Slashdot Mirror
Ask Slashdot: Securing a Journalist's Laptop Against a Police Search?
Bruce66423 writes: In the light of the British police's seizure of a BBC laptop what is the right configuration and practices to ensure that such a seizure provides zero information to the cops? This post from Thursday might be a good place for some ideas, but that one's expressly about securing a Chromebook; what would you advise for securing a more conventional laptop? (Or desktop, for that matter.)
Don't store your information on the laptop in the first place. Just use it as an editing and remote-access tool over a secure connection or to a USB stick you don't expose to search procedures.
That's about the best you can do, short of memorizing everything.
Encrypt the laptop, and you could lose it. Just let them search it top to bottom, then when they're done and you're wherever you're going, wipe the hard drive, reinstall your OS, and carry on.
It's really not a great idea to carry information you need to be secure around with you.
I've fallen off your lawn, and I can't get up.
Whatever kind of encryption you use should have the ability to use alternative passwords - an unlimited number of them. So enter password (A) reveals your tax records, password (B) gets pictures of naked 30 year old men. But enter password (C) and you get clear pictures of Mr. Cameron violating a dead pig. When they demand your password, give them password A. If they get all torture-ish you give them password B.
excitingthingstodo.blogspot.com
Best bet is simply not to have anything for them to find. Store your data on a thumb drive (that you'll carry or ship separately) or upload it to your own server or a service like Google Drive or Dropbox, encrypting it or not first, all depending on how sensitive the information is. Delete it or secure-wipe it or wipe the whole drive and do a complete factory restore on your laptop depending on how invasive you think the search might be. Then let the cops search all they want, they won't find what isn't there.
NB: Linux makes a better platform for this than Windows. On Windows bits of your files can end up in the oddest places to be found during a scan of the drive. On Linux it's easy to set up a separate partition where all your data will go and be certain it didn't leave traces anywhere else, and that partition can be secure-wiped and reformatted without messing up the OS installation in the process. Plus the cops are less likely to be familiar with Linux, and you can play the dumb-non-techie card of "I dunno, it's whatever the guys in IT put on it. I just follow the instructions to run my programs and everything works.".
In the British Police-State, that is not possible, unless the journalist is willing to go to prison for failing to disclose an encryption password. Forget about "plausible deniability", that is for kids and morons. It does not work in practice.
The time to protect essential freedoms in Britain is past, and the battle (pathetic though as it has been) is lost. Anybody now trying to protect itself will just be classified as a "terror supporter" and that is it. Expect concentration camps to be opened soon.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
On your Laptop there is a normal Windows installation which is not used for work. Only for stuff like browsing the web in the evening at the hotel. mails to the kids, etc.
On a USB stick on the keychain there is a copy of Tails https://tails.boum.org/index.e...
You rent some VPS or root server in a country of your choice, under a different name, preferably paid via cash. This is the place where all the data for work is stored. encrypted.
This server you only access via Tails which uses Tor by default.
If you can't do this, you put an encrypted VM onto your Laptop which happens to have the data for work and you write your stuff or access the web for work related research only in this VM. Again using a distro like Tails.
1. Use Linux for the simple reason you can separate partitions. Create a separate /home partition that mounts on an encrypted removable drive, like an Ironkey.
2. Do all work on the removable drive.
3. Never cross a border with both the laptop and the removable drive. Ship out courier the drive separately and carry the laptop.
This way there is nothing on the laptop to be searched or seized.
Learning HOW to think is more important than learning WHAT to think.
The key is to have no way to decrypt the laptop, then they can't force you to. Make sure someone else has the key, preferably in another jurisdiction (i.e. country).
That could land you in prison in the U.K. Legislation in that country required you to decrypt data for authorities on demand. Losing or destroying the keys is no excuse.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
1) Make one of these: https://hackaday.com/2015/10/1...
2) Hand everything over. Warn the bad guys that if they try to use your USB stick, it'll fry their computer.
3) When they fry their computer, ask if they have learned their lesson about taking you on your word.
4) Be cooperative. You already won the battle of wits, be a gracious winner.
5) Your data was on your obscure self-hosted webserver elsewhere in the first place.
Liberty - Security - Laziness - Pick any two.
Back when I was at Kazaa many years ago, I kept all my files in a BestCrypt-encrypted drive, and all sensitive emails were PGP-encrypted. I was feeling pleased - if anyone got hold of my computer, there was nothing to see. But then one day our office was raided in a search discovery order, and all that time spent encrypting things came to naught, if I refused to hand over anything it would have been contempt of court. And so I printed out thousands of emails in one long continuous unformatted strip... that was about as far as I could go. I did consider that I could have gone one step further and used BestCrypt's feature that lets you create an encrypted drive that's actually two partitions - give out one key and all you see is nice set of clean files, plus a whole lot of random bytes. It's something to consider, but you're living dangerously if it's a court order. BTW, there's discussion here about keeping data in the cloud - another tempting option. Broadly the law can compel you to hand over any data "In your control or possession", where possession is defined as including the means to retrieve remote data. So there would need to be zero knowledge of having that remote data at all. Just sayin'
I personally use Windows EFS on my entire c:\user\myname folder, and that whole folder is backed up to a zero knowledge storage provider. I do this for my desktop and laptop.
Unless you save documents outside of that folder (which by default, 99% of all applications store it somewhere in that folder) then it's not likely to be retrievable.
AFAIK, Windows EFS uses AES-256 as a block cipher, with RSA-2048 or ECC-256 for key escrow (you can do up to RSA-16,384, or ECC-512.) AFAIK not even the NSA is able to crack either of those. The weakest link would be your password, with shorter passwords being easy to break (complexity, i.e. mix of case, special characters, numbers, isn't anywhere near as important as length) so use one that's 15 characters or longer.
The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.
Anything else is a band-aid and temporary at best.
Strat.
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.
Anything else is a band-aid and temporary at best.
Strat.
That is the final step in the process.
Step one is getting people to realize there's a problem.
And that's why journalists need to have their information protected, and that's why the goons want to get their hands on it.