

Heh.  Your car looks like you might be able to afford something worth
stealing then.  Back in Nashville I used to be able to tote around
computer equipment with relative impunity because my car looked like a
complete piece of crap.  It was heavily dinged up, visible rust spots,
sand scratches in the windows, warped dashboard, etc.  I called it the
"Rattletrap 2000 Security System".  You'd look at it and think "someone is
probably living in that because they can't afford a cardboard box".  
There were a number of nights where car windows would be busted out where
I parked, but never mine. Anyone looking at my car wouldn't expect much
more than a tetanus infection for their troubles, although if someone
wished to die painfully they might have chosen to steal my carefully
sun-dried half-eaten pack of twinkies that adorned the front of the
dashboard.  ;)  In any case, valuables should be kept in the *trunk* or
left at home if you have a car where one can pull down the back seat
easily to get into the trunk.

> > Mind you, the password MUST be set for this feature to do anything, but it
> > does seem to be a good solution to these two major problems facing
> > notebooks and notebook users.
> My point is that the ThinkPad A20's BIOS cleverness unfortunately does
> _not_ solve problem #1 (though it might solve problem #2, if well enough
> implemented).  The thieves who grab laptop bags from the security
> checkpoints in airports will still grab these.  Later, they may hurl
> them in nearby dumpsters or the Bay, and denying them the laptop's value
> will be at least morally satifying, but not otherwise helpful to the
> erstwhile owner.

Notebook theieves who do target them on a regular basis (and we're talking
about places like hotels and conference rooms, too, not just cars and/or
airports) will eventually recognize models that they won't be able to
resell, and so they're less likely to bother stealing them if they
recognize them.  It doesn't make it impossible to steal them, just
unprofitable, and taking the profit out of crime is usually a fairly
effective deterrent.  For instance, do you know many people who have had
their car stereo with detachable faceplate stolen if the faceplate wasn't
in the car?

More information about the svlug mailing list