Netbook security – Still inadequate
I’ve been roundly disappointed by the Xandros Linux build on my 20GB Eee PC 900, but not quite enough to remove it. Ubuntu et al take far too long to boot; Moblin shouldn’t work, given its new Atom requirement; Windows is too bloated and slow to boot, although it would be okay with a conventional HDD & hibernation mode; OpenSolaris is only barely supported; Android’s still rather ugly and limited. None of the options are appealing enough to warrant a switch, but Asus’s Xandros repositories are extremely lacking in timely updates. More importantly, although the device is intended and, in my case, used as a secondary and more travel-friendly computer, it lacks even the most trivial level of data security. Out of the box it supports but doesn’t require authentication for the user, never requires authentication for a ‘sudo,’ and lacks any sort of full-disk encryption solution. The first two problems aren’t impossible to remedy, but I’ve had to go back to an unauthenticated state due to the device’s rare, intermittent refusal to recognize its own mouse on boot and refusal to allow a soft-shutdown from the standard login screen. The lackluster login prompt is simply a screen-blocking application launched after the WM, leaving it open for attack as well. Obviously neither of these is a problem in Ubuntu or Windows, and I’d be shocked if they were issues in Moblin et al.
The third, however, is a much bigger problem and present not only in my first generation device but in the second and the newly announced third generation, as well. This is more than a little bit disappointing. Given that some tests show up to a 45% performance hit at peak degradation, I understand that the Celeron & Atom class processors probably shouldn’t be expected to do this work and still manage to play SD video without stuttering (HD’s out of the question in the first and second generation, and most of the third). I do not, however, understand why no vendor has whipped out an enterprise-class netbook with hardware-based encryption.
As stated elsewhere, a netbook is a much greater security hazard, not only due to configuration-related user behavior, but because netbooks are designed to be moved about more and to be used in public more often than a normal laptop. Given the massive damage that can be done to a person that just loses control of an email account, much less cached banking passwords and information, this is just simply unacceptable.
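Two of the gaps described above, sudo that never asks for a password and storage with no encryption layer, can be checked on any Linux host. The script below is an added example, not part of the original post or of Xandros's tooling; the function names are hypothetical, and the sample sudoers lines and fake sysfs tree are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check for sudo without
# authentication and for a missing dm-crypt layer under a block device.

# Print sudoers rules that disable the password prompt (NOPASSWD tag or
# "Defaults !authenticate"), skipping commented-out lines.
# $@: sudoers files (on a real host: /etc/sudoers /etc/sudoers.d/*)
sudo_nopasswd_rules() {
    grep -hE '^[^#]*(NOPASSWD[[:space:]]*:|![[:space:]]*authenticate)' \
        "$@" 2>/dev/null
}

# Succeed if block device $1 (kernel name, e.g. dm-1) or anything beneath
# it is a dm-crypt mapping. cryptsetup gives such mappings a device-mapper
# UUID starting with "CRYPT-". $2: sysfs root (default /sys).
has_crypt_layer() {
    local dev=$1 sys=${2:-/sys} uuid slave
    uuid=$(cat "$sys/class/block/$dev/dm/uuid" 2>/dev/null)
    case $uuid in CRYPT-*) return 0 ;; esac
    for slave in "$sys/class/block/$dev/slaves"/*; do
        [ -e "$slave" ] || continue
        has_crypt_layer "${slave##*/}" "$sys" && return 0
    done
    return 1
}

# Constructed sample data: a sudoers file and a fake sysfs tree in which
# dm-1 is an LVM volume on top of LUKS (dm-0) and dm-2 sits on a bare disk.
demo=$(mktemp -d)
printf '%s\n' '# user ALL=(ALL) NOPASSWD: ALL' \
    'user ALL=(ALL) NOPASSWD: ALL' 'Defaults !authenticate' \
    '%admin ALL=(ALL) ALL' > "$demo/sudoers"
b=$demo/sys/class/block
mkdir -p "$b/dm-0/dm" "$b/dm-1/dm" "$b/dm-1/slaves/dm-0" \
         "$b/dm-2/dm" "$b/dm-2/slaves/sda2" "$b/sda2"
echo 'CRYPT-LUKS1-0000-home_crypt' > "$b/dm-0/dm/uuid"   # placeholder UUID
echo 'LVM-0000' > "$b/dm-1/dm/uuid"
echo 'LVM-0001' > "$b/dm-2/dm/uuid"

echo "rules that skip the sudo password prompt:"
sudo_nopasswd_rules "$demo/sudoers"
for d in dm-1 dm-2; do
    if has_crypt_layer "$d" "$demo/sys"; then echo "$d: encrypted"
    else echo "$d: NOT encrypted"; fi
done
```

On a real machine, pass the kernel name of the device behind a mount point (for example the basename of `readlink -f "$(findmnt -no SOURCE /home)"`) and omit the second argument so the real `/sys` is used.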
Why hasn’t anyone jumped on the opportunity to utilize VIA’s Nano in an enterprise-class netbook for its hardware AES support? Why hasn’t anyone announced a single product incorporating disks with integrated encryption? Why hasn’t anyone linked the prior two options to facial recognition with a preexisting, standard-issue webcam? Why does even Lenovo, who makes it nearly impossible to buy a regular laptop without widely supported cross-platform, biometric full-disk encryption (and single sign-on in Windows – scan your finger once at boot time, and that’s it) refuse to ship even its high-end IdeaPads with biometric scanners, much less their netbooks? Why on earth haven’t the most travel-friendly class of real computers had this feature available, at least as an option, from the beginning?
Samsung and UPEK offer two slight glimmers of hope, but both are long shots. Neither company managed to bring a single vendor in at the initial announcement, and neither has made a single related announcement since. ASUS offers another, but misses the mark. Fujitsu hits it, but in an OS-specific manner and at an incredible cost.
- UPEK, the makers of the biometric scanners found in ThinkPads and a handful of ASUS products, recently announced a netbook-centric marketing push. Announced in February, it apparently missed any mention at all at CES 2009 et al.
- Samsung announced a new class of SSDs with integrated full-disk encryption, but announced it during CES 2009. They get a pass for now, but with no pricing data or announcements of OEM sales, it’s difficult to tell how much hope to pin on this one.
- ASUS’s high end Eee PC 1004DN actually has another vendor’s fingerprint scanner onboard, but they haven’t announced if they’ll half-ass its implementation like the OS authentication-only scanners in HP laptops or if they’ll use it to provide real data security. AuthenTec’s press release seems to imply that that will, sadly, be the case. Note their stress on “file and folder” encryption – Integrating biometric-backed Windows authentication with the per-file encryption already supported by the OS is nice, but doesn’t come close to cutting the mustard in an enterprise setting.
- Perhaps the only option that’s currently on the market is Fujitsu’s old pre-netbook-fad LifeBook P1630, but even its solution is just a fingerprint scanner that can communicate with a Microsoft Trusted Platform Module, only truly useful with high-dollar builds of Windows Vista and Windows 7. The product predates the Atom, and starts at an incredible $1800 USD.
(Quick side note to Fuji and other biometric-friendly OEMs: You people do realize that a thief can have access to all the data on a laptop that only has OS and BIOS level biometric or password authentication through a quick BIOS reset and possessing a LiveCD, right?)
This situation should improve at some point in the not too distant future, but the present outlook is a bit bleak. Until then, I honestly don’t see the point to picking up another netbook until a vendor-supported solution to this problem is made available, although home-partition encryption through DM-Crypt in Ubuntu might work as a stopgap. I will, however, be first in line to order a machine with Moblin or something similarly snappy at boot time that manages to allow for a single authentication in the boot process, both for decryption and OS authentication à la my old ThinkPad. I’d give my left pinky for a device that pulled that off and gave me an Nvidia chipset or a VIA-compatible chipset with similar GPU performance. Lenovo, are you listening?
PS: One last thing to think about: Would one of the new Tegra smartbooks or other Nvidia-related products have enough of the work of video decoding shifted off of the CPU to allow for software full-disk encryption and HD video playback without a problem? Wouldn’t want to be the first to try and find out, but that’ll be interesting to see as well. Still not adequate for consumers at large, though. We shouldn’t expect a non-system admin to independently install TrueCrypt et al by default.