Slashdot Mirror


Hackers, Activists, Journos: How To Build a Secure Burner Laptop (vice.com)

sarahnaomi writes to describe a presentation by security researcher Georg Wicherski at the t2'15 infosec conference; Wicherski outlined in his talk several steps that could be taken to render an ordinary Chromebook immune (or at least very, very resistant) to malware attacks, even when an adversary has physical access to it. These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.

139 comments

  1. If border cops don't know what to do, by fustakrakich · · Score: 2

    They'll just keep the device. "Burners" are almost as good as the one time pad.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:If border cops don't know what to do, by sexconker · · Score: 5, Insightful

      No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

    2. Re:If border cops don't know what to do, by Anonymous Coward · · Score: 1

      No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

      I hate to paint this kind of shit as a good thing, but the more abuses that are brought to light, the more chance of real enforcement reform.

      Body cameras are merely a starting point.

    3. Re:If border cops don't know what to do, by myowntrueself · · Score: 5, Insightful

      No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

      Except it won't be illegal because it'll be at the border.

      --
      In the free world the media isn't government run; the government is media run.
    4. Re:If border cops don't know what to do, by Anonymous Coward · · Score: 1

      then illegally hold you without charging you anything

      Hey, at least it's free!

    5. Re:If border cops don't know what to do, by Anonymous Coward · · Score: 0

      Yep. Don't visit third world countries where you have no rights. That's the answer.

    6. Re:If border cops don't know what to do, by fustakrakich · · Score: 1

      Well, the idea behind the burner anyway is to avoid keeping anything important on it, so open it up for them. And for the border you should have burner email, facebook, etc accounts also that have nothing but cats and laughing babies, maybe some soft lingerie porn to avoid making it too obvious.

      --
      “He’s not deformed, he’s just drunk!”
    7. Re:If border cops don't know what to do, by U2xhc2hkb3QgU3Vja3M · · Score: 2

      To make sure it's not obvious, keep a few gigabytes of regular porn, 3d porn, hentai porn, furry porn, tentacle porn and futanari porn.

      Fight for your bitcoins!

    8. Re:If border cops don't know what to do, by U2xhc2hkb3QgU3Vja3M · · Score: 2

      Okay, so that means no visit to the U.S.A. We've seen what your own government does to its own people, we don't want to set foot there.

      Fight for your bitcoins!

    9. Re:If border cops don't know what to do, by Anonymous Coward · · Score: 1

      ...avoid making it too obvious.

      This - Because human rights at American borders appear to be nonexistent: any noncompliance strategy is not enough - so yes add porn, add MS Windows, make your device look "normal" and compliant with their meddling.

      If you do encryption and any other hardening then you must also make sure it's extremely difficult to tell that either your device is hiding something or make sure that their malware / backdoor etc appears to be successful... otherwise they can use the various non-technical ways to force you into submission... The key is letting them think they have won and making damn sure they never find out.

    10. Re:If border cops don't know what to do, by Coren22 · · Score: 1

      Assuming AC is from the US is a little bit much. I think the AC was calling the US a third world country instead.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    11. Re:If border cops don't know what to do, by Anonymous Coward · · Score: 1

      Then they just look through the computer's history. Oh, work at xyz company as an admin? Better cough up your username and enterprise admin creds or you will be lighter a few fingers (if it is Third World country), or a record gun or drug haul might be found with the laptop (if a more developed country). Other countries like the UK will just have the magistrate demand access to the AD network, if no, tack three years on the sentence, ask again. After 20-30 times, that is effectively a life sentence under RIPA.

      I've wondered about having a second proxy in place. That way, if the adversaries get your machine, find you are going, they then get access to the remote VDI server (which is well out of their hands for physical seizure, so duress codes on the remote and plausible deniability is a LOT easier to do.)

      Why Microsoft doesn't put the ability to have a duress function in AD is beyond me. This would:

      1: Allow access, and notify everything in logs that the user is being coerced.
      2: Allow access for "x" amount of time, boot the user out and lock the account.
      3: Allow access, but send all actions to a log server.
      4: Allow access, but sandbox all actions so changes don't actually get applied.
      5: Offer documents, but they are generated with fake usernames and such.

      Some of the above are almost impossible to code, but at the minimum, it would be nice to have duress functionality that warns the company about the user being compromised.

    12. Re:If border cops don't know what to do, by willworkforbeer · · Score: 1

      No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

      So that's the title of the sequel: 50 Shades of Grey on the Border

      --
      Pretending this is my office full of bitter coworkers..
    13. Re:If border cops don't know what to do, by plopez · · Score: 1

      you go first.

      --
      putting the 'B' in LGBTQ+
    14. Re:If border cops don't know what to do, by plopez · · Score: 1

      Which covers 2/3 of the American people:
      https://www.aclu.org/know-your...

      --
      putting the 'B' in LGBTQ+
    15. Re:If border cops don't know what to do, by Anonymous Coward · · Score: 0

      They'll just keep the device. "Burners" are almost as good as the one time pad.

      I don't get the one time pad comparison as one time pads, to this day, are some of the most secure encryption methods available for information security. And yeah, they'll keep the device and you until you let them into the device. The article's supposition and the software being described are both stupid. Backup and wipe your devices when traveling abroad. Load only the data you need and use a secure password that isn't associated with anything else. No problems.

    16. Re: If border cops don't know what to do, by TimMD909 · · Score: 1

      Simple: add a second password, that when logged in with, puts it into that mode. Make it look like a normal login but immediately sound the silent alarm.
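Added example, not part of any comment in this thread: a minimal sketch of the duress login that Anonymous Coward's numbered list and TimMD909's reply describe, where a second password logs in normally from the user's point of view but raises a silent alarm and restricts the session. All names (`enroll`, `login`, `session_policy`, the policy fields) and the PBKDF2 parameters are assumptions made for illustration; this is not an Active Directory feature or API.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # constructed value for the example


def kdf(password: str, salt: bytes) -> bytes:
    """Derive a verifier so plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Account:
    salt: bytes
    normal: bytes  # verifier for the everyday password
    duress: bytes  # verifier for the password handed over under coercion


@dataclass(frozen=True)
class LoginResult:
    granted: bool
    duress: bool   # server-side flag only; never shown at the keyboard


def enroll(normal_pw: str, duress_pw: str) -> Account:
    if normal_pw == duress_pw:
        raise ValueError("duress password must differ from the normal one")
    salt = os.urandom(16)
    return Account(salt, kdf(normal_pw, salt), kdf(duress_pw, salt))


def login(account: Account, password: str, alerts: list) -> LoginResult:
    candidate = kdf(password, account.salt)
    # Both comparisons always run, so the check does the same work
    # whichever verifier (if any) matches.
    is_normal = hmac.compare_digest(candidate, account.normal)
    is_duress = hmac.compare_digest(candidate, account.duress)
    if is_duress:
        # Item 1 of the list: let the user in, but tell the defenders.
        alerts.append("DURESS login: treat this account as coerced")
    return LoginResult(granted=is_normal or is_duress, duress=is_duress)


def banner(result: LoginResult) -> str:
    """What the person at the keyboard sees: identical for both passwords."""
    return "Welcome back." if result.granted else "Login failed."


def session_policy(result: LoginResult):
    """Server-side restrictions, mapping items 2 to 4 of the list."""
    if not result.granted:
        return None
    if result.duress:
        # Short-lived, fully logged, and changes are not applied.
        return {"ttl_seconds": 600, "audit_all": True, "read_only": True}
    return {"ttl_seconds": 8 * 3600, "audit_all": False, "read_only": False}


if __name__ == "__main__":
    alerts = []
    acct = enroll("everyday passphrase", "border passphrase")  # constructed
    for pw in ("everyday passphrase", "border passphrase", "guess"):
        res = login(acct, pw, alerts)
        print(banner(res), session_policy(res))
    print("alerts:", alerts)
```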

  2. Step 1 by Anonymous Coward · · Score: 4, Funny

    Install APKs host file generator so you don't have people tracking you by your DNS lookups.

  3. way to go DHI by Anonymous Coward · · Score: 0

    I love it when an article is published with incomplete links, and/or an explanation of the content..
    DHI Do Hide Intentionally
    I wonder what the vetting process for articles is??
    (do we recognize the author or submitter)
    Perhaps that's it..

    1. Re:way to go DHI by AmiMoJo · · Score: 5, Interesting

      It's a shame that TFA seems to suck, because this is a big concern for a lot of people. I encrypt my laptop, but at the border your rights are severely diminished and they can do all sorts of nasty things to you. So far the best option seems to be to carry an innocuous laptop with nothing of interest on it, and mail myself an encrypted flash drive with the real OS and data on it.

      Even with a phone you can do a "nandroid" backup (on Android) of the real OS, wipe it back to factory and then restore when you reach safety.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:way to go DHI by myowntrueself · · Score: 5, Insightful

      It's a shame that TFA seems to suck, because this is a big concern for a lot of people. I encrypt my laptop, but at the border your rights are severely diminished and they can do all sorts of nasty things to you. So far the best option seems to be to carry an innocuous laptop with nothing of interest on it, and mail myself an encrypted flash drive with the real OS and data on it.

      Even with a phone you can do a "nandroid" backup (on Android) of the real OS, wipe it back to factory and then restore when you reach safety.

      And that backup goes online, encrypted and you download it once you are across the border.

      Done that with laptops as well.

      --
      In the free world the media isn't government run; the government is media run.
    3. Re:way to go DHI by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Nendoroid backup?

    4. Re:way to go DHI by cayenne8 · · Score: 1

      but at the border your rights are severely diminished and they can do all sorts of nasty things to you.

      Ok, I'm assuming you mean the US border. Has there been any serious documented abuse or "nasty" things happening to people with a laptop trying to come back into America?

      This is all news to me...

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    5. Re:way to go DHI by AmiMoJo · · Score: 1

      The UK is pretty bad. In any case, most borders are the same. You are going to miss your plane to get sent home, what are you going to do?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:way to go DHI by Anonymous Coward · · Score: 0

      I've hopped borders a lot in the past few years. Entering the EU is a breeze: they genuinely welcome you, especially if you make an effort to speak the local dialect, and no one cares whether you have a bag or not, let alone what might be in the bag. Entering the UK is a bit tougher, unless you come from somewhere the border guard likes (I was coming from Florida at the time, and the guard's daughter lived there, so I got the royal treatment). Entering the US (Newark, Miami) sucks hard because of the long lines, but I've frankly never seen anyone's bags or stuff searched. Lots of holdup because the non-citizens, none of whom understands more than three words of English, get in the wrong lines (the ones reserved for citizens) and have to go through biometric ID.

      No border guard has ever even mentioned my laptop or backup drive. The laptop is a Mac with full-disk encryption turned on. The backup drive has hardware encryption, software full-disk encryption, and encrypted backups on that encrypted partition. No one even cared that I had a bag, frankly.

      I suspect that to get your bag searched or to get the border guard to care about your computer, you have to be on a list. Also, don't wear a tie. People who wear ties can murder someone in front of a border guard and still have nothing to declare.

  4. Where's the link? by cruff · · Score: 4, Insightful

    I don't see a link to said presentation...

    1. Re:Where's the link? by MagicM · · Score: 2

      You see where it says "vice.com" in the header? You're supposed to click there.

      Yeah, I don't want to either.

    2. Re:Where's the link? by Anonymous Coward · · Score: 0

      Click on Vice.com next to the title.

    3. Re:Where's the link? by newbie_fantod · · Score: 1

      and the linked article still doesn't tell you "how to build a secure burner laptop", only that some people can and do do it.

    4. Re:Where's the link? by Last+Warrior · · Score: 1, Insightful

      I'm skeptical about the whole thing. The base platform is a Chromebook. By definition, Chrome and anything developed by Google has hooks which phone home. If you are going to build a locked down system, you should probably start with something that doesn't already leak like a sieve and have built-in backdoors and malware in the operating system.

    5. Re:Where's the link? by demonlapin · · Score: 1

      He wiped the drive and installed Linux.

    6. Re:Where's the link? by painandgreed · · Score: 1

      You see where it says "vice.com" in the header? You're supposed to click there.

      Yeah, I don't want to either.

      Sorry, I've learned that if vice.com is in the URL, it's not worth clicking on.

    7. Re:Where's the link? by painandgreed · · Score: 1

      and the linked article still doesn't tell you "how to build a secure burner laptop", only that some people can and do do it.

      You were expecting actual knowledge from a vice.com article?

    8. Re:Where's the link? by Anonymous Coward · · Score: 0

      Even so, there are things like vPro and other items which will phone home. For example, LoJack for Laptops is a common feature, which if one installs Windows, will auto-install itself because hooks for it are part of how the laptop loads. Linux or not, it will load regardless.

      Then, there are cellular providers which tag HTTP traffic to ID you regardless.

      Want to know how to fix this? Comes with Linux:

      1: Create a VM that you do your work in, be it Linux, Windows, or whatever. If on OS X and using VMware Fusion, OS X can be virtualized. Put it on a standalone vSwitch, not connected to the host, nor anything else.

      2: Download pfSense, build a VM image, one interface (the LAN interface) on the same vSwitch as the VM in step 1. The second interface (the WAN interface), use NAT or share the host's adapter. I use NAT so upstream switches which shit their pants when a box has more than one MAC address are happy.

      3: Configure pfSense to tunnel all traffic coming from the LAN segment to the WAN through your VPN provider.

      4: Work on the VM in step 1 as usual. Eavesdroppers will just see encrypted traffic, geo-locators will get the IP of the VPN, ISPs which tag HTTP transactions will be foiled, and you can add deny ACLs by IP onto the pfSense firewall to further lock down traffic.

      5: If you feel like it, add DansGuardian to pfSense, and add hosts files there. This provides a transparent proxy without editing anything on the "inner" VM. To boot, if the inner VM gets compromised, it will be hard-pressed to phone home, plus (assuming one keeps snapshots), you can roll back those.

      The downside -- virtualization is RAM hungry, and because you have multiple operating systems wanting to hit the disk at the same time, it is highly recommended to put at least the OS part of the VM images on a SSD so they are not all fighting for a platter.

      The upside is that you have layers of security, including a built in firewall, helping mitigate compromise on a number of levels. Physical security is also easily handled because most virtual machine products have encryption, so one can encrypt the VM. Of course, the VM can use BitLocker or LUKS for encryption inside it, but it is always better to encrypt outside the VM to ensure an attacker can't touch any part of it.

      Another upside is that backups are brain-dead easy. For a complete VM backup, plug a USB external drive in, copy the image files, unplug it. Done.

      Of course, the best upside is that the bare metal can easily have vPro or other items telling its presence and location... but because of the VPN stuff happening on another layer, the data to and from the inner desktop is completely isolated from that.

  5. WTH? by Anonymous Coward · · Score: 0

    A Chromebook is not a laptop!

    1. Re:WTH? by CCarrot · · Score: 2

      A Chromebook is not a laptop!

      Agreed, but from TFA, seems like they were chosen because they're cheap (in every sense of the word), therefore people would feel more comfortable using them as 'burner' laptops (or pseudo-laptops).

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    2. Re:WTH? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      When I need a pseudo-laptop, I prefer to use a P-P-P-Powerbook!

      Fight for your bitcoins!

  6. Security by Obscurity by Anonymous Coward · · Score: 2, Insightful

    I certainly won't read the RTFA, as an AC, but this seems silly. You are saying that by using obscure hardware and software, attackers won't know how to put their off-the-shelf industrial malware on your equipment? Anyone with such a large-scale operation will either find another way in, or be eclipsed by all the malware that gets there by other means anyway.

  7. Just making yourself a target by Anonymous Coward · · Score: 1

    You're just making yourself a target for these border cops if you have a "suspicious" laptop. Get ready to be held against your will and interrogated.

    I'd think there's better, more subtle ways to protect yourself.

    1. Re:Just making yourself a target by bobbied · · Score: 1

      I'd think there's better, more subtle ways to protect yourself.

      You mean like encrypting your hard drive?

      Personally, if I figured I had a lot to hide, I'd set up my machine to require manual intervention while booting. Set up a boot loader that silently boots to a decoy, throwaway, it returns to its initial state every time system that you use for things like web browsing and game playing. Encrypt all the rest of the partitions used for the *working* system where you keep the stuff you want/need to keep secure. You boot to the *real* system to work by knowing that the boot loader can be interrupted, directed to the real system and will only then request the decryption key.

      In this way, you just power up the system when asked, they "inspect" it and it looks like what they expect to see.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  8. Links? by Anonymous Coward · · Score: 1

    The links provided say nothing about what is discussed in the summary. I realize this being Slashdot no one reads the article but come on. One is the definition of the term "turnkey" off of Wikipedia, another is just the coreboot home page, and the third is a two year old posting on Bruce Schneier's web site about yet another NSA exploit. None of the links connect to the summary at all.

    Could we at least post the link in the summary somewhere?

  9. they know EXACTLY what to do by Anonymous Coward · · Score: 5, Insightful

    might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.

    Oh, they know exactly what to do.

    "..border guards confiscated his laptop and phones and detained him, telling him he would not be allowed to leave until he gave them his passwords."

    This is a solved problem as far as they are concerned. You sit in a room until you unlock the device for them. Lawyer? You don't get no steenkin' lawyer.

    1. Re:they know EXACTLY what to do by Lumpy · · Score: 3, Interesting

      Not a problem officer..... It's password99.

      and it boots to a clean sanitized setup. "please don't look at my manuscripts in there, I'm not a very good writer and get embarrassed if someone reads my book I am writing. "

      and I am on my way.

      Honestly, if you are not smart enough to have your real information safely elsewhere then you deserve to be detained. microSD cards are a freaking dime a dozen and can easily be hidden anywhere. Hell put one under the stamp on a letter to yourself at your destination.

      --
      Do not look at laser with remaining good eye.
    2. Re:they know EXACTLY what to do by Anonymous Coward · · Score: 5, Informative

      Someone didn't RTFA.

      This isn't about stopping the border police from reading the contents of your laptop, it is about stopping them from installing spyware in the BIOS. The described mechanism involves clipping a pin off the flash chip rendering it read-only. No regular border cop is going to know how to deal with that and no amount of rubber-hose decryption is going to undo it.

      Like all security measures, it isn't about being 100% secure, it is about raising the costs to the attacker.

    3. Re:they know EXACTLY what to do by JustNiz · · Score: 1

      >> Hell put one under the stamp on a letter to yourself at your destination.

      Physically mailing storage? Really? Why wouldn't you just encrypt it and copy it (scp or whatever) to some server then pick it up when you get wherever you're going?
      If you're paranoid about cloud storage (which is probably quite reasonable) just run your own server at home.

    4. Re:they know EXACTLY what to do by Firethorn · · Score: 2

      and it boots to a clean sanitized setup. "please don't look at my manuscripts in there, I'm not a very good writer and get embarrassed if someone reads my book I am writing. "

      Better yet, a little legal heterosexual porn (think Playboy tasteful), some mp3s, some movies, they're satisfied that you're an 'average' joe and you go on your way. You don't want a perfectly 'sanitized' laptop like having a perfectly clean apartment would have the cops wondering and looking for a second residence.

      --
      I don't read AC A human right
    5. Re:they know EXACTLY what to do by Anonymous Coward · · Score: 0

      Be generous. Give them something they can't unsee.

    6. Re:they know EXACTLY what to do by Anonymous Coward · · Score: 0

      What's the point? If the border guards take your laptop away, just throw it away and buy another. If you're going to travel with a cheap "burner" chromebook anyway, it's not worth it to try to preserve it.

    7. Re:they know EXACTLY what to do by Technician · · Score: 2

      For travel, I have considered simply traveling with a Raspberry Pi with no thumb drive and a fresh install of Raspbian. The TSA is welcome to examine it in its entirety including making a mirror copy of the micro SD. Be upfront with them that the device is entirely devoid of any personal information and contains only the fresh boot image. After reaching your destination, you can SSH into your personal files and buy a local thumb drive. Upon return, replace the micro SD with a fresh copy again.

      If you don't travel with the info, there is no info to be stolen by the governments. Be upfront and honest about it.

      --
      The truth shall set you free!
    8. Re:they know EXACTLY what to do by Anonymous Coward · · Score: 0

      > Like all security measures, it isn't about being 100% secure, it is about raising the costs to the attacker.

      As my grandfather used to say: there are no high fences, only lazy burglars.

  10. Nicely done, connecting to NSA by daveschroeder · · Score: 1

    Guess what people the NSA isn't going after with something as close-held as the linked exploit?

    "Hackers, Activists, and Journos"

    I know that doesn't really seem to matter to people, and that it's easier to cherry-pick contextless, misunderstood, fringe examples that are believed to prove some "point", or isolated examples of outright abuse and extrapolating, without any proof whatever, that to mean it is obviously systemic and widespread, instead of realizing that NSA's chief mission, as a foreign intelligence agency, is foreign signals intelligence collection, and that US adversaries use the same phones, laptops, networks, systems, devices, services, and providers as you.

    And, stunningly, we still develop ways to actually target and collect against them.

    Mind-bending, I know.

    1. Re:Nicely done, connecting to NSA by Anonymous Coward · · Score: 1

      The NSA will investigate, hack, and bully whomever they please and you're deluding yourself if you think they don't. They may have been "conceived" as a "foreign" intelligence agency, but, as has been clearly shown, they LOVE collecting data on U.S. citizens more than anyone. They may not be specifically going after a particular collection of people, but piss them off and you'll feel their entire weight upon you in an instant. MORESO if you're a U.S. citizen rather than a foreign citizen. They're the government's thugs and bullies and U.S. citizens are the easiest targets that allow them to gain the most power over the most people with the least effort.

      Captcha is "degraded". How. Fucking. Appropriate.

    2. Re:Nicely done, connecting to NSA by Coren22 · · Score: 1

      Since you know everything about them, perhaps you should start linking to ANY evidence of collection against US citizens.
      I have heard lots of wild speculation from the Snowden leaks, but none of it has pointed to actual illegal collection.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    3. Re:Nicely done, connecting to NSA by Noryungi · · Score: 2

      You are so naive it's almost painful.

      Of course, the NSA is going to go after you if you are an American journalist. The thing is, they are not allowed to. What a quandary!

      What can you do in that case, if you work at the NSA? You just send a memorandum to your good friends at GCHQ, and they will gladly do the spying for you!

      And, of course, if GCHQ needs some juicy info on a UK citizen, NSA is happy to oblige. Scratch my back, I'll scratch yours, etc.

      Repeat with all members of the "five eyes" (NSA, GCHQ, CSE, ASD, and GCSB) and you cover up pretty much the entire world. But, again, NSA is not "officially" spying on US citizens, no sirree.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    4. Re:Nicely done, connecting to NSA by Anonymous Coward · · Score: 0

      I see you referenced the Snowden documents.

      I suggest you actually read them. Prepare to be enlightened.

  11. Re: Laptops run LUDDITE software. by Anonymous Coward · · Score: 0

    Needs more app...

  12. Really? by Anonymous Coward · · Score: 1

    Old laptop, boot from a Linux CD. All done. Short of hardware inside it to spy on you it's 100% hacker proof. You can find cheap burners from almost anywhere, just boot from your Linux live CD and away you go.

    Really has the state of "hacking" degraded so far that this kind of shit is considered talk worthy?

    1. Re:Really? by nullchar · · Score: 1

      short of hardware inside it to spy on you

      You mean like modifications to the bios? Which can infect a running OS even after you boot from another device?

    2. Re:Really? by mvdw · · Score: 1

      So put an md5sum of the bios on the CD, and check it against the running bios on boot. If different, flag an error.

    3. Re:Really? by nullchar · · Score: 1

      If that works, can't you just detect malware using the same method on the regular laptop? (Boot it via cd/usb and check bios and other firmware.) Seems to me a compromised bios could lie about its checksum.

      I guess if you always flashed all your bios/firmware back to defaults from read-only media after crossing a border, it might work...

    4. Re:Really? by mspohr · · Score: 1

      Tails.boum.org
      Tor, I2P, encryption

      --
      I don't read your sig. Why are you reading mine?
    5. Re:Really? by Anonymous Coward · · Score: 0

      md5sum. Yep, that's secure.
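Added example, not part of any comment in this thread: the firmware check mvdw proposes, written with SHA-256 in place of md5sum and extended to report which blocks of a flash dump differ from a known-good reference. As nullchar points out, a dump read through firmware that is already compromised can be falsified, so this assumes the dump was obtained over a path you trust; the function names, the 4 KiB block size, the ignored settings region and the sample images are all constructed for illustration.

```python
import hashlib

BLOCK = 4096  # comparison granularity (assumed; pick your chip's erase size)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_ignored(start: int, end: int, ignore) -> bool:
    """True if [start, end) lies entirely inside one ignored range."""
    return any(lo <= start and end <= hi for lo, hi in ignore)


def diff_regions(golden: bytes, dump: bytes, ignore=(), block: int = BLOCK):
    """Return merged (start, end) byte ranges where dump differs from golden.

    `ignore` lists ranges that legitimately change between boots
    (for example a settings/NVRAM area) and are skipped.
    """
    if len(golden) != len(dump):
        raise ValueError("image sizes differ; not the same flash layout")
    regions = []
    for start in range(0, len(golden), block):
        end = min(start + block, len(golden))
        if golden[start:end] == dump[start:end]:
            continue
        if is_ignored(start, end, ignore):
            continue
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], end)  # extend adjacent region
        else:
            regions.append((start, end))
    return regions


def check_firmware(golden: bytes, dump: bytes, golden_sha256: str, ignore=()):
    """Compare a dump with the reference recorded before travel."""
    # The reference image is only useful if it is still the one we hashed
    # earlier; the hash itself should live on read-only media.
    if not sha256_hex(golden) == golden_sha256:
        return {"status": "reference-untrusted", "regions": []}
    if len(golden) != len(dump):
        return {"status": "size-mismatch", "regions": []}
    regions = diff_regions(golden, dump, ignore)
    return {"status": "modified" if regions else "match", "regions": regions}


def sample_images():
    """Constructed 64 KiB images: reference, benign dump, tampered dump."""
    golden = bytes(range(256)) * 256
    benign = bytearray(golden)
    benign[0xF000:0xF010] = b"\xff" * 16      # settings area rewritten
    tampered = bytearray(benign)
    tampered[0x5FF8:0x6008] = b"\x90" * 16    # change straddling two blocks
    return golden, bytes(benign), bytes(tampered)


SETTINGS_AREA = [(0xF000, 0x10000)]  # constructed "expected to change" range

if __name__ == "__main__":
    golden, benign, tampered = sample_images()
    recorded = sha256_hex(golden)
    for name, dump in (("benign", benign), ("tampered", tampered)):
        result = check_firmware(golden, dump, recorded, SETTINGS_AREA)
        spans = [(hex(a), hex(b)) for a, b in result["regions"]]
        print(name, result["status"], spans)
```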

  13. Why not dual-boot? by Anonymous Coward · · Score: 1

    Put a vanilla install of Windows on an empty partition and set grub to boot it by default before you hand your laptop to border guards. They can have their fun with it before handing it back, then you wipe the partition when you get where you're going. You don't ever even have to boot it up to let their malware do its thing.

    1. Re:Why not dual-boot? by Anonymous Coward · · Score: 0

      Because they install the malware inside the BIOS.

    2. Re:Why not dual-boot? by Anonymous Coward · · Score: 0

      Of course, you assume that the border drones do not put some sort of hardware or firmware-level rootkit in your machine while they have it.

      Everything has to start executing code from somewhere...

  14. I default boot to Windows for TSA, customs clerks. by raymorris · · Score: 4, Insightful

    Personally, when I vacationed in Jamaica I set the bootloader to default to Windows rather than a serious OS with anything important on it. That should take care of 99% of TSA employees making $12/hour, and front-line customs clerks. The people I dealt with were probably working at Taco Bell the month before, they weren't top-tier forensic scientists.

  15. Re:I default boot to Windows for TSA, customs cler by Anonymous Coward · · Score: 0

    Wow. Someone is feeling very superior and smug today. Ever wonder why you don't have any friends? That's why.

  16. er... by sociocapitalist · · Score: 1

    Where's TFA?

    --
    blindly antisocialist = antisocial
    1. Re:er... by Coren22 · · Score: 1

      On the title bar, where it says vice.com. I agree, it is a little confusing.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  17. Re:I default boot to Windows for TSA, customs cler by Anonymous Coward · · Score: 1

    Someone couldn't get a TSA job and is stuck at Taco Bell.

  18. Re:Laptops run LUDDITE software. by phishybongwaters · · Score: 1

    I really wish I had as much free time as you do

  19. Why do you need a "secure" burner laptop? by pla · · Score: 4, Insightful

    Why do you need a "secure" burner laptop?

    I don't mean that in the "if you have nothing to hide..." sense, but rather, the whole point of a "burner" comes from the fact that it doesn't have anything to hide on it. You pretty much just revert it to OEM condition before each trip, and if some hostile government-authorized terrorist agency like HSI (formerly ICE) decides to steal it from you (or hell, if a random thief decides to steal it from you), you haven't lost anything but the hardware.

    Hey, I completely agree that we shouldn't have to put up with that sort of bullshit or take steps like prepping a burner laptop every time we want to go on vacation; but "securing" it just makes it look even more tempting to the idiots at the gates; similarly for setting up a UI that Officer Shout-and-Taze doesn't immediately recognize as Windows or OS X or Android or iOS.

    If you want to make a stand, I fully support you. But if you just want to get on with your day, spare yourself from your own cleverness, and just restore to factory default and give it a highly secure password like "password".

    1. Re:Why do you need a "secure" burner laptop? by aaaaaaargh! · · Score: 4, Informative

      I think the idea of this admittedly cryptic article is to have a laptop that is temporarily secure against certain spyware modifications so it can later still be used to download the encrypted data on the other side of the border. The alternative is to buy a new computer every time you travel.

    2. Re:Why do you need a "secure" burner laptop? by Anonymous Coward · · Score: 0

      Because we need to discourage our government from gathering information on us (and corporations, too), because they use that information against us.

      Either for direct political reasons or to relieve us of our money.

      Everyone here should already know this.

    3. Re:Why do you need a "secure" burner laptop? by Anonymous Coward · · Score: 1

      the whole point of a "burner" comes from the fact that it doesn't have anything to hide on it

      No, the point of the "burner" is that it is inexpensive enough that you won't cry if it gets stolen or if border officials decide to keep it. This gets more likely if you are a reporter known to be working against the interests of a government, since you will probably be on a border monitoring list.

      Secure or not is a separate issue.

    4. Re:Why do you need a "secure" burner laptop? by Anonymous Coward · · Score: 1

      If you are a person of interest, it's obvious you won't carry sensitive data across a border where you can be searched.

      The security services are not quite as stupid as you imagine.

      Under one or other pretext they'll seize your laptop, then modify the BIOS so that it logs your activity. Encrypted or not, they'll get your encryption passwords as you retype them. You think you're all safe because you wipe/restore your laptop. Whereas if they do decide to hit you, they take your bugged laptop and everything is on it.

      So (a) replace the standard BIOS, with its hooks for spyware, and (b) cut the write pin so it can't be reburned.

    5. Re:Why do you need a "secure" burner laptop? by pla · · Score: 1

      Ah, thank you, that makes a ton of sense!

    6. Re:Why do you need a "secure" burner laptop? by david_thornley · · Score: 1

      If you suspect that might happen, buy a cheap laptop for crossing borders, and either know how to reset the BIOS or sell it on eBay when you're home.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  20. Only Freeware and Warez by Guy+From+V · · Score: 1

    Remember, don't take the chance that companies' legitimate software will infect you.

  21. Journos? by sanosuke001 · · Score: 1

    What is a Journos? (sarcasm: it means the editor is a lazy typist)

    --
    -SaNo
    1. Re:Journos? by Anonymous Coward · · Score: 0

      It's a European thing. You wouldn't understand.

    2. Re:Journos? by xxxJonBoyxxx · · Score: 2

      >> What is a Journos?

      It looks like a Mentos, but it always tilts slightly to the left and has a yellow tint.

    3. Re:Journos? by Anonymous Coward · · Score: 0

      This is the first time in my life I've heard the word. Probably some newspeak, I guess I'm getting old.

    4. Re:Journos? by Anonymous Coward · · Score: 1

      C'Mere. I'll introduce my fist to your face. And I'll ask, "Oh, was that journos?"

      Captcha: parsing

    5. Re: Journos? by Anonymous Coward · · Score: 0

      Ah, it must be some nazi ubermensch master race thing then.

    6. Re:Journos? by Anonymous Coward · · Score: 0

      It's retard for "journalists"

  22. incomprehensiblearticle by goombah99 · · Score: 1

    WTF? This is just a link to a logo for Coreboot. No explanation of what it is or what makes it different other than just saying "it's secure".

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:incomprehensiblearticle by U2xhc2hkb3QgU3Vja3M · · Score: 1

      You can't hack their logo, so I guess it's secure.

      Fight for your bitcoins!

    2. Re:incomprehensiblearticle by unrtst · · Score: 1

      Came here wondering the same thing... where the fuck is the story/documentation/info?
      Where's the "Homeland" style setup (Doctorow, not Fox)?

  23. The Christopher Walken Solution by goombah99 · · Score: 1

    Coincidentally Slashdot Deals has a banner ad for the Christopher Walken (Pulp Fiction) solution to taking your computer across the border privately.
    https://deals.slashdot.org/sal...
    Which is just the right size to hide any place you could fit a wristwatch.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  24. Re:Laptops run LUDDITE software. by U2xhc2hkb3QgU3Vja3M · · Score: 1

    And yet you have enough free time that you seem to know about his multiple posts about "apps" and enough free time to post a reply to his nonsense.

    Fight for your bitcoins! (sorry, no app)

  25. Re:Laptops run LUDDITE software. by Anonymous Coward · · Score: 0

    Retards like this have free time by definition because they are not smart enough to have things occupy their time. They just stare off into space from behind their drool covered hockey-helmet masks while being driven around on a short-bus all day long.

  26. Re:I default boot to Windows for TSA, customs cler by Anonymous Coward · · Score: 0

    What makes you think he wants friends? You mean you believe in altruism?

  27. Re:I default boot to Windows for TSA, customs cler by Anonymous Coward · · Score: 1

    He was only off by a little bit. TSA agents weren't working at Taco Bell the month before because they were working on their AA degree full time. The point is they aren't even EE/CECS/CIS/IT generalists with exposure to computer security fundamentals. To them, any laptop that isn't in some kind of configuration achieved by a default installation of off-the-shelf software might as well be alien technology.

  28. Forensic duplication by Baron_Yam · · Score: 1

    Err... isn't it standard procedure to extract and physically clone the HDD prior to examination, then attempt to crack encryption via rainbow tables?

    If you've used a sufficiently long passphrase and sufficiently well written encryption software, they just throw you in jail (assuming we're talking about law enforcement) until you give up the keys.

    It's much easier to just use a standard image and use remote access tools to work on a virtual computer that's not within the jurisdiction/reach of the people you're worried about.

    1. Re:Forensic duplication by vux984 · · Score: 1

      It's much easier to just use a standard image and use remote access tools to work on a virtual computer that's not within the jurisdiction/reach of the people you're worried about.

      Sigh. So first we tell people, if you don't want people to see it don't put it on the internet. Hell, if you really don't want it getting out, keep the machine it's on airgapped. Simple, right? Then as soon as you want to cross the border ... you jump up and tell them if you don't want people to see it, hey, you should put it on the internet!!

      Wait... what?

      It's not bad advice per se; and relatively speaking the data may well be safer online than on a laptop at the border.

      But it's only relatively better... if we're talking about the same data that we earlier advised "don't put this online", then that advice still holds.

      So what is the best way to take THAT data across the border with you?

  29. The tubgirl defense by TiggertheMad · · Score: 2

    Interesting resistance tactic - load your laptop with all sorts of disturbing and upsetting videos to cause mental anguish to any government viewers, while concealing and heavily encrypting any real data. Remember, someone has to look at all this data to make sense of it....

    The government can seize and spy on my data, but they better be prepared to go to counseling afterwards..

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
    1. Re:The tubgirl defense by KGIII · · Score: 1

      Steganography and Tubgirl... You might be on to something.

      --
      "So long and thanks for all the fish."
    2. Re: The tubgirl defense by Anonymous Coward · · Score: 0

      If you're going to go that way, what you need is a whole bunch of disturbing, but still totally legal, porn videos of yourself. What better reason could a person have to not want to divulge a password, than hours and hours of HD footage of themselves jerkin' it, or something like reenacting classic porn scenes with mannequins? If you were really trying to hide something, super embarrassing, self-porn is a good decoy you can give up when they "crack" you. It's something someone might legitimately hide or refuse to give up a password on; even with threat of contempt or jail. You do a couple of days, then give them something that was worth doing a couple of days over.

  30. Will this sanitize files? by vms_reboot · · Score: 1

    My biggest concern has always been and still is about someone identifying who created/edited a file on my drive. I routinely have to send documents anonymously which I have created and I am always worried about one document having my login name on one of my machines attached to the metadata.
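
The metadata concern raised in the comment above, as an added example that is not part of the original thread or of the talk's tooling: a check for author-identifying fields in a document before it is sent, plus a scrubbed copy. It assumes the documents are OOXML (.docx) packages, which the comment does not specify; the sample package and the login "jdoe" are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML core-properties namespaces used in docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep cp:/dc: prefixes on rewrite

CORE = "docProps/core.xml"
IDENTITY_TAGS = ("dc:creator", "cp:lastModifiedBy")
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # neutral timestamp for rewritten zip entries


def read_identity(docx_bytes):
    """Return {tag: value} for non-empty author fields in core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if CORE not in z.namelist():
            return {}
        root = ET.fromstring(z.read(CORE))
    found = {}
    for tag in IDENTITY_TAGS:
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[tag] = el.text
    return found


def scrub(docx_bytes):
    """Return a copy with author fields blanked and zip timestamps reset."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == CORE:
                root = ET.fromstring(data)
                for tag in IDENTITY_TAGS:
                    for el in root.findall(tag, NS):
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            # Per-entry modification times are metadata too, so normalise them.
            zi = zipfile.ZipInfo(info.filename, date_time=FIXED_TIME)
            zi.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(zi, data)
    return out.getvalue()


def build_sample():
    """Constructed minimal .docx-like package; 'jdoe' is a made-up login."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:title>Report</dc:title>"
        "<dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>jdoe</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"])
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CORE, core)
        z.writestr("word/document.xml", "<w:document xmlns:w='urn:constructed'/>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("before:", read_identity(sample))
    print("after: ", read_identity(scrub(sample)))
```

This covers docProps/core.xml only; docProps/app.xml (company, manager) and the w:author attributes on comments and tracked changes can also carry a name and need the same treatment.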

  31. Depends on the amount of data... by Firethorn · · Score: 1

    It's one thing if you have a few megabytes of documents, however what if you have sensitive video or something in the Gigs? A 64GB card isn't too expensive, where ~30GB worth of bandwidth might not be readily available out of wherever you're transiting from.

    Not to mention that if you're working with a paranoid government(and sadly the USA qualifies today), they might note the data traffic and follow up on that.

    --
    I don't read AC A human right
  32. Re:I default boot to Windows for TSA, customs cler by Anonymous Coward · · Score: 0

    What I wound up doing (and this was when I was going to an area where I was more worried about theft and strongarm robberies than anything else) was to have the machine set to boot Windows, and have it have some decoy stuff on that instance... some spreadsheets, a word doc or two, a PowerPoint TPM report, etc.

    For my real work, I booted the machine from a USB flash drive, and once the machine had its passphrase entered and mounted its root drive from its 7200 RPM SSD, I could run virtualization software, do the work that needed Windows without too much of a performance loss.

  33. 7200 RPM SSD, by goombah99 · · Score: 2

    Stand back man that SSD is whipping around.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:7200 RPM SSD, by Anonymous Coward · · Score: 0

      You do realize that hybrid drives are a thing?

    2. Re:7200 RPM SSD, by Anonymous Coward · · Score: 0

      You do realize that hybrid drives are a thing?

      He didn't say 7200 RPM hybrid, he said 7200 RPM SSD.

      Pay attention you stupid fuck

  34. Have it shipped by kheldan · · Score: 1

    Why not, if you're going somewhere that you're afraid border agents will pull this sort of bullshit, just have your laptop shipped separately via something like FedEx? Then there's nothing for them to search. Don't keep anything important on your phone, or don't take your phone with you, or take a disposable phone that has exactly nothing on it anyway.

    So far as these stories that I hear about being detained and told you're not leaving until you provide passwords? If I'm in a foreign country then I start demanding to see or be taken to the U.S. Embassy, immediately, long and loud until they either give up or kill me. Under no circumstances do I provide passwords of any kind for anything to anyone, ever.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re: Have it shipped by Anonymous Coward · · Score: 0

      You would never give up the passwords? Ever? Apparently you have never been tortured.

    2. Re: Have it shipped by Anonymous Coward · · Score: 0

      Yes, you refuse and get shipped off to a prison and spend the next 6 years being beaten and abused, yet you learn how to be stronger and band up with your cellmate and escape.........

      Yeah, no. Life's not a movie and you're not the cool spy you wish you were. There's about a 99% chance it will never come to torture. I'm really laughing at most of the posts here. I kind of picture you lot as the kind of idiot that when confronted by a law enforcement officer you scream profanities until you get shot for being stupid. Maybe if you acted like you were older than 8 stuff like this wouldn't happen.

    3. Re: Have it shipped by Anonymous Coward · · Score: 0

      No, I'm not stupid, and yes, I understand that in some mudhole countries of the world, I'd be dropped into an oubliette of a gulag, and beaten. I also know I'm a goddamned stubborn son of a bitch who doesn't give in to bullies, because it's just not worth it to have to live with the knowledge that some asshole out there owns you. I'm not married, I have no children, no family anymore, and quite frankly if my life went so terribly, horribly wrong that I found myself in such a situation that I'm being faced with such a nightmare, I'd just as soon life end as quickly as possible -- and pissing off as many of the assholes tormenting me as possible along the way. If a final act of defiance is my only path to achieving that, then that's what I'll do. There are some situations that aren't worth living through, and something so nightmarish as being held against my will in a foreign country with no hope of escape or rescue certainly qualifies.

      ..and no, I don't scream useless profanities at police officers. One must pick their battles, after all.

    4. Re:Have it shipped by Anonymous Coward · · Score: 0

      Let's see how you feel when they pull out some of your teeth or remove some of your fingernails. What are you gonna do about it?

  35. Before the border by Anonymous Coward · · Score: 0

    the disk is cloned, uploaded via encrypted tunnel to a server, wiped, and gets a fresh Windows installation with some regular stuff like Adobe Reader, maybe Office with a few documents downloaded from the internet. It would probably be good to figure out some innocent tamper signs, like a sticker over that one screw preventing you from modifying keyboard internals, a piece of lint under a screw leading to the hard drive. You disable the USB, Firewire, Thunderbolt ports beforehand, unsolder the damn thing if it's critical.

    After the border, go in reverse order. If it's an actual burner laptop, you can buy one in country and destroy it when leaving.

  36. Stupid idea by Anonymous Coward · · Score: 1

    What a completely stupid idea riddled with supposition.

    There's an old rule to traveling abroad. Don't take anything with you that you do not have to take, and conversely don't bring back anything you don't have to. This idea would also encompass the data on your personal devices. I also use throw away passwords and passcodes that are secure, but not any I would ever use for anything else. I VPN to connect to the Internet whenever I need to and keep my online activity to a necessity based minimum.

    As was suggested above, backup the devices before you leave, wipe them to factory defaults, load whatever data you can't do without for the trip and don't be a smartass at any border crossings. You'll have no problems. I've been doing this for more than a decade now and have had zero incidents.

    1. Re:Stupid idea by FrozenGeek · · Score: 1

      Good ideas. I'd suggest going one step further and travel with a laptop you would not mind losing. For instance, when I upgrade systems, I typically keep the old one for travel, etc. Unless I really need the more powerful new system, the old one will usually do just fine for a few days. Why offer thieves a better payday than absolutely necessary?

      --
      linquendum tondere
    2. Re:Stupid idea by AJWM · · Score: 1

      Heck, go a step further than that. Unless you're going to some third world country or flying direct to the middle of nowhere, you can probably buy a cheap (possibly used) laptop when you get there, then download your goodies from the net or the microSD in your tube of toothpaste (if you're that paranoid).

      Wipe it and discard it (or sell it) before returning, after uploading the data or stuffing the microSD back in your toothpaste tube.

      When you consider the expenses of travelling, a cheap laptop doesn't add much, especially if you can sell it rather than trashing it.

      (The laptop I typically travel with -- even within the country -- cost me all of about $35 used, and runs WinXP and Linux. Perfectly adequate for writing, emails and minor browsing, and I'm not heartbroken if it gets lost or stolen (data backed to a thumb drive at frequent intervals).)

      --
      -- Alastair
  37. Some real links by Anonymous Coward · · Score: 0

    This all seems to be based on the standard "how to install linux on a chromebook" stuff, so if anybody is interested:

    BIOS write protection jumper: http://www.coreboot.org/Chromebooks

    Replacement BIOS: https://johnlewis.ie/

    Installing Arch: https://wiki.archlinux.org/index.php/Chrome_OS_devices

    Full disk encryption: https://dhole.github.io/post/full_disk_encryption_samsung_chromebook/

  38. Thanks - it does help by avoiding DNS by Anonymous Coward · · Score: 0

    See subject: For favorite sites you 'hardcode' in hosts avoiding DNS + its security issues a good 95++% of the time.

    This is faster + more reliable than remote DNS (99.999% of which are STILL NOT PATCHED vs. the kaminsky redirect poisoning flaw, abused in routers, and Open DNS (not OpenDNS) resolvers get abused also in malicious exploits too)

    &

    Far more efficient than running a local DNS server yourself (especially on a separate machine @ home burning more power for nothing as hosts + firewalls do all you need w/ what you NATIVELY have as part of the IP stack itself vs. "Bolting on 'MoAr'" stupidly + illogically).

    APK

    P.S.=> Hey - "I did good" & I'll let others here on slashdot speak for me on that note:

    "his hosts program is actually pretty good" - by xenotransplant (4179011) on Monday August 10, 2015 @03:34PM (#50287195)

    "I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)

    "APK is kinda right... I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works." - by bmo (77928) on Thursday October 15, 2015 @11:30AM (#50736071)

    "Actually, APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context. Of course, your phone has to be rooted, which isn't the case with Firefox + adblock." - by chihowa (366380) on Saturday May 16, 2015 @11:40AM (#49705641)

    "his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources" by alexgieg (948359) on Friday September 25, 2015 @09:57AM (#50596461)

    "APK isn't wrong" - by cfalcon (779563) on Sunday October 04, 2015 @05:11PM (#50657891)

    ... apk

  39. Re:I default boot to Windows for TSA, customs cler by slazzy · · Score: 1

    I for one sure don't. I'm just here to troll and annoy people in general.

    --
    Website Just Down For Me? Find out
  40. Re:Laptops run LUDDITE software. by khelms · · Score: 1

    Sounds like a bunch of crapp to me!

  41. Re:I default boot to Windows for TSA, customs cler by Anonymous Coward · · Score: 0

    It's true. Why would an intelligent individual work for TSA?

  42. Travel Laptop Code by Anonymous Coward · · Score: 0

    Here: https://github.com/CrowdStrike/travel-laptop

  43. Security step 1: by Anonymous Coward · · Score: 0

    Don't use a Chromebook.

  44. Re:Additionally: It protects vs. more threats by dave420 · · Score: 1

    And unlike other ad-blocking software, your HOSTS software can't block your pathetic spam posts. You are shooting yourself in the foot with every post.

  45. Re:Additionally: It protects vs. more threats by Anonymous Coward · · Score: 0

    Then how do you see his post to troll him if you're using other adblock software you spoke of? You're not believable.

  46. Additionally: It protects vs. more threats by Anonymous Coward · · Score: 0

    Can adblock+ do 16 things hosts do 4 speed, security & reliability:

    1.) Protect vs. bad sites (past ads)
    2.) Protect vs. fastflux botnets + stop C&C talk
    3.) Protect vs. dynamic dns botnets + stop C&C talk
    4.) Protect vs. DGA botnets + stop C&C talk
    5.) Protect vs. downed DNS (4 reliability)
    6.) Protect vs. DNS redirect poisoning
    7.) Protect vs. trackers
    8.) Protect vs. spam
    9.) Protect vs. phish
    10.) Protect vs. caps
    11.) Get you past dns blocks
    12.) Keep you off dns request logs
    13.) Speed up surfing (adblocks & hardcoded fav. sites)
    14.) Work on anything webbound multiplatform.
    15.) Easy data control
    16.) Do all that & block ads better vs. addons more efficiently in cpu cycles + memory usage

    * ANSWER ="NO" on ab+ doing it as well or @ ALL + hosts = on devices natively.

    APK

    P.S.=> Ab+ does less vs. hosts less efficiently - hosts do MORE w/ less + Hosts start w/ IP stack before REDUNDANT inefficient addons BEGIN operation (as 1st resolver).

    ---

    Ab+'s a 128-151mb memory hog http://cdn.ghacks.net/wp-conte... (hosts use 3-11mb w/ my program initially). Even FireFox 41 adblock eats 65++mb http://www.ghacks.net/2015/06/...

    ---

    ClarityRay defeats it seeing addons used via native browser methods!

    ---

    Ab+'s bribed not to work by default http://www.businessinsider.com... & ABP bought out adblock http://www.theregister.co.uk/2...

    ---

    Ab+ adds complexity in slower usermode (w/ more messagepassing overhead + context switch vs. hosts in kernelmode).

    ---

    AdBlock's SLOWER vs. hosts: http://superuser.com/questions...

    ---

    What's best?

    APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

    &

    It's safe per 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    a 32-bit model too https://www.virustotal.com/en/...

    ... apk

  47. Insane by RalphOstrander · · Score: 1

    Just run a VM and hide it 7 or dir deep. Delete VMware from your system and put it back wherever you go; keep a copy of VMware on a share somewhere, hell, you can keep the image there also.

  48. FDE without knowing the password by Anonymous Coward · · Score: 0

    Use Full Disk Encryption and have someone set the password before travelling. If you're stopped, then destroy the laptop without ever accessing the data (bugs etc). If you're not stopped, then when you are ready to actually use it, get the password from them. No matter what level of coercion they use with you, they won't get the data.

  49. XKCD 538 by Anonymous Coward · · Score: 0

    Invent all the crypto. It won't keep you safe from a sadist

  50. thumb up the butt? by issicus · · Score: 1

    just take anything important and place it in your butt hole.

    1. Re:thumb up the butt? by Anonymous Coward · · Score: 0

      Much easier with microSD flash media these days. Old film canisters are good for "placement".

      That's where I keep the real remote-access OS.
      Never take anything important on the machine and always boot off media you've controlled.

      My cheap chromebook only has 16G of onboard storage for that reason. For travel, it is a 100% fresh ChromeOS install. Connect a small USB3 drive with x2go-client on a Linux OS and only use remote access.

  51. Re:Laptops run LUDDITE software. by Anonymous Coward · · Score: 0

    lololol

  52. Re:I default boot to Windows for TSA, customs cler by Anonymous Coward · · Score: 0

    Maybe they like to touch the genitals of nervous people whilst holding a gun with the other hand?

  53. security by Anonymous Coward · · Score: 0

    I would just say, secure it with a paradox.

    1. Re:security by Anonymous Coward · · Score: 0

      But not at the expense of the moment.