I wonder how many people lock their laptops because they’re worried about “hackers” versus how many do it because they have an obnoxious friend. Don’t want to get hacked? Don’t be friends with this guy.
Or don’t install bash.
One company I worked at deliberately cultivated a culture of “if someone leaves their laptop unlocked you send a silly email to the company-wide list”, similar to Google’s “tailgate someone and they buy you lunch”. It was much more effective at getting people to lock their computers than sending monthly emails about it, and people tended to be creative/funny about it rather than obnoxious (or maybe that’s just a difference in perception).
Not sure if we worked at the same company, but same situation for me at a past company. I took a screen shot of my desktop and set that as my locked “screen saver” to trick people into thinking I was leaving it unlocked when I would get up to leave my desk. It was a real laugh.
Where I work, you’ll almost definitely end up with some crazy wallpapers or other inconvenience (like accessibility tools on, or rotated displays, or disabled mouse/keyboard) if you leave your computer unlocked. It’s mostly just a fun way of making sure people don’t leave their computers unlocked, though afaik it isn’t officially condoned by the company.
If the article had said coworker instead of friend I probably wouldn’t have thought twice about it. I think it depends on the context and the result as to whether doing this sort of thing is obnoxious or not.
I have xscreensaver set to start/lock after 10 minutes and I don’t immediately lock my computer every time I stand up because my threat model doesn’t include a crack team of hacker-ninja paratroopers crashing through the roof the second I leave the room. And I’m not going to lock my computer when I leave it unattended with a friend (who I presumably trust) around just on the off chance they one day get exposed to red kryptonite and decide to steal my ssh keys. But if my friend Bob decides I need to see the error of my ways and start taking the threat of flying computer ninjas and mind-altering comic book rocks seriously, and changes my terminal font to comic sans every time I run outside to catch a pokemon, assuming I couldn’t just change the locks or fake my own death to get rid of Bob, I’d start locking my computer – but only when Bob is around. So in this case there is no real threat, Bob has become the only threat by trying to demonstrate that there is a threat, and the result isn’t useful. Bob is being obnoxious.
In a workplace, that coworker who is sending that company-wide email professing your undying love of Taylor Swift could just as easily be harbouring a grudge from that time you forgot their birthday 5 years ago and instead send corporate secrets from your machine in an attempt to get you fired. In this case, after putting up with people breaking into Shake It Off every time you enter the room for a week, you’re likely to start locking your computer at work. And others might learn from your mistake. So there is a real potential threat and the shenanigans produce a real, useful result.
The author doesn’t state the context, but I have a feeling that any situation where a friend leaves their laptop unattended and unlocked and another friend is able to run this script is going to be closer to Bob than Taylor Swift.
I don’t immediately lock my computer every time I stand up
Why? You’re being sarcastic and I get your perspective, but consider this. It takes a key combination to lock your computer, so what’s stopping you?
The largest threat to any company are malicious insiders, whether they’re disgruntled employees or “agents”. Why take the risk?
Additionally, if you were being targeted, it would be as simple as following you around to a coffee shop, distracting you/waiting for you to get up and get your latte, and running a single command like in the post. If you always lock your computer, you’ve thwarted that vector.
With full disk encryption on by default, a locked device is hard to break into. Look at Apple v. FBI.
Up your OPSEC!
I think some people feel psychologically more relaxed when they aren’t thinking constantly about such threats. I think that’s valid.
I’m in the opposite camp; I can’t stand up without reflexively locking my screen, because I’d be too stressed if I forgot to.
Neither of these is an actual security posture. :)
It takes a key combination to lock your computer, so what’s stopping you?
The key combination to unlock it is a lot more complicated :-)
I’m not saying I leave my laptop unlocked and unattended in coffee shops, where I’d probably be more worried about it being stolen than someone messing with it anyway, just that I’m not sure locking my computer whenever I go to make a cup of tea is going to change anything.
Because unlocking a computer requires a password which is easily spied upon, and then used for more mischief later, when I really do want my laptop locked.
Yubikey has a (poorly written) Windows app to allow you to login with a tap.
It’s a nice flow, they don’t advertise it at all though. If anyone has a Yubikey I recommend checking it out.
With full disk encryption on by default, a locked device is hard to break into.
Not if the device is a computer currently holding the decryption key in RAM external to the CPU, which is typically the case when a screensaver is running.
I lock it because I’m that guy. I once changed a coworker’s keyboard layout to turkish when he was away and in turn he switched my system region (not language, not keyboard) to Japanese… I only noticed weeks after because the weather widget in my start menu was in Japanese.
Ok that’s stupid, the real reason I do that is because I don’t want people peeping on my IM logs, we tend to be talkative between coworkers and some topics are private, that’s all.
This is why I’ve setup this page and browse to it when friends/colleagues don’t lock their devices. Simpler and gets the point across.
If you do this you are the problem, not the solution.
You should absolutely be locking your laptop when you turn away from it, and you should lock your phone every time it isn’t directly in front of you, including if it’s in your pocket or bag.
That said, please don’t do what the author did. That is a full blown C2 (command and control) driven RAT (remote access tool, aka trojan). It is a bad idea to do this if you don’t want there to be a huge hassle when someone overreacts at your joke. Consider that all the infrastructure is tied to you and Heroku has no qualms about cooperating with an investigation. The CFAA is not to be fucked with.
I work from home and I still lock my laptop when I walk away. It’s a habit by now
Closing one’s laptop is perhaps the easiest if you’re running OSX. For the life of me, I cannot understand why there isn’t a fast lock hotkey for OSX (like Ctrl + Alt + L [Ubuntu variants] or Win + L [Windows]).
Ctrl + Alt + L
Win + L
The closest thing OSX has is Cmd + Opt + Power, which puts the machine to sleep. This isn’t useful if I want to step away from my machine while I’m SCP'ing a large file to a remote server! Just because I’m stepping away from the physical machine doesn’t imply I want it to go to sleep.
Cmd + Opt + Power
There is a hotkey: Alt+Shift+(Eject or Power, depending on your Mac). You just have to set up in system preferences that after monitor shutdown, it has to prompt for a password.
This way, the screen will turn off and when you reactivate it, it will ask for a password.
Ah sorry, yes! It’s been a while since I’d last used my Macintosh computer.
Thanks! Can’t believe I never came across this particular hotkey after all this time of using a Mac :)!
On my Mac I configured a hot corner to lock the screen, so I just swipe the mouse down to the lower right corner of the screen and it locks immediately. Here’s a tutorial: http://it.emory.edu/security/screensaver_password.html
I use Alfred (Spotlight search replacement), which has a lock command, along with other useful commands like eject.
I have a good story about this. Once I left my facebook logged in around my friends and one of them set it so all my facebook posts were private, except for to my brother.
Because my brother was still replying to me it remained like this for 1.5 years. After I finally realized, and made a post, I got 20 thumbs up. I had just assumed nobody was interested in what i was saying.
Don’t you need some kind of password to curl x | sh?
Additionally this ‘hack’ requires physical access to the device, I am sure a ‘hacker’ who is actually friend with the target and is sitting right next to him 8 hours a day at work can come up with some way to ‘hack’ the device even if it is closed.
What’s key here is not the ‘hack’ itself but the social relationship between the target and the ‘hacker’. You could ‘hack’ the target’s brain in this scenario by rabbit sucker punching the target from behind. It would be like running rm -rf on his brain.
No, as long as stuff stays in user space. And while there’s certainly a lot of interesting stuff when you got root access, you can set up interesting stuff without it. For example something that reads all changes to the accessible file system and sends them to your server. On an operating system that is just used by one user, that is already almost everything.
And if you really need root, install an X11 event logger and wait until the user types the root password.
On OS X? :)
Without jest, that’s one of the biggest issues I see with Linux: X11s (lack) of isolation.
Don’t know how Aqua works.
X11 is indeed horrible in many respects. And even without it, Unix lacks isolation (see peekfd(1) on Linux or watch(8) on FreeBSD).
Recently xorg started to run as my user on all my (sid) Debian machines. This broke stuff for me, since I’m not using a display manager nor whatever HAL is called today, etc. I just do startx and I have my .xsession exec a window manager.
The takeaway is that xorg doesn’t (or soon won’t) run as root on Linux anymore. :)
The problem is not the user X11 runs under, but the level of isolation between X11 applications.
Closing my laptop doesn’t stop someone from drive by insertion of things like a trojan usb stick or thunderbolt device.
Those things can as bad if not worse than someone logging in. If you don’t want to get hacked in that case, never leave the laptop out of your sight.
It certainly does stop those attacks though! Your computer won’t do anything with a device if you’ve closed to the lid.
Also OS X/macOS doesn’t autorun media like Windows does, and even Windows' autorun is disabled by most companies' policies. Linux systems don’t give a hoot when you plug in a device.
If you’re thinking of a teensy/rubber ducky style attack where the USB device emulates an HID input, those are also thwarted because you can’t do much from a lock screen besides login or shutdown.
The Thunderbolt/FireWire DMA attacks are worrisome, but if your system is even mildly up to date you’ll be fine.
The greater risk is someone casually leaving a USB drive on your table and expecting you to plug it in and double click sexy_pics.jpg.exe :)
It certainly does stop those attacks though!
It would, if USB were secure.
I don’t think that’s relevant. A USB device with tampered firmware isn’t going to do anything worse than a device designed to be malicious.
Oops, wrong link. I meant something more akin to this. (I’ve only heard about USB host-side kernel and firmware bugs in general terms, never looked into it in depth.)
Heh, yeah, the idea that if you just lock it you’ll be fine is kind of victim-blamey. Security is really, really hard, and it’s debatable whether any existing hardware is secure against a prepared attacker who’s got physical access, even briefly. (Chromebooks are the only contender.)
At work, we use a collaboration platform called Cisco Spark to communicate with other teammates. When I see an open, unlocked laptop, I go onto Spark and write in a room full of many people “I’m bringing a cake for the team tomorrow!” This has been proven to be an effective reminder to close laptops because there has been a lot less cake since I started doing this… ?
Be mindful of the context and likely reaction if you do this. I did something similar at a corporate job once and it didn’t go over quite like I’d hoped…
My coworker was a BSD guy who didn’t realize shutdown on Windows nags you after a small delay about uncooperative processes. I noticed after he’d left, so I hit cancel, dropped a text file in his Startup folder, shut down for real, and headed out the door.
The next morning my coworker came in and booted up. Notepad immediately popped up a message saying “You’ve been h4x0r3d: secure your box you fat bastard.” Not knowing Windows and probably distrusting it in the first place, he filed a security ticket. When I rolled in at 10am the sec team had unplugged his workstation and were in the process of carting it off to investigate. Oh the fun conversations we all had together that day.