A secure, but recoverable laptop

Prey Project Logo

Prey helps you track stolen computers, phones and tablets

Traditionally, in performing security audits for clients, I ask them to consider the tradeoff they are willing to make between the security of their data and their devices, and the inconvenience of implementing the security measures in the first place.

This is not an insignificant question. Even simple security measures on computing devices require a level of discipline, training and understanding that some folks are just not willing to put up with. For instance, when we install a password manager like 1Password on client machines, it takes five minutes. Training and education for you and your employees might take hours or days depending on the size of deployment. But if people refuse to use the system and continue to choose “abc123” as their password for every service they use, then we’ve failed.

Fortunately, the software solutions to enable secure and safe computing are getting so good that inconvenience is being minimized. Forward thinking companies are able to empower their employees with the tools to protect themselves online, as well as the data on their devices should they be lost or stolen.

However, ever one to complicate a good thing, and go the extra mile for my clients, when it comes to data on physical devices, I ask them to consider something else to trade off: Recoverability.

Now that our computing devices are connected to the Internet pretty much all the time, there are a variety of software solutions you can install on your computer to assist you and law enforcement to track down lost and stolen devices. For example, I detailed a recent case where the Apple Find my iPhone service was an absolute lifesaver in helping me recover my wife’s lost iPhone.

But what if your device is stolen? Software such as Prey works by using your hardware against the thief. So if a thief is using your laptop for example, Prey operates in the background and uses the webcam to snap a picture, take a screenshot of what the thief is looking at, and uses wifi data to report the laptop’s location. It uploads all of that data to Prey on a regular basis. There are some great stories they publish of happy users who have recovered their stuff.

“Great!” say the clients. “Let’s set that up!”

So here’s the catch: The thief needs to be able to use your computer for Prey to do its thing. So: Do you want a shot at recovering your computer, or would you rather have your computer completely inaccessible to thieves. Remember, there could be sensitive data on your computer that opens you up to identity theft. Depending on the client, we usually recommend data security over recoverability. Back up your data with discipline, kiss your computer goodbye, file an insurance claim and we’ll get you up and running as quickly as we can with a new device.

A client of mine put it succinctly. The instructions he gave about how his devices were to be secured in case of theft were music to my ears: “I want these things to be doorstops. Completely useless.”

However, we’ve recently implemented some options with Apple Macbooks that allow us to secure the devices, while still allowing for the possibility that we can help you recover the computer. This is a Mac specific solution, but the theory can be applied to other machines, and we’re investigating a method to implement on PCs as well. I won’t go into all the nitty gritty details about this here, but here are the basics of the method.

Back up your data:

This should go without saying, but hey, we’re saying it. Did you back up your data? Do it. Now.

Firmware Password:

Your Mac’s firmware is basically equivalent to your PCs BIOS. A tiny bit of software that governs how the computer boots and operates before the Operating System even loads from the hard drive. Apple provides a tool allowing you to set a password on the firmware. For every day use, this actually does nothing. Restart your computer and it will boot as usual. However, if a thief attempted to use a key combination during startup to do something like boot from a DVD or USB drive, he would need to enter your password. A thief might do this in preparation for reinstalling the operating system to prepare your computer for resale. In this case, he would not be able to do that.

Find out more about the Firmware Password Utility at the Apple Knowledge Base. CNet also has some practical tips on how to access the utility if you are having some trouble with your machine.

Decoy Operating System:

We create a small partition on your existing hard drive, and here we install a clean copy of the Mac’s operating system. Using some configuration options, we make this version of the operating system boot and log a default user in automatically. This user is a “non-privileged” user who can’t change configuration options or access certain areas of the operating system. Put some non-sensitive files in this account to make it look like a real account.

This is where we install Prey. We can even set Prey up to automatically report the computer as stolen (Provided it is connected to the Internet) as soon as the computer starts.

There’s a pretty good how-to over at Spider Labs. This is where we got the idea in the first place :-).

Encrypt your “real” Operating System

Your Mac has a built in option for encrypting your entire disk. It’s called FileVault and what it means is that a thief is going to have lot of trouble reading the data on your hard drive without a password or a recovery key that Apple provides you in case you forget your password.

In this particular case, you are not encrypting the “entire” disk, as your “decoy” operating system remains on an unencrypted partition of your disk, but you are encrypting all the data on your “real” operating system, and that should be all that matters.

Apple provides a good review of enabling FileVault in their Knowledge Base. Or try this guide at

The final result:

While all of this takes a bit of time and some careful planning, this is how your Macbook works now:

When you boot your machine, hold down the “Option” key on your keyboard. A screen will come up with a password entry screen. This is the firmware password. Your computer is asking for this because you are using a key to choose which hard drive partition to boot from. Type in the password and choose your original hard drive partition; The one with your “real” or original operating system and information. You’ll then be asked for your user account and password. This should be one of the accounts you chose when encrypting your drive with FileVault. You’ll then have access to the encrypted drive and be able to use the computer normally.

If a thief starts your computer, it will boot into the decoy operating system and automatically log in under the “non-privileged” user you set up. Since your other hard drive partition is encrypted, the user can’t access it. And they cannot change options in the existing operating system very easily, as they don’t have privileges to do so.

Prey will start tracking the computer as soon as it boots, and as soon as it connects to the Internet, it will begin sending reports. Provide these reports to law enforcement and enlist their assistance in getting back your property.

This might all sound a bit complicated and time consuming, but isn’t your data and your gear worth it? All it takes is some planning and forethought. And of course, we’re happy to talk about rolling something like this out to track your gear, but keep your data secure.

Why you activate Find my iPhone

Find iPhone Icon

Apple’s phone locator is built into iOS. But you need to turn it on!

Modern smartphone platforms all have built in GPS, so one of the most potentially useful features of the iPhone and good Android devices is the ability to track the phone if it goes missing. On the iPhone, the capability is built into Apple’s iCloud service. With Android, you’ll need a third party app. Do yourself a favour. Turn on the service on your iPhone. Pay for that 3rd party app and service on Android. Phones go missing. I speak from experience.

Last Friday, a snowstorm hit Toronto and dumped about a foot of snow on the city. My wife had a consulting engagement that involved a day-long facilitation session at a hotel. People had flown in to attend and there was no question of it being cancelled no matter how much snow was falling. My wife hit the streets before 7am to try to find a cab and get to the hotel. She texted me around 7:30 from a cab letting me know she had successfully hailed a cab and that the roads were a nightmare. She then called after 8am from a strange number. She had lost her phone, but would be locked in the facilitation for the whole day.

One of the safety measures we employ on our devices is relatively simple: List an emergency contact and email address on your lock screen. She was letting me know, in case I got a call about the device.

Fortunately, all our devices are tracked using a family Apple account, so I was able to track her phone after she called. The phone was responding (hooray!). That was a big relief, as it meant that it was probably safe. It hadn’t been dropped in the snow, or been run over by a car. It also appeared as if it was stationary. I had to drop the kids at school (in a snowstorm!), but I had a free morning, so I had a chance to play detective.

After getting the kids to school (in a snowstorm!), I tracked the phone. It was still in the same place, reporting its location in downtown Toronto. I drove to the location, parked and visited a few retail establishments and asked if someone had turned in a phone. I phoned the phone in each place I visited. No luck.

The Find my iPhone app allows you to sound a chime on a lost device. It’s actually pretty loud. To this point, I have only used it to recover my iPhone when I lose it in the couch cushions around the house. I was starting to think that the reason the phone was reporting as stationary was that someone had taken it home or to work. I would have to wait and see if they turned the phone on and saw my number on the lockscreen and did the right thing.

As a last resort, I went back outside into the snow. I pulled out my phone and tracked my wife’s phone one more time. It was still reporting. It was still in the same place. I pressed the button to sound the chime and hoped for the best. I closed my eyes and listened. Fortunately, the snow had kept a good deal of traffic off the streets and it was relatively quiet.

I heard the faint, but distinctive sound of the Find my iPhone chime in the distance. I raced around on Queen Street to figure out where it was coming from. I ran across the street and it got louder. It was…. in a good old Canada Post mailbox!!

Luckily for me, I actually found the phone. The sound stopped about 5 seconds after I pinpointed the actual location of the phone. It turns out that despite a full battery, sounding the chime actually crashed the phone. So I got lucky in that I managed to get to the phone before it went silent. I don’t know if this is normal, but it is pretty disconcerting.

Now recovering something from a mailbox isn’t trivial. I’d probably be arrested if I tried to break into it. Customer service at Canada Post isn’t exactly equipped to handle a situation like this. After several explanations to a phone rep, they said the only thing they could do was hope it turned up along side other undelivered mail, at which point, I could file a report and attempt to recover it. Needless to say, this was somewhat frustrating. The phone wasn’t exactly lost anymore. I knew exactly where it was.

As a last resort I went into the Shoppers Drug Mart located there and asked if there was a post office inside. The postal worker there told me they couldn’t open the mailbox, but that a driver would probably be there within an hour or two to empty the box. I decided to wait it out (in a snowstorm!).

Sure enough, within an hour, I spotted a Canada Post truck across the street. The driver was emptying another box, but I managed to get to him before he got back in the truck. I quickly explained the situation to him. It didn’t seem to faze him a bit. He said people threw all kinds of things in mailboxes, treating them like a national “Lost and Found.” He said that mailbox was his next stop and to meet him there.

He asked me to identify the phone before he opened the box. I described it. The phone was dead, but after booting it, I showed him my number on the lockscreen, and he handed it over. Mystery solved and Happy Endings!

The lessons here though:

  • Make sure you have an unique, identifying feature on your phone’s lockscreen. In my wife’s case, There is a simple graphic with my phone number and email address on it.
  • Use the geo-location feature of your phone! Make sure you test it and know how it works. It can be a lifesaver.
  • Talk to people! Despite my dark thoughts about someone taking the phone and keeping it, the truth is most people will be helpful. I am forever in the debt of a Canada Post driver I will call K (in case he didn’t follow some protocol about property found in mailboxes). He was calm. He verified my story, handed over the phone and went on his way.

Digital Literacy for non-technical Employees

Nerd T-ShirtOr as I like to call it – Nerd Night School!

UPDATE: The first workshop we’re running is going to be rescheduled. Sorry for any inconvenience.

We who work in the field of technology are usually thrilled and fascinated by the pace of change. It helps us think and dream about the next big thing. We willingly sign on to learn about the latest technologies and services to help us do our jobs better: The latest programming languages, the latest online marketing techniques, new and exciting devices and gadgets.

In the midst of all this change, we can sometimes forget that others we work and live with aren’t as excited by technology and change. We express our surprise at people who don’t have the latest smartphones, don’t know or care about Instagram or Pinterest, or even have a GMail account. But in their careers and personal lives, the need to immerse themselves in the technology they live with isn’t as important as it is to us.

Beyond this lack of mutual understanding about technology being slightly (and often comically) annoying to us, we at also think it is a huge problem. Regardless of what industry you work in, do you think you and your employees will be doing more or less of their jobs online in the next 2 years? Do you think you will be using the same software? Isn’t technology going to change many aspects of the way you and your employees live and work?

Whether you’re as obsessed and excited by technology as we are, you can’t escape it. And a solid grounding in some technology basics makes people better managers, better employees and better all around people. OK, maybe that last bit is pushing it, but better technology knowledge among non-geeks will at least help everyone understand each other just that much more. And that’s a good thing for you, and your company.

So we decided to do something to address the issue.

The Concept

Nerd Night School is a series of workshops delivering technology learning in a relatively casual environment during off work hours.

The focus here is on practical learning taught by industry professionals. There may be some presentations, but if folks want to get the most out of the sessions, they should be prepared with their laptop and/or smartphone to follow along. By the end of the night, people should learn a few things, but also accomplish something relatively practical that improves their work or personal lives in some tangible way. That practical learning can be fairly diverse, ranging from linux commands to Search Engine Optimization to digital video production.

Who’s doing this?

Nerd Night School is being co-hosted by INcubes, a Toronto startup accelerator and by Several technical experts will be on hand to help participants follow along get through any practical activities.

What’s the first topic going to be?

One that is near and dear to our hearts – A workshop to help you improve your personal digital security, and protect yourself against fraud, identity theft and other digital dangers.

Most of us convince ourselves that the relatively careless way we conduct ourselves online is excusable. Excusable ultimately because we feel there is no possible way we can be targets. We’re just ordinary people. We don’t have tons of money or any state secrets that a hacker would want. Whenever people tell us that, we point them to the story of Mat Honan.

Mat Honan is a journalist for Wired. In 2012 he fell victim to what he describes as an “epic hack.” Hackers targeted him, compromised his Gmail account and his Apple ID. Then they proceeded to delete his Gmail account and remote-wipe the iPhone, iPad and MacBook connected to his Apple ID. They targeted his Gmail account in order to intercept a password reset request for his Twitter account. Once they had his Twitter account, his Gmail and his Apple devices were deleted, partly for fun, and partly to slow him down in his attempts to recover the Twitter account.

Why? Honan was an early Twitter user and had a 3-character handle (@mat). The hackers apparently thought that was cool and thought it would be entertaining and challenging to take over the account and start sending offensive Tweets. You can (and should!) read the whole story at Wired.

Much like a locked door and an alarm is not going to stop a determined thief, if you are targeted by people determined to compromise your digital life (email, social media, online banking), it may just be a matter of time before they succeed. HOWEVER, there are relatively simple, practical measures you can take to encourage more casual hackers to move on to another target.

We are going to detail the dangers, run through some practical suggestions and implement at least one of them in real time with whomever wants to follow along

2-step or 2-factor authentication is one of the best ways to protect online accounts. It combines something you know (a password) with something you physically have (in this case your phone). Even if an intruder has your password, systems that have 2-step sign in processes will challenge you for an additional bit of info that your phone either generates or receives by text or voice.

While you should enable it anywhere it’s offered, your online email is the most important place to start and it’s currently offered by Google and Yahoo and is in the works for Hotmal/ Our goal and mission is to have it up and running before you leave and improve your digital security immensely.