Slashdot Mirror
Hackers, Activists, Journos: How To Build a Secure Burner Laptop (vice.com)
sarahnaomi writes to describe a presentation by security researcher Georg Wicherski at the t2'15 infosec conference; Wicherski outlined in his talk several steps that could be taken to render an ordinary Chromebook immune (or at least very, very resistant) to malware attacks, even when an adversary has physical access to it. These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.
They'll just keep the device. "Burners" are almost as good as the one time pad.
“He’s not deformed, he’s just drunk!”
Install APKs host file generator so you don't have people tracking you by your DNS lookups.
I don't see a link to said presentation...
I certainly won't read the RTFA, as an AC, but this seems silly. You are saying that by using obscure hardware and software, attackers won't know how to put their off-the-shelf industrial malware on your equipment? Anyone with such a large-scale operation will either find another way in, or be eclipsed by all the malware that gets there by other means anyway.
You're just making yourself a target for these border cops if you have a "suspicious" laptop. Get ready to be held against your will and interrogated.
I'd think there's better, more subtle ways to protect yourself.
The links provided say nothing about what is discussed in the summery. I realize this being slashdot no one reads the article but come on. One is the definition of the term "turnkey" off of wikipedia, another is just the core boot home page, and the third is a two year old posting on Bruce Schneier web site about yet another NSA exploit. None of the links connect to the summery at all.
could we at least post the link in the summery somewhere?
might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.
Oh, they know exactly what to do.
"..border guards confiscated his laptop and phones and detained him, telling him he would not be allowed to leave until he gave them his passwords."
This is a solved problem as far as they are concerned. You sit in a room until you unlock the device for them. Lawyer? You don't get no steenkin' lawyer.
Guess what people the NSA isn't going after with something as close-held as the linked exploit?
"Hackers, Activists, and Journos"
I know that doesn't really seem to matter to people, and that it's easier to cherry-pick contextless, misunderstood, fringe examples that are believed to prove some "point", or isolated examples of outright abuse and extrapolating, without any proof whatever, that to mean it is obviously systemic and widespread, instead of realizing that NSA's chief mission, as a foreign intelligence agency, is foreign signals intelligence collection, and that US adversaries use the same phones, laptops, networks, systems, devices, services, and providers as you.
And, stunningly, we still develop ways to actually target and collect against them.
Mind-bending, I know.
It's a shame that TFA seems to suck, because this is a big concern for a lot of people. I encrypt my laptop, but at the border your rights are severely diminished and they can do all sorts of nasty things to you. So far the best option seems to be to carry an innocuous laptop with nothing of interest on it, and mail myself an encrypted flash drive with the real OS and data on it.
Even with a phone you can do a "nandroid" backup (on Android) of the real OS, wipe it back to factory and then restore when you reach safety.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Old laptop, boot from a Linux CD. all done. short of hardware inside it to spy on you it's 100% hacker proof. You can find cheap burners from almost anywhere, just boot from your Linux live CD and away you go.
Really has the state of "hacking" degraded so far that this kind of shit is considered talk worthy?
Put a vanilla install of Windows on an empty partition and set grub to boot it by default before you hand your laptop to border guards. They can have their fun with it before handing it back, then you wipe the partition when you get where you're going. You don't ever even have to boot it up to let their malware do its thing.
It's a shame that TFA seems to suck, because this is a big concern for a lot of people. I encrypt my laptop, but at the border your rights are severely diminished and they can do all sorts of nasty things to you. So far the best option seems to be to carry an innocuous laptop with nothing of interest on it, and mail myself an encrypted flash drive with the real OS and data on it.
Even with a phone you can do a "nandroid" backup (on Android) of the real OS, wipe it back to factory and then restore when you reach safety.
And that backup goes online, encrypted and you download it once you are across the border.
Done that with laptops as well.
In the free world the media isn't government run; the government is media run.
Personally, when I vacationed in Jamaica I set the bootloader to default to Windows rather than a serious OS with anything important on it. That should take care of 99% of TSA employees making $12/hour, and front-line customs clerks. The people I dealt with were probably working at Taco Bell the month before, they weren't top-tier forensic scientists.
Where's TFA?
blindly antisocialist = antisocial
Someone couldn't get a TSA job and is stuck at Taco Bell.
A Chromebook is not a laptop!
Agreed, but from TFA, seems like they were chosen because they're cheap (in every sense of the word), therefore people would feel more comfortable using them as 'burner' laptops (or pseudo-laptops).
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
I really wish i had as much free time as you do
Why do you need a "secure" burner laptop?
I don't mean that in the "if you have nothing to hide..." sense, but rather, the whole point of a "burner" comes from the fact that it doesn't have anything to hide on it. You pretty much just revert it to OEM condition before each trip, and if some hostile government-authorized terrorist agency like HSI (formerly ICE) decides to steal it from you (or hell, if a random thief decides to steal it from you), you haven't lost anything but the hardware.
Hey, I completely agree that we shouldn't have to put up with that sort of bullshit or take steps like prepping a burner laptop every time we want to go on vacation; but "securing" it just makes it look even more tempting to the idiots at the gates; similarly for setting up a UI that Officer Shout-and-Taze doesn't immediately recognize as Windows or OS X or Android or iOS.
If you want to make a stand, I fully support you. But if you just want to get on with your day, spare yourself from your own cleverness, and just restore to factory default and give it a highly secure password like "password".
Remember, don't take the chance that companies' legitimate software will infect you.
What is a Journos? (sarcasm: it means the editor is a lazy typist)
-SaNo
WTF? this is just a link to a logo for COreboot. no explanation of what it is or what makes it different other than just saying "its secure".
Some drink at the fountain of knowledge. Others just gargle.
Coincidentally slashdot deals has a banner ad for the christopher walken (Pulp fiction) solution to taking your computer across the boarder privately.
https://deals.slashdot.org/sal...
Which is just the right size to hide any place you could fit a wristwatch.
Some drink at the fountain of knowledge. Others just gargle.
And yet you have enough free time that you seem to know about his multiple posts about "apps" and enough free time to post a reply to his nonsense.
Fight for your bitcoins! (sorry, no app)
Nendoroid backup?
When I need a pseudo-laptop, I prefer to use a P-P-P-Powerbook!
Fight for your bitcoins!
He was only off by a little bit. TSA agents weren't working at Taco Bell the month before because they were working on their AA degree full time. The point is they aren't even EE/CECS/CIS/IT generalists with exposure to computer security fundamentals. To them, any laptop that isn't in some kind of configuration achieved by a default installation of off-the-shelf software might as well be alien technology.
Err... isn't it standard procedure to extract and physically clone the HDD prior to examination, then attempt to crack encryption via rainbow tables?
If you've used a sufficiently long passphrase and sufficiently well written encryption software, they just throw you in jail (assuming we're talking about law enforcement) until you give up the keys.
It's much easier to just use a standard image and use remote access tools to work on a virtual computer that's not within the jurisdiciton/reach of the people you're worried about.
Interesting resistance tactic - load your laptop with all sorts of disturbing and upsetting videos to cause mental anguish to any government viewers, while concealing and heavily encrypting anything real data. Remember, someone has to look at all this data to make sense of it....
The government can seize and spy on my data, but they better be prepared to go to counseling afterwards..
HA! I just wasted some of your bandwidth with a frivolous sig!
My biggest concern has always been and still is about someone identifying who created/edited a file on my drive. I routinely have to send documents anonymously which I have created and I am always worried about one document having my login name on of my machines attached to the meta data.
It's one thing if you have a few megabytes of documents, however what if you have sensitive video or something in the Gigs? A 64GB card isn't too expensive, where ~30GB worth of bandwidth might not be readily available out of wherever you're transiting from.
Not to mention that if you're working with a paranoid government(and sadly the USA qualifies today), they might note the data traffic and follow up on that.
I don't read AC A human right
Ok, I'm assuming you mean the US border. Has there been any serious documented abuse or "nasty" things happening to people with a laptop trying to come back into America?
This is all news to me...
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
The UK is pretty bad. In any case, most borders are the same. You are going to miss your plane to get sent home, what are you going to do?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Stand back man that SSD is whipping around.
Some drink at the fountain of knowledge. Others just gargle.
Why not, if you're going somewhere that you're afraid border agents will pull this sort of bullshit, just have your laptop shipped separately via something like FedEx? Then there's nothing for them to search. Don't keep anything important on your phone, or don't take your phone with you, or take a disposable phone that has exactly nothing on it anyway.
So far as these stories that I hear about being detained and told you're not leaving until you provide passwords? If I'm in a foreign country then I start demanding to see or be taken to the U.S. Embassy, immediately, long and loud until they either give up or kill me. Under no circumstances do I provide passwords of any kind for anything to anyone, ever.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
What a completely stupid idea riddled with supposition.
There's an old rule to traveling abroad. Don't take anything with you that you do not have to take, and conversely don't bring back anything you don't have to. This idea would also encompass the data on your personal devices. I also use throw away passwords and passcodes that are secure, but not any I would ever use for anything else. I VPN to connect to the Internet whenever I need to and keep my online activity to a necessity based minimum.
As was suggested above, backup the devices before you leave, wipe them to factory defaults, load whatever data you can't do without for the trip and don't be a smartass at any border crossings. You'll have no problems. I've been doing this for more than a decade now and have had zero incidents.
I for one sure don't. I'm just here to troll and annoy people in general.
Website Just Down For Me? Find out
Sounds like a bunch of crapp to me!
And unlike other ad-blocking software, your HOSTS software can't block your pathetic spam posts. You are shooting yourself in the foot with every post.
Just run a VM and hide it 7 or dir deep. Delete VM ware from your system and put it back where ever you go keep a copy of VMware on a share somewhere, hell you can keep the image there also.
just take anything important and place it in your butt hole.