Author Topic: Securing a portable machine  (Read 934 times)

Offline Phil

Securing a portable machine
« on: October 08, 2012, 07:59:08 AM »
I am musing on what might be sensible to do to protect a portable machine. My thoughts so far are:

Firewall on

DNS nameserver to opendns or googledns

Sensible passwords

Encrypt any sensitive info and perhaps home directory (truecrypt?)

Set up a decoy user account with perhaps auto login, make it confusing, disable as much functionality.
(Idea being someone stealing the machine will try to use it, Prey will then nab them)

Install Prey, the theft tracking software (I have it running and tested it. Got a mugshot of the perp. It works)

BIOS password protect, disable boot options

Offline horusfalcon

Re: Securing a portable machine
« Reply #1 on: January 27, 2013, 10:38:28 PM »
Wow... necro-posting because this is the first I've seen of this thread, and you might still be looking for help.

You are very practical to consider the things you have.

Firewall:  YES  (Not that it provides more than a first line of defense, but ya gotta start somewhere.)  Close off any ports you don't actually use, and only open them at need.

DNS to open server:  This is more a matter of portability than security.  If you hop connections a lot, yeah, doing this will help make everything just work.

Sensible passwords:  Define "sensible".  Use strong, difficult-to-guess passwords.  There's a good discussion on password entropy in the form of an amusing webcomic here.  (Yes, I loves me some XKCD...)

TrueCrypt:  Oh, Heck Yes!  Properly configured, this stuff baffles even the FBI (but I wouldn't bet against the NSA...)  Read the docs, configure it to meet your needs, and you'll be good to go.

Decoy user account?  Nah... that's called security through misdirection/obfuscation.  It might keep out the curious and the kooky, but a determined data thief will blow right by that stuff.  Remember that user accounts take up space and other resources.

BIOS Passwords, though, can be more trouble than they are worth unless you're dealing with truly sensitive and valuable data.  If you set a BIOS password, test it and then put it on an index card in a safe somewhere.  You don't want to have to deal with trying to bypass a BIOS password on certain machines.  (Some are a lot easier than others, but there are a few notable ones for which BIOS password being lost means a trip back to the manufacturer and proving you own the machine.)

Your best protection measure will be to keep the machine out of sight behind a lockable compartment when not in use.  Once an attacker has physical access, nothing short of TrueCrypt will keep them from obtaining your data. 

Consider a lockable hard-shell case (e.g., Zero Case, SKB, or Pelican, just to name a few).  They tend to be expensive, but will prove worth it the first time someone drops it trying to "help you out".

Good to see someone else thinking about security - NASA lost another laptop last month so we're finally getting Data-At-Rest protection at work on all laptops.  (I just wish they hadn't gone with Symantec...{grumble, grumble - proprietary crap}.)

Here's hoping you never need all that security.

Later ON,
D

"The Way is not a matter of knowing or not knowing.  One word to a wise man; one lash to a bright horse."

Dell Latitude D620, PCLinuxOS 2012.08 KDE4/LXDE, 3.2.18.pclos.bfs, specs here.

Offline Phil

Re: Securing a portable machine
« Reply #2 on: January 28, 2013, 01:00:11 AM »
Hi hf,

I am on the road now with the diminutive Aspire D270. Used it in airports, on the plane, and using hotel wi-fi. Got most of my DVDs and CDs on the machine so it is a portable entertainment system. Also took along some very small speakers.

Issues:

I have to instruct a connection to opendns for any new wifi connection. resolv.conf may be wiped for every connection. Not a biggy.

Decoy account in use as I type. Started automatically and encourages use of machine so I get Prey info. Prey tested and got good pics of the decrepit test perp.....

Hotel wifi is a pain.

The machine is very portable and has good storage, so trumps a tablet. I like a reasonable keyboard. Lasts about 6 hours on battery so does the job.

To be done: SSH tunnel to something like a Raspberry Pi, so I can get a secure and trusted link. Then VNC with LXDE desktop. Tested this at home so potentially works. Care on passwords and RSA certs if used, need to secure certs with say TrueCrypt.

Also going through airports is a pain and in certain parts of the world difficult. I avoid that part of the world now.

My desktop looks like W7 from a cursory glance. Just a typical machine....

PS There is zulucrypt in the repo which is similar to tc but easier to use. Not as well known so not as obvious to outside eyes.


Offline YouCanToo

Re: Securing a portable machine
« Reply #3 on: January 28, 2013, 01:18:23 AM »
Quote from Phil:
"I have to instruct a connection to opendns for any new wifi connection. resolv.conf may be wiped for every connection. Not a biggy."

If you are using wireless instead of ethernet then use the script ifcfg-wlan0 instead.
Add your dns numbers to your /etc/sysconfig/network-scripts/ifcfg-eth0 script like this.

DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.25
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=yes
DNS1=208.67.222.222
DNS2=208.67.220.220

RESOLV_MODS=no
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=yes

Save your file. Next time you boot you will have the same DNS numbers, each and every time.

Be sure to visit the NEW Knowledge Base


Linux is user-friendly- it's just picky who its friends are!
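
A check for the DNS issue discussed in the post above, as an added example that is not part of the original thread: it reads a resolv.conf-style file and reports any nameserver other than the two OpenDNS addresses from the ifcfg file. The function name check_resolvers and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): detect when a new DHCP lease has
# replaced the pinned resolvers. Function name and sample data are constructed.

# Resolvers pinned via DNS1/DNS2 in the ifcfg file above (OpenDNS).
TRUSTED_DNS="208.67.222.222 208.67.220.220"

# check_resolvers FILE
# Prints every nameserver in FILE that is not in TRUSTED_DNS.
# Exit status: 0 = only pinned resolvers, 1 = at least one other resolver,
#              2 = no nameserver line at all.
check_resolvers() {
    awk -v trusted="$TRUSTED_DNS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        # Commented-out entries never match: the keyword must be field 1.
        $1 == "nameserver" && NF >= 2 {
            seen = 1
            if (!($2 in ok)) { print $2; bad = 1 }
        }
        END { if (!seen) exit 2; exit bad + 0 }
    ' "$1"
}

# Constructed sample: resolv.conf as rewritten after joining a hotel network.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not real output
search hotel.example
nameserver 10.20.0.1
nameserver 208.67.222.222
EOF

unpinned=$(check_resolvers "$sample") && rc=0 || rc=$?
case $rc in
    0) echo "OK: only pinned resolvers in use" ;;
    1) echo "WARNING: resolver(s) outside the pinned set: $unpinned" ;;
    2) echo "WARNING: no nameserver configured" ;;
esac
rm -f "$sample"
```

Pointed at /etc/resolv.conf after each new connection, a status of 1 means lookups are going to a resolver the network supplied rather than the pinned ones.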

Offline horusfalcon

Re: Securing a portable machine
« Reply #4 on: January 28, 2013, 08:52:11 AM »
Thanks for the DNS tip, YouCanToo!  That's good stuff!

Hey, Phil,

If the dummy account is something Prey wants you to set up, sure, why not?  I have no experience with Prey so can't really recommend it or not.

Hotel wifi can be a bummer sometimes, but check in at the desk and see if they have any special instructions - may make things simpler?  The alternatives (phone tether, 4G portable hotspot) are usually less friendly or much more expensive.  Some of the hotels I've been to in the last few years have had Ethernet ports in their rooms. 

It sounds like you do a lot of traveling.  Be careful out there...

Later On,
D

Offline muungwana

Re: Securing a portable machine
« Reply #5 on: January 28, 2013, 09:35:48 AM »
Quote from Phil:
"Encrypt any sensitive info and perhaps home directory (truecrypt?)"

Encrypting a partition in PCLinuxOS is very simple. Just create a partition in PCC and tick the "encrypt partition" check box.

The partition will be encrypted using cryptsetup, a front end to dm-crypt, which is an infrastructure in the Linux kernel that deals with block device encryption.

.. 3 things are certain in life : death, taxes and software bloat ..
.. tell me something i don't know, something i can use as i struggle to reason with the world around me ..

Offline YouCanToo

Re: Securing a portable machine
« Reply #6 on: January 28, 2013, 08:01:26 PM »
Quote from horusfalcon:
"Thanks for the DNS tip, YouCanToo!  That's good stuff!"

On our knowledge base is a small article I wrote about changing it.  http://www.pclinuxoshelp.com/index.php/DNS,_Changing_your



