Re: [liberationtech] Travel with notebook habit

2013-01-01 Thread Andreas Bader
On 12/28/2012 12:46 PM, Maxim Kammerer wrote:
> On Fri, Dec 28, 2012 at 10:49 AM, Julian Oliver jul...@julianoliver.com wrote:
>> I've been extensively questioned at the border on a few occasions over the
>> years /because/ my laptops don't have a Desktop as such, no icons either. Both
>> my arms were grabbed at the Australian border as I reached to type 'firefox' in
>> a terminal, to start the browser in an attempt to show them a normal looking
>> environment.
> I think that in such a discussion, it is necessary to distinguish
> between border guards wanting to look at your data, and border guards
> wanting to make sure that your laptop is not a bomb (given the limited
> training they receive on the subject). The situation that you describe
> looks more like the latter than the former (although clearly there
> might be omitted details).

For the case of border guards that want to have a look at your data,
there's an article from Schneier:
http://www.schneier.com/blog/archives/2008/05/crossing_border.html
You can also use a normal (fake | Windows) OS on your standard HDD and a
hidden OS on an mSATA SSD; you can use a 16 GB disk with a small and
encrypted Ubuntu distribution. If you set the boot standard to your
standard HDD then you have a good chance to get through the control.
Another possibility is to combine this with a hidden TrueCrypt
container; no one can force you to write down a password to a container
that is probably not even existing. You can't prove that.
If this is too complicated for you, you can still install an OS on a small
USB stick. Or an SDHC card. It's not that expensive and if you have a
USB stick fixed at your keyring I think no one will notice.
The most secure thing would be a Live CD and a hidden container on a
USB / SDHC device. So they can't infiltrate a system that is not even
installed (BackTrack and stuff have TrueCrypt onboard) and they can't
force you to open that hidden container (because you only know if there
is a container when you hit the right password).
When nobody performs a hardware hack on your SATA or something then
nothing can happen. If they keep your notebook for some minutes | hours
| days then you should examine it before use.
It's also helpful to check the md5 checksum of the boot partition; you
can have a virus / keylogger in there.
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech
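
The boot-partition check suggested in the message above, as an added example that is not part of the original post: it records a per-file manifest before travel and reports what was added, modified or removed afterwards. It uses SHA-256 instead of the md5 mentioned in the thread; the function names are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes GNU coreutils/findutils (sha256sum, sort -z, xargs -0 -r).

# boot_baseline DIR MANIFEST: write one "hash  ./path" line per file in DIR.
boot_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# boot_verify DIR MANIFEST: print ADDED/MODIFIED/REMOVED lines for every
# difference from the baseline; return 0 if none, 1 if any, 2 on error.
boot_verify() {
    current=$(mktemp) || return 2
    boot_baseline "$1" "$current" || { rm -f "$current"; return 2; }
    # A manifest line is a 64-char hex hash, two separator chars, then the path.
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1
          if (!(path in old))         print "ADDED    " path
          else if (old[path] != hash) print "MODIFIED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed directory standing in for a mounted /boot.
demo=$(mktemp -d)
mkdir -p "$demo/boot/grub"
echo kernel > "$demo/boot/vmlinuz"
echo config > "$demo/boot/grub/grub.cfg"
boot_baseline "$demo/boot" "$demo/boot.sha256"   # taken before travel
echo implant >> "$demo/boot/vmlinuz"             # simulated tampering
boot_verify "$demo/boot" "$demo/boot.sha256" || echo "boot files differ from baseline"
rm -rf "$demo"
```

Run the verification from a trusted live system with the baseline stored off the laptop, since a hash computed by a tampered system proves nothing. A file checksum also cannot detect a hardware keylogger.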


Re: [liberationtech] Travel with notebook habit

2012-12-28 Thread Maxim Kammerer
On Fri, Dec 28, 2012 at 10:49 AM, Julian Oliver jul...@julianoliver.com wrote:
> I've been extensively questioned at the border on a few occasions over the
> years /because/ my laptops don't have a Desktop as such, no icons either. Both
> my arms were grabbed at the Australian border as I reached to type 'firefox' in
> a terminal, to start the browser in an attempt to show them a normal looking
> environment.

I think that in such a discussion, it is necessary to distinguish
between border guards wanting to look at your data, and border guards
wanting to make sure that your laptop is not a bomb (given the limited
training they receive on the subject). The situation that you describe
looks more like the latter than the former (although clearly there
might be omitted details).

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte


Re: [liberationtech] Travel with notebook habit

2012-12-27 Thread Julian Oliver
..on Thu, Dec 27, 2012 at 09:51:02PM +0100, Jerzy Łogiewa wrote:
> I am just reading this,
> http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html
>
> Can we start some discussion about good notebook travel habit? I have read
> Jacob Appelbaum say he does not travel with _ANY_ drive in notebook, and this
> seem to be extreme.
>
> Without removing drive, what is the best habit for FDE for prevent attacks as
> Schneier describe? Full power-down? No hibernate file? Any other things?

Well, it's not the disk but what's on it. 

I don't trust closed platforms like OS X or Windows systems. Take what I write
with a grain of salt but here's my general approach on a GNU/Linux system:

First tar up all the documents/files you need at the destination, note the
md5sum and then securely copy them to a server you trust. Then start an sshd
instance on port 443 (https) on the file server, so as to get around standard
filtering on port 22 on the other end. Even some hotels filter against ssh but
none do 443.

Then set up two bootable stock Linux distributions with *full disk encryption*
on fast USB sticks and set up user accounts. Ensure tsocks, macchanger and Tor
Browser Bundle, ssh, nmap and a few other basics are on the machine. Install Do
Not Track plugin (or similar) alongside a User Agent Switcher. Take the actual
hard disk out of the machine. Put one stick in your pocket and another in your
check-in luggage. Take a few external USB wireless internet adapters with you.

Take the plane/train/car over the border.

On arrival and when you know you have an Internet gateway, plug one of the
sticks in and boot up and get online using the external USB wireless adapter. If
you have a link using Ethernet cable (RJ45) with an onboard Ethernet adapter
then use it but only if you change your MAC address. Use macchanger to do this
like so:

sudo ifconfig eth0 down # now plug in Ethernet cable
sudo macchanger -A eth0 # A random hardware address will be assigned
sudo ifconfig eth0 up
sudo dhclient eth0

Now securely copy all the files back onto the local machine as a torified
instance (only with tsocks to avoid UDP and DNS leaks) something like so:

cd
torify scp -P 443 y...@remotehost.net:/path/to/files.tar.gz .
md5sum files.tar.gz # check it's the real deal against noted md5sum earlier
tar xvzf files.tar.gz

Avoid using any web services that track you across sites (at the least use Do
Not Track plugins and the like). Change your User Agent in the Torified browser
you use to something ubiquitous like the Android browser (most popular
smartphone by 3x in most countries). Always use SSL when connecting to mail
services and the like.

Before you fly again destroy that USB stick physically (smash with hammer and
then burn). Destroy the USB network adapter you purchased also. Buy another USB
stick, copy from the other stick you have (use 'dd' or 'cpio') and fly.

I'm sure there's a far more user friendly approach that's sane enough out in the
field. One can't expect journalists to learn the CLI (albeit I think anyone that
needs to trust their machine, isolate and mitigate network threats (among
others) ought to!).

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org

Re: [liberationtech] Travel with notebook habit

2012-12-27 Thread Matt Mackall
On Thu, 2012-12-27 at 23:56 +0100, Radek Pilar wrote:
> Full HDD encryption (including swap space and hibernate file) and
> powered down or hibernated (s2disk) machine is the only way to go.

Expect that if you're a target of state oppression that your laptop WILL
be taken away from you for hours at border crossings. This was a routine
occurrence for me between 2001 and 2006 or so. Fortunately for me, I
didn't warrant the big guns: the customs officers involved usually
reported their techs being completely thwarted/baffled by my Linux
screensaver.

However, it would be fairly straightforward to take apart a laptop,
install a hardware keylogger inside, and reassemble it in that sort of
timeframe, then recover your key and decrypt your laptop on your return
trip. So unless you have some sort of tamper-proof seals on your laptop,
you can't trust it once it leaves your physical possession.

Also note that encryption is NOT sufficient. Canadian customs officials
have demanded that I log in to my laptop so they could peruse my photo
collection (?!) as a condition of entering the country and/or being
released from customs. It's easy to imagine much more severe coercion if
the authorities are actually interested in your data. Not having a hard
disk is excellent defense against such coercive privacy invasions but
encryption is not. Since then, I've personally started keeping a dummy,
empty account on my laptop for basic deniability: nothing to see here
but my travel itinerary, can I go now?

But if the operational security or privacy of your laptop actually
matters and you must take a laptop, I have to agree with Jacob: don't
travel with your data. Same applies for cameras and phones.

-- 
Mathematics is the supreme nostalgia of our time.

