08-04-2020, 02:15 AM   #1
uksnowy
Human being with feelings
Join Date: Feb 2008
Location: 6950 DK
Posts: 661
Laptop/media security

Like many of you, I use a high-spec laptop as my composition computer. I have been thinking lately about security, as in if the machine gets stolen I don't want the thieves to have access to my productions. I have backups of productions and samples etc, that is not my fear. It is simply someone getting hold of my work in progress. The laptop can be replaced.

I have been looking at using something like Rohos disk encryption which renders the disk useless without a USB key. I suspect that this will come with process overhead.
https://www.rohos.com/products/rohos-disk-encryption/

Does anyone else have a good way to render a computer useless without a key? What options are there?
__________________
REAPING HAVOC SINCE 2008
08-04-2020, 06:13 AM   #2
karbomusic
Human being with feelings
Join Date: May 2009
Posts: 29,269

If Windows, BitLocker comes with the OS and no one is decrypting your data unless they have your credentials. I believe the machine needs a TPM chip though which it should if recent enough?
__________________
Music is what feelings sound like.
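
For the BitLocker suggestion above, a way to check what state a Windows laptop is actually in (an added example, not code from the thread). `Test-VolumeProtection` is a hypothetical helper name and the two sample volumes are constructed; the property names are the ones `Get-BitLockerVolume` returns.

```powershell
# Added example: audit BitLocker state for the "laptop gets stolen" scenario.
# Test-VolumeProtection is a hypothetical helper. It only reads properties that
# Get-BitLockerVolume objects expose, so it also works on constructed samples.
function Test-VolumeProtection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        $findings = @()
        # Key protector types present on the volume (Tpm, TpmPin, RecoveryPassword, ...)
        $types = @($Volume.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { "$($_.KeyProtectorType)" })
        $status     = "$($Volume.VolumeStatus)"
        $protection = "$($Volume.ProtectionStatus)"

        if ($status -ne 'FullyEncrypted') {
            $findings += "not fully encrypted ($status, $($Volume.EncryptionPercentage)%)"
        }
        if ($protection -ne 'On') {
            $findings += 'protection is off or suspended'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector: create and store one off the laptop'
        }
        if ($types -contains 'Tpm' -and $types -notcontains 'TpmPin') {
            $findings += 'TPM-only: unlocks at boot with no PIN, so the Windows logon is the only gate'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Method     = "$($Volume.EncryptionMethod)"
            Protectors = $types -join ','
            Protected  = ($status -eq 'FullyEncrypted' -and $protection -eq 'On')
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output (not real data).
$samples = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        EncryptionMethod = 'XtsAes128'; EncryptionPercentage = 100
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
        EncryptionMethod = 'None'; EncryptionPercentage = 0
        KeyProtector = @()
    }
)
$samples | Test-VolumeProtection | Format-List

# On a real machine, from an elevated prompt:
#   Get-Tpm | Select-Object TpmPresent, TpmReady
#   Get-BitLockerVolume | Test-VolumeProtection | Format-List
```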
08-04-2020, 06:42 AM   #3
serr
Human being with feelings
Join Date: Sep 2010
Posts: 12,632

If it's a high spec Mac, the stock disk encryption will make your hard drive a paperweight to anyone else in the world. Not even Apple can decrypt it without your password.

The con is you sacrifice performance a decent amount running with an encrypted drive as you might expect. Depending on what you're doing, you might have enough machine to never notice that. So don't dismiss it immediately.

Then there's the firmware password. This one is serious! If you forget it, your logic board is effectively bricked! It's programmed into an actual chip on the logic board. Not even the chip maker can recover it. Careful with this one! It's not kidding! You'd have to buy a replacement EFI chip pre-programmed on eBay and rework the logic board. The OSX password in contrast is like a "children's password". Boot into recovery mode and change it as you please.

Note that the firmware password is required to boot into recovery mode, the system picker, and other startup options if set.


Only do this if there's a true risk of someone going after your physical stuff.
The firmware lock makes the machine a paperweight. The logic board anyway, and that's the expensive bit. The encryption would prevent data theft. Unless your music is known, no one is going to look on your hard drive for anything if they steal your machine. They'll just wipe the drive and clean install the OS like it's just another Tuesday.

Last edited by serr; 08-04-2020 at 06:48 AM.
08-04-2020, 06:52 AM   #4
Fex
Human being with feelings
Join Date: Dec 2011
Location: Portsmouth, UK
Posts: 4,376

Quote:
Originally Posted by uksnowy View Post
I don't want the thieves to have access to my productions.
Unless you're in the Rolling Stones or something, thieves aren't even going to look at your Reaper projects.

They're going to:

# Search for porn;
# Maybe attempt to wipe everything but the OS;
# Sell the laptop to Freddy the Fence;
# Buy heroin.

That is all.

If you're concerned, buy a large encyclopedia and cut a hole in the pages to hide your laptop in. Books are like kryptonite to thieves.
08-04-2020, 07:02 AM   #5
serr
Human being with feelings
Join Date: Sep 2010
Posts: 12,632

Quote:
Originally Posted by Fex View Post
Unless you're in the Rolling Stones or something, thieves aren't even going to look at your Reaper projects.

They're going to:

# Search for porn;
# Maybe attempt to wipe everything but the OS;
# Sell the laptop to Freddy the Fence;
# Buy heroin.

That is all.

If you're concerned, buy a large encyclopedia and cut a hole in the pages to hide your laptop in. Books are like kryptonite to thieves.
Not even.
Boot it in target disk mode.
Format.
Install OS.
Sell.


You would in fact need to be in the Rolling Stones or bigger too! U2, for example, would just get a complaint if someone found their music on your hard drive.

Last edited by serr; 08-04-2020 at 12:47 PM.
08-04-2020, 07:57 AM   #6
Fex
Human being with feelings
Join Date: Dec 2011
Location: Portsmouth, UK
Posts: 4,376

Quote:
Originally Posted by serr View Post
Boot it in target disk mode.
That's already beyond the ability of most thieves that I know. Some would struggle to spell "porn."
Quote:
Originally Posted by serr View Post
U2, for example
Interesting example - someone did, in fact, steal some of their data:

https://www.theguardian.com/uk/2004/.../arts.netmusic
08-04-2020, 09:27 AM   #7
serr
Human being with feelings
Join Date: Sep 2010
Posts: 12,632

Quote:
Originally Posted by Fex View Post
That's already beyond the ability of most thieves that I know. Some would struggle to spell "porn."
Look for porn on someone else's computer where you don't know what their sexual identity is?! Ew! There are things that can't be unseen you know.

Quote:
Originally Posted by Fex View Post
Interesting example - someone did, in fact, steal some of their data:

https://www.theguardian.com/uk/2004/.../arts.netmusic
No. They had iTunes give their new album away to everyone with an account a while back. Everyone complained.


Yeah, encryption or OS passwords or "find my _____" services rely on the thief having literally no computer knowledge whatsoever. The firmware password actually has teeth. But it's a deadman's switch. "If I can't have it, either can anyone else!"

Encryption will protect your data though. But only your data. Firmware password is a deadman's switch for the hardware but will not protect your data. Except on the post-Jobs Macbooks with the hard drive soldered into the logic board. Those are indeed locked down. They're so secure that even if something goes wrong with the logic board (as they tend to do after the Jobs era), you won't get any data recovered even if you have all the passwords!

Last edited by serr; 08-04-2020 at 09:35 AM.
08-04-2020, 11:30 AM   #8
Fex
Human being with feelings
Join Date: Dec 2011
Location: Portsmouth, UK
Posts: 4,376

Quote:
Originally Posted by serr View Post
No. They had iTunes give their new album away to everyone with an account a while back.
I know. Outrageous. Different incident entirely.

I mentioned the theft of their music data just because, y'know, it's a thread about music data theft, and you mentioned U2.
08-04-2020, 12:57 PM   #9
serr
Human being with feelings
Join Date: Sep 2010
Posts: 12,632

Quote:
Originally Posted by Fex View Post
I know. Outrageous. Different incident entirely.

I mentioned the theft of their music data just because, y'know, it's a thread about music data theft, and you mentioned U2.
People are funny aren't they!
Someone will go to great length to pirate something. They might even spend time fussing over finding a HD version. Can't just settle for an mp3, right? And fans will just stalk a band looking for a work in progress to leak. Then a big name band comes along and surprise gives away their new album and everyone complains! Dumb people were treating it like they got "hacked" if I recall.
(Does everyone just know that "hacked" written with quotes means "left facebook logged in"?)
08-04-2020, 01:53 PM   #10
Fex
Human being with feelings
Join Date: Dec 2011
Location: Portsmouth, UK
Posts: 4,376

Quote:
Originally Posted by serr View Post
(Does everyone just know that "hacked" written with quotes means "left facebook logged in"?)
Whereas "hacked" written without quotes normally means "all my passwords are 12345, and I'm ok with that."
08-05-2020, 02:58 AM   #11
uksnowy
Human being with feelings
Join Date: Feb 2008
Location: 6950 DK
Posts: 661

Quote:
Originally Posted by Fex View Post
Unless you're in the Rolling Stones or something, thieves aren't even going to look at your Reaper projects.

They're going to:

# Search for porn;
# Maybe attempt to wipe everything but the OS;
# Sell the laptop to Freddy the Fence;
# Buy heroin.

That is all.

If you're concerned, buy a large encyclopedia and cut a hole in the pages to hide your laptop in. Books are like kryptonite to thieves.
Brilliant advice.. LOL.
__________________
REAPING HAVOC SINCE 2008
08-05-2020, 02:59 AM   #12
uksnowy
Human being with feelings
Join Date: Feb 2008
Location: 6950 DK
Posts: 661

Quote:
Originally Posted by karbomusic View Post
If Windows, BitLocker comes with the OS and no one is decrypting your data unless they have your credentials. I believe the machine needs a TPM chip though which it should if recent enough?
Does that run without overhead? Constantly encrypting/decrypting.
__________________
REAPING HAVOC SINCE 2008
08-05-2020, 03:00 AM   #13
uksnowy
Human being with feelings
Join Date: Feb 2008
Location: 6950 DK
Posts: 661

Quote:
Originally Posted by serr View Post
If it's a high spec Mac, the stock disk encryption will make your hard drive a paperweight to anyone else in the world. Not even Apple can decrypt it without your password.

The con is you sacrifice performance a decent amount running with an encrypted drive as you might expect. Depending on what you're doing, you might have enough machine to never notice that. So don't dismiss it immediately.

Then there's the firmware password. This one is serious! If you forget it, your logic board is effectively bricked! It's programmed into an actual chip on the logic board. Not even the chip maker can recover it. Careful with this one! It's not kidding! You'd have to buy a replacement EFI chip pre-programmed on eBay and rework the logic board. The OSX password in contrast is like a "children's password". Boot into recovery mode and change it as you please.

Note that the firmware password is required to boot into recovery mode, the system picker, and other startup options if set.


Only do this if there's a true risk of someone going after your physical stuff.
The firmware lock makes the machine a paperweight. The logic board anyway, and that's the expensive bit. The encryption would prevent data theft. Unless your music is known, no one is going to look on your hard drive for anything if they steal your machine. They'll just wipe the drive and clean install the OS like it's just another Tuesday.
Not a mac user. Sorry I should have said. Thanks though.
__________________
REAPING HAVOC SINCE 2008
08-05-2020, 04:40 AM   #14
karbomusic
Human being with feelings
Join Date: May 2009
Posts: 29,269

Quote:
Originally Posted by uksnowy View Post
Does that run without overhead? Constantly encrypting/decrypting.
Every type of encryption has a small bit of overhead. I haven't noticed on the one machine I have encrypted though.
__________________
Music is what feelings sound like.
08-05-2020, 05:25 AM   #15
cyrano
Human being with feelings
Join Date: Jun 2011
Location: Belgium
Posts: 5,246

I've been using disk encryption in various forms. I can't notice it and even running a disk performance test shows very little change.

It's not "constantly decrypting and encrypting". It fetches a key when booting. That takes less than a second. Once booted/mounted, it's as fast as your SSD can go.

I wouldn't recommend it for an older Core duo with spinning rust, but every recent machine should be OK, even with audio.
__________________
In a time of deceit telling the truth is a revolutionary act.
George Orwell
08-05-2020, 07:48 AM   #16
toleolu
Human being with feelings
Join Date: Apr 2014
Posts: 2,423

In my last real job, I worked for the state agency that managed the state owned hospitals here. For HIPAA compliance, we had to install disk encryption on all laptops. I forget what we used, I think it was something from McAfee but don't hold me to that.

Didn't really affect performance that much, granted those laptops weren't hammered like what you find with audio, but then again, those laptops back then weren't as powerful as they are now.

Some type of disk encryption looks like it might be your best bet.
__________________
I wish I was the full moon shining off a Camaro's hood. - Pearl Jam
08-05-2020, 11:33 AM   #17
cyrano
Human being with feelings
Join Date: Jun 2011
Location: Belgium
Posts: 5,246

I keep "critical" data on an encrypted growing image file. If the laptop gets stolen, it's just one big file to the curious thief. No password = no access and no idea what's in it.

It's fine assuming your average thief isn't a computer wizard. But besides thievery, laptops also are lost. Left mine at the McDo counter a few days ago. It was several hours before I realised I seemed to be missing something.

The account login pw is easy to reset. Data is still safe, cause brute-forcing the pw for the image would take ages.

The main reason I do it this way, is because I need to change from one machine to another every once in a while. So I just need to copy the one file...
__________________
In a time of deceit telling the truth is a revolutionary act.
George Orwell
08-06-2020, 03:05 AM   #18
uksnowy
Human being with feelings
Join Date: Feb 2008
Location: 6950 DK
Posts: 661

Quote:
Originally Posted by karbomusic View Post
Every type of encryption has a small bit of overhead. I haven't noticed on the one machine I have encrypted though.
Awesome.. thank you.
__________________
REAPING HAVOC SINCE 2008
08-06-2020, 03:06 AM   #19
uksnowy
Human being with feelings
Join Date: Feb 2008
Location: 6950 DK
Posts: 661

Quote:
Originally Posted by cyrano View Post
I've been using disk encryption in various forms. I can't notice it and even running a disk performance test shows very little change.

It's not "constantly decrypting and encrypting". It fetches a key when booting. That takes less than a second. Once booted/mounted, it's as fast as your SSD can go.

I wouldn't recommend it for an older Core duo with spinning rust, but every recent machine should be OK, even with audio.
This sounds cool. What are you using?
__________________
REAPING HAVOC SINCE 2008
08-06-2020, 03:08 AM   #20
uksnowy
Human being with feelings
Join Date: Feb 2008
Location: 6950 DK
Posts: 661

Quote:
Originally Posted by cyrano View Post
I keep "critical" data on an encrypted growing image file. If the laptop gets stolen, it's just one big file to the curious thief. No password = no access and no idea what's in it.

It's fine assuming your average thief isn't a computer wizard. But besides thievery, laptops also are lost. Left mine at the McDo counter a few days ago. It was several hours before I realised I seemed to be missing something.

The account login pw is easy to reset. Data is still safe, cause brute-forcing the pw for the image would take ages.

The main reason I do it this way, is because I need to change from one machine to another every once in a while. So I just need to copy the one file...
This also sounds like an option. What application are you using to control it all?
__________________
REAPING HAVOC SINCE 2008
08-06-2020, 04:01 AM   #21
cyrano
Human being with feelings
Join Date: Jun 2011
Location: Belgium
Posts: 5,246

I'm a Mac user. On a Mac, you simply use Disk utility to create the disk image. That's all. After that, the file behaves like a disk image. It will grow as you add data.

On Windows there are several utilities that allow the same thing. Look for "password protected zip", or something like it.

Here's an old PC World article about it:

https://www.pcworld.com/article/2954...right-way.html

I don't know if this is really up-to-date. There seem to be a lot of zip pw crackers around.
__________________
In a time of deceit telling the truth is a revolutionary act.
George Orwell
08-06-2020, 06:24 AM   #22
serr
Human being with feelings
Join Date: Sep 2010
Posts: 12,632

I pretty much do the same thing. Any critical/sensitive personal data is kept offline. There's just no reason to decide to keep sensitive data on a network connected machine and then have to make performance vs security decisions.

Disk Utility certainly works for that. I also like Carbon Copy Cloner for making backup clones. I think Windows users like Macrium.

I use Little Snitch for a network monitor. This will obviously alert you if you install some app that likes to call home a lot. Then you can decide if that behavior is acceptable and decide to keep it or not. And of course if you install something that wasn't supposed to be making outside connections at all but... there it goes.

Security should be some cryptic thing relying on some app! Just know what your file system looks like and where things are and use basic common sense. You wouldn't put a big "wallet box" on your front porch with a big fancy looking lock on it. You'd just keep it inside on a table.

Speaking of clones. Keep a couple clones of your system on external drives kicking around so you always have a drive that boots your machine available. If you only keep the one internal system drive and something gets corrupt or fails, you'd have to start installing OS from the installer. (Which you should also keep on hand!)
09-09-2020, 04:47 PM   #23
panicaftermath
Human being with feelings
Join Date: Dec 2014
Posts: 543

My laptop is partitioned so that all my work and personal information resides in an encrypted TrueCrypt/VeraCrypt container of 100Gb.

Upon booting into Windows normally, I mount that container as a regular drive, and have access to it just like any other drive, without any decryption overhead.

When dismounted, the container is just a 100Gb file on my d: drive that is useless without a password.

I back up to WD Passports that are also entirely encrypted with TrueCrypt.

I've been doing this since Windows 7, and my laptop is still running Windows 8.1. I have BitLocker on my Surface Pro with Windows 10, but it hasn't yet earned my trust.

TrueCrypt (VeraCrypt is the current descendant fork of TrueCrypt, or something to that effect) has been great. 100% reliable and transparent.
09-10-2020, 06:42 AM   #24
uksnowy
Human being with feelings
Join Date: Feb 2008
Location: 6950 DK
Posts: 661

This sounds interesting.
__________________
REAPING HAVOC SINCE 2008
Yesterday, 02:48 PM   #25
Norte
Human being with feelings
Join Date: Jan 2023
Posts: 8

Quote:
Originally Posted by panicaftermath View Post
My laptop is partitioned so that all my work and personal information resides in an encrypted TrueCrypt/VeraCrypt container of 100Gb.

Upon booting into Windows normally, I mount that container as a regular drive, and have access to it just like any other drive, without any decryption overhead.

When dismounted, the container is just a 100Gb file on my d: drive that is useless without a password.

I back up to WD Passports that are also entirely encrypted with TrueCrypt.

I've been doing this since Windows 7, and my laptop is still running Windows 8.1. I have BitLocker on my Surface Pro with Windows 10, but it hasn't yet earned my trust.

TrueCrypt (VeraCrypt is the current descendant fork of TrueCrypt, or something to that effect) has been great. 100% reliable and transparent.
It seems to be a good solution. Thanks for sharing!
Yesterday, 02:52 PM   #26
Leo777
Human being with feelings
Join Date: Nov 2018
Posts: 32

Quote:
Originally Posted by toleolu View Post
In my last real job, I worked for the state agency that managed the state owned hospitals here. For HIPAA compliance, we had to install disk encryption on all laptops. I forget what we used, I think it was something from McAfee but don't hold me to that.

Didn't really affect performance that much, granted those laptops weren't hammered like what you find with audio, but then again, those laptops back then weren't as powerful as they are now.

Some type of disk encryption looks like it might be your best bet.
Based on my experience working with state-owned hospitals and ensuring HIPAA compliance through disk encryption, I'd now recommend considering addressing aci learning customer service for comprehensive cybersecurity training. Understanding encryption protocols is important for data security in healthcare settings.

Last edited by Leo777; Today at 07:14 AM.
Yesterday, 03:18 PM   #27
Frank Lee Scarlett
Human being with feelings
Join Date: Oct 2021
Posts: 1,147

I WISH someone would steal my music and make millions of dollars off it!

All times are GMT -7.