Slashdot Mirror


Hackers, Activists, Journos: How To Build a Secure Burner Laptop (vice.com)

sarahnaomi writes to describe a presentation by security researcher Georg Wicherski at the t2'15 infosec conference; Wicherski outlined in his talk several steps that could be taken to render an ordinary Chromebook immune (or at least very, very resistant) to malware attacks, even when an adversary has physical access to it. These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.

24 of 139 comments

  1. If border cops don't know what to do, by fustakrakich · · Score: 2

    They'll just keep the device. "Burners" are almost as good as the one time pad.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:If border cops don't know what to do, by sexconker · · Score: 5, Insightful

      No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

    2. Re:If border cops don't know what to do, by myowntrueself · · Score: 5, Insightful

      No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

      Except it won't be illegal because it'll be at the border.

      --
      In the free world the media isn't government run; the government is media run.
    3. Re:If border cops don't know what to do, by U2xhc2hkb3QgU3Vja3M · · Score: 2

      To make sure it's not obvious, keep a few gigabytes of regular porn, 3d porn, hentai porn, furry porn, tentacle porn and futanari porn.

      Fight for your bitcoins!

    4. Re:If border cops don't know what to do, by U2xhc2hkb3QgU3Vja3M · · Score: 2

      Okay, so that means no visit to the U.S.A. We've seen what your own government does to its own people, we don't want to set foot there.

      Fight for your bitcoins!

  2. Step 1 by Anonymous Coward · · Score: 4, Funny

    Install APKs host file generator so you don't have people tracking you by your DNS lookups.

  3. Where's the link? by cruff · · Score: 4, Insightful

    I don't see a link to said presentation...

    1. Re:Where's the link? by MagicM · · Score: 2

      You see where it says "vice.com" in the header? You're supposed to click there.

      Yeah, I don't want to either.

  4. Security by Obscurity by Anonymous Coward · · Score: 2, Insightful

    I certainly won't read the RTFA, as an AC, but this seems silly. You are saying that by using obscure hardware and software, attackers won't know how to put their off-the-shelf industrial malware on your equipment? Anyone with such a large-scale operation will either find another way in, or be eclipsed by all the malware that gets there by other means anyway.

  5. they know EXACTLY what to do by Anonymous Coward · · Score: 5, Insightful

    might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.

    Oh, they know exactly what to do.

    "..border guards confiscated his laptop and phones and detained him, telling him he would not be allowed to leave until he gave them his passwords."

    This is a solved problem as far as they are concerned. You sit in a room until you unlock the device for them. Lawyer? You don't get no steenkin' lawyer.

    1. Re:they know EXACTLY what to do by Lumpy · · Score: 3, Interesting

      Not a problem officer..... It's password99.

      and it boots to a clean sanitized setup. "please don't look at my manuscripts in there, I'm not a very good writer and get embarrassed if someone reads my book I am writing."

      and I am on my way.

      Honestly, if you are not smart enough to have your real information safely elsewhere then you deserve to be detained. microSD cards are a freaking dime a dozen and can easily be hidden anywhere. Hell, put one under the stamp on a letter to yourself at your destination.

      --
      Do not look at laser with remaining good eye.
    2. Re:they know EXACTLY what to do by Anonymous Coward · · Score: 5, Informative

      Someone didn't RTFA.

      This isn't about stopping the border police from reading the contents of your laptop, it is about stopping them from installing spyware in the BIOS. The described mechanism involves clipping a pin off the flash chip rendering it read-only. No regular border cop is going to know how to deal with that and no amount of rubber-hose decryption is going to undo it.

      Like all security measures, it isn't about being 100% secure, it is about raising the costs to the attacker.

    3. Re:they know EXACTLY what to do by Firethorn · · Score: 2

      and it boots to a clean sanitized setup. "please don't look at my manuscripts in there, I'm not a very good writer and get embarrassed if someone reads my book I am writing."

      Better yet, a little legal heterosexual porn (think Playboy tasteful), some mp3s, some movies, they're satisfied that you're an 'average' joe and you go on your way. You don't want a perfectly 'sanitized' laptop like having a perfectly clean apartment would have the cops wondering and looking for a second residence.

      --
      I don't read AC A human right
    4. Re:they know EXACTLY what to do by Technician · · Score: 2

      For travel, I have considered simply traveling with a Raspberry Pi with no thumb drive and a fresh install of Raspbian. The TSA is welcome to examine it in its entirety including making a mirror copy of the micro SD. Be upfront with them that the device is entirely devoid of any personal information and contains only the fresh boot image. After reaching your destination, you can SSH into your personal files and buy a local thumb drive. Upon return, replace the micro SD with a fresh copy again.

      If you don't travel with the info, there is no info to be stolen by the governments. Be upfront and honest about it.

      --
      The truth shall set you free!
  6. Re:way to go DHI by AmiMoJo · · Score: 5, Interesting

    It's a shame that TFA seems to suck, because this is a big concern for a lot of people. I encrypt my laptop, but at the border your rights are severely diminished and they can do all sorts of nasty things to you. So far the best option seems to be to carry an innocuous laptop with nothing of interest on it, and mail myself an encrypted flash drive with the real OS and data on it.

    Even with a phone you can do a "nandroid" backup (on Android) of the real OS, wipe it back to factory and then restore when you reach safety.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Re:way to go DHI by myowntrueself · · Score: 5, Insightful

    It's a shame that TFA seems to suck, because this is a big concern for a lot of people. I encrypt my laptop, but at the border your rights are severely diminished and they can do all sorts of nasty things to you. So far the best option seems to be to carry an innocuous laptop with nothing of interest on it, and mail myself an encrypted flash drive with the real OS and data on it.

    Even with a phone you can do a "nandroid" backup (on Android) of the real OS, wipe it back to factory and then restore when you reach safety.

    And that backup goes online, encrypted and you download it once you are across the border.

    Done that with laptops as well.

    --
    In the free world the media isn't government run; the government is media run.
  8. I default boot to Windows for TSA, customs clerks. by raymorris · · Score: 4, Insightful

    Personally, when I vacationed in Jamaica I set the bootloader to default to Windows rather than a serious OS with anything important on it. That should take care of 99% of TSA employees making $12/hour, and front-line customs clerks. The people I dealt with were probably working at Taco Bell the month before, they weren't top-tier forensic scientists.

  9. Re:WTH? by CCarrot · · Score: 2

    A Chromebook is not a laptop!

    Agreed, but from TFA, seems like they were chosen because they're cheap (in every sense of the word), therefore people would feel more comfortable using them as 'burner' laptops (or pseudo-laptops).

    --
    "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
  10. Why do you need a "secure" burner laptop? by pla · · Score: 4, Insightful

    Why do you need a "secure" burner laptop?

    I don't mean that in the "if you have nothing to hide..." sense, but rather, the whole point of a "burner" comes from the fact that it doesn't have anything to hide on it. You pretty much just revert it to OEM condition before each trip, and if some hostile government-authorized terrorist agency like HSI (formerly ICE) decides to steal it from you (or hell, if a random thief decides to steal it from you), you haven't lost anything but the hardware.

    Hey, I completely agree that we shouldn't have to put up with that sort of bullshit or take steps like prepping a burner laptop every time we want to go on vacation; but "securing" it just makes it look even more tempting to the idiots at the gates; similarly for setting up a UI that Officer Shout-and-Taze doesn't immediately recognize as Windows or OS X or Android or iOS.

    If you want to make a stand, I fully support you. But if you just want to get on with your day, spare yourself from your own cleverness, and just restore to factory default and give it a highly secure password like "password".

    1. Re:Why do you need a "secure" burner laptop? by aaaaaaargh! · · Score: 4, Informative

      I think the idea of this admittedly cryptic article is to have a laptop that is temporarily secure against certain spyware modifications so it can later still be used to download the encrypted data on the other side of the border. The alternative is to buy a new computer every time you travel.

  11. Re:Journos? by xxxJonBoyxxx · · Score: 2

    >> What is a Journos?

    It looks like a Mentos, but it always tilts slightly to the left and has a yellow tint.

  12. The tubgirl defense by TiggertheMad · · Score: 2

    Interesting resistance tactic - load your laptop with all sorts of disturbing and upsetting videos to cause mental anguish to any government viewers, while concealing and heavily encrypting any real data. Remember, someone has to look at all this data to make sense of it....

    The government can seize and spy on my data, but they better be prepared to go to counseling afterwards..

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  13. Re:Nicely done, connecting to NSA by Noryungi · · Score: 2

    You are so naive it's almost painful.

    Of course, the NSA is going to go after you if you are an American journalist. The thing is, they are not allowed to. What a quandary!

    What can you do in that case, if you work at the NSA? You just send a memorandum to your good friends at GCHQ, and they will gladly do the spying for you!

    And, of course, if GCHQ needs some juicy info on a UK citizen, NSA is happy to oblige. Scratch my back, I'll scratch yours, etc.

    Repeat with all members of the "five eyes" (NSA, GCHQ, CSE, ASD, and GCSB) and you cover up pretty much the entire world. But, again, NSA is not "officially" spying on US citizens, no sirree.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  14. 7200 RPM SSD, by goombah99 · · Score: 2

    Stand back man that SSD is whipping around.

    --
    Some drink at the fountain of knowledge. Others just gargle.