Encrypting the complete OS

Name: Steve Hopper
Date: June 30, 2008 at 19:21:42 Pacific
OS: XP Home SP2
CPU/Ram: 1.6Ghz with 1Gb RAM
Product: Sony VAIO PCG-K27
Comment:

I've recently decided to seriously consider buying PGP (for encrypting my OS). The one I'm looking at, Desktop Corporate, does it for the whole thing, boot files, EHD's, etc.

Assuming it's too difficult for me to install and manage and it gets out of hand, I assume all encryption systems likely afford means to unencrypt the system?

And if its own un-do didn't work, even Windows system restore couldn't un-do it?

Right now I'm only needing the EHD's and system encrypted, the IM and email stuff's un-necessary for my uses.

I'd just like to know if the laptop ever 'walks off', nobody'll ever be able to get at my stuff and they'll have to format and install their own system to use my machine.

I have plans to be able to set the BIOS up for zip drive booting and password log-ons, again from the pen drive, so's to know that the machine and EHD's data are actually secure (even from rootkitted keyloggers).

But how easy would it be to get into big trouble encrypting the entire system?

Regards and hap-e-trails, Steve Hopper




Response Number 1
Name: OtheHill
Date: June 30, 2008 at 19:39:40 Pacific
Reply:

Why don't you just get a newer computer that will boot from pretty much anything and will have much more security than your present Laptop?



Response Number 2
Name: HelpingGuy123
Date: July 1, 2008 at 05:42:50 Pacific
Reply:

Steve Hopper,

This whole idea of encryption is going to eat up the processing power.
So, if you have decided to go for encryption, be prepared to sacrifice the processing speed.

Good luck.

Technology Bytes Plus
http://learnitfast.blogspot.com



Response Number 3
Name: wanderer
Date: July 1, 2008 at 07:32:39 Pacific
Reply:

Encrypting data is one thing but encrypting the OS is another.

A keylogger will record your encryption password when you type it so that aspect isn't feasible. Prevention is the key here.

" if the laptop ever 'walks off', nobody'll ever be able to get at my stuff "

Better is bios password the hard drive if your bios/hard drive supports that feature.

http://www.laptoptips.ca/security/h...

Imagine the power of knowing how to internet search
http://www.lib.berkeley.edu/Teachin...



Response Number 4
Name: Sabertooth
Date: July 1, 2008 at 09:50:59 Pacific
Reply:

May not be an option on your particular notebook, but something relevant--from Sony--to your system breach inquiry.

http://vaio-online.sony.com/prod_in...

Jabbering Idiots: Everywhere You Look!



Response Number 5
Name: Razor2.3
Date: July 1, 2008 at 11:02:50 Pacific
Reply:

Well, if you're going with total system encryption, I suggest TrueCrypt. It has its own boot loader, so software-based keyloggers shouldn't catch your key.

Then again, if a keylogger is on your system, your encryption key is the least of your problems.

Oh well, onto the questions:
"Assuming it's too difficult for me to install and manage and it gets out of hand, I assume all encryption systems likely afford means to unencrypt the system?"
You'd either need the key, or a long (long) time to run brute force attacks. So don't forget it.

"And if its own un-do didn't work, even Windows system restore couldn't un-do it?"
Correct, and attempting to run System Restore would remove the TrueCrypt drivers. This means Windows itself wouldn't be able to access the drive. I'm not sure what you'd do in that case. Maybe use a live CD w/ TrueCrypt installed to manually add the drivers back? Running the emergency TrueCrypt boot CD to decrypt the drive would probably be the easiest.

"Right now I'm only needing the EHD's and system encrypted, the IM and email stuff's un-necessary for my uses."
It goes by partition, so you don't get much of a say in this matter.

"But how easy would it be to get into big trouble encrypting the entire system?"
Don't forget the password. Just don't forget the password. That said, this guy says it's kinda hard to screw up. The biggest issue is with recovery software; namely, it won't be able to see your data nor OS.

EDIT: "I'd just like to know if the laptop ever 'walks off', nobody'll ever be able to get at my stuff and they'll have to format and install their own system to use my machine."
The smarter ones do anyways, to remove any tracking software installed.





Response Number 6
Name: Steve Hopper
Date: July 1, 2008 at 11:15:00 Pacific
Reply:

Thanks for the replies.

OtheHill -
Keeping the machine avoids all the hassles of dealing w/new rqmts and issues. As for surf security, seems that'll always be an issue, thus my aim to minimize risk w/what I've got.

HelpingGuy123 -
Have you any first hand dealings w/an encrypted OS and EHD's? If so, what are examples of performance loss you've seen? Example: A business letter or mp3 song takes 30 secs to save as opposed to 5 secs w/o encryption? Or might videos well require unencryption before the OS's player will play them?

wanderer -
Are you saying that booting from a zip drive (with scripted zip drive entering the log-on pwd) is impossible or that if booting and entering the pwd that way (avoiding the keyboard), that still a keylogger's data is still useful? I'm understanding that so long as the pwd is never "typed" (using the system's keyboard), that anything going in or out of the system is coded (unless manually and specifically set otherwise, like for e-mails, etc.). In other words, the user has full control of what's encrypted and what's not. That indicates to me, any keylogger (never having the log-on or encryption key) is fully thwarted. As for Bios pwd's, so long as the keyboard's not used to enter the original pwd, it too's secure. No?

Sabertooth -
Appreciate the interesting Sony link. Sadly Sony's burnt its bridge w/me, ie; zilch for ever providing any true support and w/exception of the machine's Hitachi HD and LCD screen, all else Sony provided this system are substandard mechanicals like keyboard, USB receptacles, etc., not to mention their proven propensity for embedding media spyware shackling slugware.

All -
I'm still hopeful responses will address my interests and concerns.

Again, assuming I get PGP properly set up, can it be un-done if functionability is unacceptable, performance wise?

Also, is Windows system restore still functionable w/encryption on the system (assumably one needs to disable the encryption processing during actual uses of SR)?

Regards and hap-e-trails, Steve Hopper



Response Number 7
Name: OtheHill
Date: July 1, 2008 at 11:27:13 Pacific
Reply:

Steve

I am assuming this is the same computer that you need to boot to a USB drive? Taking that and the security issues, a new laptop would solve both of those issues.

As wanderer implied, all new laptops have pretty tight security.

Encrypting files has its own set of issues. Under certain situations you may not be able to recover encrypted files.



Response Number 8
Name: Steve Hopper
Date: July 1, 2008 at 11:55:20 Pacific
Reply:

Thank you for reply.

While a new laptop might be nice, again given the present one's stability, the hassles of dealing with bloatware and new regiments, I don't see it as necessary when considering the machine's still physically reliable and there will always be a need for newer security features.

Also, I believe many users are resolved to simply backing up their data, trusting that should the system be compromised, it can just be formatted and re-installed.

Plus again, many aren't buying in on the assumption that newer is better, especially since we can just surf safe and set the machine up to preclude access by unauthorized privileged accounts and/or to provide for the uncertainty that a keylogger can be on the system.

Regards and hap-e-trails, Steve Hopper



Response Number 9
Name: Razor2.3
Date: July 1, 2008 at 13:13:04 Pacific
Reply:

You respond to everyone, except me? I'm sad now. :(



Response Number 10
Name: Steve Hopper
Date: July 1, 2008 at 14:16:19 Pacific
Reply:

Thanks for the reply.

Somehow I missed it until now.

So Windows system restore does/does not function on an encrypted system, regardless of whether or not the user first turns off the encryption just prior to using SR?

As mentioned, I understand that booting from a disk or preferably zip drive, should assure keyloggers are disabled, but I can't conceive their data as being of any use even if it gets off the system (ie; it's encrypted right?).

Besides with either a good external firewall, router, and/or proxy set up, I can't imagine even a keylogger already in-place, being able to do much more than disable or muck up the system, right? Ergo, the cat would be out of the bag and formatting called for.

As for EHD's, PGP Desktop Corporate touts a feature (much as you mention for TrueCrypt) which I assume either prog's can be turned on and off, so as to (if someone desires) to not encrypt and use an EHD on the system?

Again, anyone have any input on media usage on encrypted OS's (does the encryption pose issues playing back media)?

Regards and hap-e-trails, Steve Hopper



Response Number 11
Name: Razor2.3
Date: July 1, 2008 at 15:09:34 Pacific
Reply:

"So Windows system restore does/does not function on an encrypted system, regardless of whether or not the user first turns off the encryption just prior to using SR?"
With full drive encryption, Windows needs special drivers to handle reading the encrypted drive. With SR, you run the risk of rolling back to the point before you installed those drivers. That will result in Windows' death. Otherwise, there is no difference.

"As mentioned, I understand that booting from a disk or preferably zip drive, should assure keyloggers are disabled, but I can't conceive their data as being of any use even if it gets off the system (ie; it's encrypted right?)."
The file itself will be encrypted, yes, but the logger itself will be able to read, and send, the data in an unencrypted state.

Also, I'm not sure where this notion of keyloggers being rendered moot by external boot devices comes from, but it's incorrect.

"Ergo, the cat would be out of the bag and formatting called for."
Yeah, that's the gist of it.

"As for EHD's, PGP Desktop Corporate touts a feature (much as you mention for TrueCrypt) which I assume either prog's can be turned on and off, so as to (if someone desires) to not encrypt and use an EHD on the system?"
I don't think TrueCrypt works by volumes (or files pretending to be volumes), not files. That means there's no way to turn encryption "off," except for decrypting the drive. However, just because one volume is encrypted, doesn't mean they all are, and the system knows the difference.

tl;dr: If you encrypt your HDD, it doesn't mean you'll automatically encrypt Zip drives or CD's.



Response Number 12
Name: jefro
Date: July 1, 2008 at 15:10:06 Pacific
Reply:

You misunderstand the issue. You don't encrypt an OS. You can encrypt a filesystem (or folder/virtual filesystem) to a point. You can't encrypt an OS as such. Many linux distros offer a way to use an encrypted file system. They have to leave enough of the OS outside of the filesystem to allow the computer to boot enough to know how to handle an encrypted filesystem. MS offers a way on its systems to encrypt parts of the filesystem with a very secure scheme.

As others have pointed out there are limits that could allow a hacker with access to the system to bypass almost all security. Any local access can bypass all controls.

There are similar products that protect laptops as stated above that are very difficult if not impossible to crack from the outside.

You are better off with maybe a live knoppix cd and don't do things that one would need such controls.

"Best Practices", Event viewer, host file, perfmon, are in my top 10



Response Number 13
Name: Razor2.3
Date: July 1, 2008 at 18:52:34 Pacific
Reply:

Actually, jefro, TrueCrypt can encrypt almost the entire OS partition. The only thing left unencrypted? The boot loader.



Response Number 14
Name: jefro
Date: July 1, 2008 at 20:41:12 Pacific
Reply:

My only point was really the way the term encrypted OS keeps popping up. You can't encrypt as such an OS. You encrypt a filesystem or some smaller part of.

Different schemes on the lock scheme produce different results in operation.

How is a partition different than a filesystem/ virtual filesystem? A partition is nothing to an OS without a filesystem formatted to it, unless you use it raw. It is rare that one would use a partition as a raw device.

I still prefer live CD's. With few exceptions your work and almost all traces will be removed with the power. Little kids can use them and no password is needed. Just can't store data unless you secure it. It is hacker resistant too. NOTHING is secure, that is why we have patches. BSD is claimed to be the most secure but that is only the OS and no other packages, even simple ones like telnet or ftp.


As stated by others, security is a group of processes. All can be overcome by some method.

If you ever worked on crypto gear or top level security you'd know the limits of any security scheme. One normally only limits the time a secret is a secret.

"Best Practices", Event viewer, host file, perfmon, are in my top 10



Response Number 15
Name: Steve Hopper
Date: July 2, 2008 at 02:37:30 Pacific
Reply:


Thanks for replies. I think my questions are answered. Forgive any reiteration and a bit of blogness, but to be sure we're all of the same opinions...

If I understand what I think we're all saying, PGP's software likely includes the Windows drivers supporting Windows SR (a good thing to know before installing).

And it seems logical that one shouldn't try restoring to a point before the encryption software was installed unless first running the uninstaller for 'PGP' and that's assuming it's capable of such un-doing, and lastly, unless the un-encrypted system ended up bunky, there'd likely be no need to run SR.

As for..."the logger itself will be able to read, and send, the data in an unencrypted state"..this surprises me in as much as I thought a fully encrypted system, good firewall and AV program should be detecting all out-going traffic, and what with firewall rules designating only known and so trusted processes, I sure thought loggers can be crippled by such a set up.

Again, unless I read things wrong, the consensus seems to be that even if booting from zip drive (or CD), plus logging on w/o a keyboard (scripted password entering), still a logger can access the pwd and ergo, the os?

Then lastly of potential concern is that if a system's been hacked, what to do about re-gaining a secure system?

It seems the biggest threat to an OS is the OEM platform having provided the perfect nesting place for spyware, the system restore directories.

By that I mean, if I understand things right, the OEM's protected partition or directories have to be hacked to format/clean them, right?

And then the user must re-build the system using an XP disk and until running something like open source AV, or at least running one of the most trustworthy AV's (like eEye), then anything already having gotten in the back way, can't be purged.

That then leaves just the ActiveX backdoors, but assumedly that risk is mitigated by installing only known trustworthy app's (after checking the installer file's integrity).

If so, I'm assuming that a prudent user's only option is to format the OEM's aspects of the OS, only then I believe a fresh install using an XP disk, installing patches while carefully installing the OEM software (those needing installed both ahead and behind certain MS patches), then incorporating security hard and software (using an external firewall and router, plus proxy), running on-line w/o privileges, always booting off of a CD-ROM (or zip drive) and thereafter inspecting the hard drive for malicious tampering, are all the likeliest means of avoiding a compromised OS, no?

As for CD's, nearly everyone I talk to is set on their use as opposed to a zip drive which's far more durable/reliable and portable. Am I missing something that makes a CD better to use for booting, etc.?

Regards and hap-e-trails, Steve Hopper



Response Number 16
Name: OtheHill
Date: July 2, 2008 at 05:29:17 Pacific
Reply:

Where did you get the idea that Zip drives are more reliable?

Zip drives are nothing more than oversize floppy drives. Both contain fragile magnetic media. Optical drives store data via pits in a metal surface and are not vulnerable to a magnetic field. Optical media should last much longer too.

The other issue with Zip drives is the lack of user based drives to actually read the media.



Response Number 17
Name: Steve Hopper
Date: July 2, 2008 at 12:56:18 Pacific
Reply:


Thank you for replying.

Apparently that's my misnomer. I thought I'd read that booting from USB pen drives via a so configured BIOS's 'boot from zip drive' afforded my intent.

As such, it seems I got the idea that in general, all USB pen drives, memory sticks, etc., might be referable as a zip drive.

So I meant to say I'm finding it curious that most who boot from external sources, prefer doing so with CD's (as opposed to a properly formatted USB pen drive or Sony memory stick).

As for 'formatted' pen drives, I'm assuming that as I've succeeded in creating a virtual exact copy of my OS's OEM Recovery Disk (CD-ROM), in that I believe both the CD-ROM and now the pen drive are detected as a CD-ROM format.

As such, assuming that should someday the system fail to boot, either the default prompts for loading drivers will customarily offer the use of browseable boot 'disk' sources (USB as opposed to an optical drive), I'm hopeful that the pen drive's boot files would be accessible.

If the default system doesn't afford navigating to the boot source, then it seems that before such an event is encountered, I'd otherwise be left to manually reconfiguring the BIOS to boot from a USB port, but I've yet to find anyone familiar enough with the Phoenix BIOS so that they can help me configure it that way (assuming that's possible and assuming the pen drive's files were properly installed on the pen drive).

I'd be willing to test it out, assuming it is safe to do so, as long as I'd not be risking locking myself out of the system if the attempt failed (maybe none or only some of the needed drivers loaded, etc.).

I say that as the original optical drive (as still the BIOS is set for using) has been removed from the laptop, and I find the BIOS options don't seem to list booting from a zip drive or USB port.

But I'm just not familiar with the Windows systems default emergency boot schemes, as do or don't they usually afford detection of a USB optical drive (other than what the BIOS is set up for), or would it recognize the device was missing and prompt for navigating to the USB optical drive?

If too risky, then it seems I need to figure a way to re-configure the Phoenix BIOS to boot from a USB port (optical drive or pen drive).

So if it's possible to have properly transferred the OEM's Recovery Disk (CD-ROM), such that its auto start recovery files actually load via that pen drive, that would certainly be something I'd need doing before encrypting the OS, because right now, as far as I know, I'm w/o any means to emergency boot.

Again, kudos for all hanging in here with the extended and now a bit off topic post.

Regards and hap-e-trails, Steve Hopper



Response Number 18
Name: Sabertooth
Date: July 3, 2008 at 07:34:27 Pacific
Reply:

Steve,

I think you are thinking so far out of the box that you seem to be missing the big picture. Electronic equipment--with emphasis on computers--theft is a crime of opportunity: Removing the opportunity variable takes away the incentive to virtually all but random perpetrators...this is why the notebook & very soon UMPCs are "hot" items.

Now, to the owner of the equipment, the impact of the machine loss varies. In most cases, it is a material loss, in others it is more about the inconvenience burden. In the most serious situation, it is everything about the data on the machine & the possibility of it getting in the wrong hands.

Depending on what your real objectives are & where you fall in the categories from above & how far you are willing to spend/go to recover the equipment or if at all should determine what type of security to deploy on your machine.

My guess is ... you won't need an over-the-top encryption. There is an abundance of encryption tools out there some even free that may be sufficient enough for you. But one thing that's been real effective with laptops is the HDD Password Scheme, it has turned a lot of stolen notebooks into boat anchors, not just for the original thief but also the potential buyer(s) looking for a steal .... pun unintended!

Jabbering Idiots: Everywhere You Look!



Response Number 19
Name: OtheHill
Date: July 3, 2008 at 07:46:11 Pacific
Reply:

I totally agree with Sabertooth. That is why I suggested upgrading.

I skimmed back over this thread and apologize if I missed someone's comment related to what I am about to state.

Steve, the only sure way to keep sensitive data out of the wrong hands is to not put it on the computer to start.

I purchase goods online frequently. I never allow a site to save my credit card information. I also don't have that info, my SS#, bank account #s, etc. on my computer. The simple fact is that data is vulnerable if present. Those practices don't totally shield me but they do reduce the chance of loss.

If your computing habits include any or all of the above I suggest you rethink how you use your computer.



Response Number 20
Name: Steve Hopper
Date: July 3, 2008 at 16:08:39 Pacific
Reply:

Thanks for replies.

I don't keep sensitive stuff on the system anyway, but as the VAIO's still got some 2 yrs reliable use left in it, I'll only get something new then.

But again I have to say, what w/what I'd read, I'm surprised the consensus is that a keylogger can't be 'crippled' by means I've been led to believe do.

Of note, I just picked up a new Corsair 16GB flash drive (Voyager) which seems to have stealthily installed an unlisted and undisclosed 'usb hotfix'.

hotfixq0306270.exe running in my task mgr, listed in add-remove progs (w/o an uninstaller) and also sat in my system32 folder.

Fortunately I stumbled across the means to uninstall it before booting with it on the system.

I simply used my old (4GB) Corsair's InstallShield to run their USB driver install.

Its running prompted the need to uninstall all older files, then the customary notice of the need to re-boot.

Without yet re-booting, all the 'hotfix' files are no longer evidenced.

But until it's broke, I'll not fix it and besides, it really gets me when stuff's installed w/o notice and moreover no uninstaller, nor even disclosure of what the thing is.

All I could find out was that it is reportedly a USB hotfix supplied by the Chinese and Taiwan, that and a size and MD5 for it. Nothing else!

Regards and hap-e-trails, Steve Hopper



Response Number 21
Name: OtheHill
Date: July 3, 2008 at 18:36:41 Pacific
Reply:

If you don't keep sensitive stuff on there why are you so worried about getting hacked?



Response Number 22
Name: Steve Hopper
Date: July 3, 2008 at 19:33:59 Pacific
Reply:

We all store data on our systems and at some point we decide what our comfort zone is. That doesn’t mean we deserve what we get for being compromised after we do our best at protecting our valuables and it fails.

I think it should have gone w/o saying, but as you’ve asked, sensitive means something that we're unwilling to risk exposure (ie; unmanageable repercussions).

Then there's data we accept risking loss or exposure based on the degree of likelihood it can be so compromised (ie; loss, etc., is manageable to the degree the user is comfortable in dealing with).

I’m sure the wise user is intelligent enough to store sensitive data on more safely securable devices (ie; other than a machine, removable devices like disks and drives), but the data has to pass through a machine first.

Obviously if we’re talking State secrets or whatever, the machine never sees an internet and it is secured at all times and it might need absolutely nothing more for security, but your question seems to be trying to drive home the aspects of eliminating the need for security, so where is it you draw the line in determining what's needed on a system and what's valued enough to protect?

At some point, I think you'll agree that a machine deserves, needs and requires protection and most do the best we can with what we have. I just hope that nobody sees that as asking for it.

Regards and hap-e-trails, Steve Hopper



Response Number 23
Name: Razor2.3
Date: July 3, 2008 at 19:34:10 Pacific
Reply:

Listen, the point of encrypting your data is to reduce the chance of someone exploiting your data without your consent.

The point of encrypting your OS is to reduce the chance of someone loading said OS without your consent.

Neither has anything to do with typical, Internet-based hacks. They have everything to do with people who have physical access to your computer.



Response Number 24
Name: Steve Hopper
Date: July 5, 2008 at 11:02:59 Pacific
Reply:

Thanks for replies.

Perhaps I should've tagged my last response to Sabertooth, ref his last reply which seemed to indicate concern as to why it was I was posting the subject and/or why one encrypts.

Razor 2.3
Appreciate the response. First read, I thought you might've thought I had some misconception about the why one encrypts, but after thinking more about what you related, I have to believe you're simply agreeing with my response to Sabertooth.

If on the other hand you've detected something I've said that seems in need of correction with regards to my understanding as to why we encrypt, I'm not sure what you're referring to.

Regards and hap-e-trails, Steve Hopper

