I must be getting older, as things like this would never have happened to me a few years ago. I lost my laptop at the Heathrow airport. It was not even stolen, I forgot it at the security check. I got distracted by the security officer asking to see my liquid items, and taking a lot of time to check them, that I simply left the laptop in one of the trays. How dumb of me. Anyway, the number of measures I took to prevent someone to hack into it and steal data, in hindsight, have proven at least partly effective.
Pick A Strong Password. This should be obvious, but oftentimes passwords are just plain obvious.
Encrypt vital data with TrueCrypt and use a strong pass phrase. A volume encrypted with TrueCrypt, provided you use a very strong pass phrase, is virtually immune to any kind of attack that does not make use of quantum computers (just to make it clear: quantum computers do not exist at the time of this writing).
Encrypt other important data with NTFS EFS. NTFS’s Encrypting File System is a decent way to prevent Average Joe to dismount your hard drive and peek at your files. Unluckily EFS is not immune to more sophisticated attacks like brute forcing your Windows password, or fiddling with Windows’ users database, but it surely prevents the average thief (or lucky finder) to see your data. Of course I assume the NSA is not after you: in such case EFS is no good.
So far so good. What did I miss?
Encrypt EVERYTHING else with NTFS EFS, especially your user profile folder. I failed to do this out of laziness I admit. Failing to do allows to easily peek at, for example, your browser open session. I’m not sure how effective that is, because applications are able to copy files from other locations, causing them to be unencrypted. YMMV.
Be aware that Dropbox does not have a remote wipe function. Besides using NTFS EFS on the Dropbox folder as well as its cache folder (which I did), there is no reliable workaround for this problem. You could leverage Selective Sync and create an “evacuation” folder, not synchronized on the laptop, where you put all of your files in case of emergency, causing them to be deleted from the laptop the first time it connects to the Internet.
Now a couple of bonus items.
Use a Mac with Bootcamp. The funny thing about Macs running Windows via Bootcamp is that you can’t start a Windows setup CD/thumb drive without first configuring Bootcamp from OSX, nor you can easily access the BIOS (or actually EFI). This is another layer of security, although I’m not sure how robust it is. Again, your target is Average Joe.
Use TrueCrypt’s full disk encryption. It seems like a very complex process, but it might be worth it. I will surely have a look at it next time.
Luckily, the airport Lost Property office collected the notebook and I was able to arrange for a relative to pick it up for me. This time I’ve been very lucky, but it’s now clear to me that Dropbox poses serious security risks. As I mentioned, I discovered when it was too late that no remote wipe exists, so I contacted Dropbox’s support to ask if it was possible to move my Premium subscription to another account and delete everything from my current one (so the data would get deleted on the laptop too in case it was booted and connected to the Internet). It took them roughly 48 hours to respond to my request, without actually answering my question and simply suggesting to change password and unlink the lost PC from Dropbox. Luckily they don’t run the Heathrow airport…
Bottom line: be quite paranoid.