Travel Tips: computer security
2008-03-18 08:30 am
There's a really great post on tips for airplane travel over on sweetmusic_2 that I've been meaning to point to for a long time.
Go read it, especially if you haven't traveled by air much.
This post isn't very closely related at all; it just seemed like a convenient excuse for a link. This post is more directly related to this post on Techdirt.com and related matters, which point out that customs agents on both sides of the US/Canadian border are searching and in some cases seizing laptops and cell phones.
OK, we all know that keeping sensitive data on your laptop is a bad idea. And we all know that you can encrypt your home directory -- at least on Linux and Mac. And you can use something like TrueCrypt to make a complete virtual encrypted disk. Both will protect your privacy pretty well, but if your laptop gets stolen or seized, you still lose the use of your data. Similarly, you can set a master password in Firefox, but it's probably not going to protect your login cookies, it might be breakable, and customs might be able to force you to reveal it in any case.
So here's a better idea: don't have secrets anywhere on your computer when you cross the border. This is the software equivalent of taking all the metal out of your pockets and using a piece of rope for a belt as you go through the security checkpoint.
This relies on having all of your private data accessible via the web. It has to be either encrypted, or on your home server and accessible through an encrypted tunnel like ssh. Because your connections may be slow, it also helps to minimize what you really need: basically your keychain file(s) and your ssh and gpg private keys.
The private keys will all be protected by long passphrases anyway, if you're doing it right. You can encrypt your browser password file with a master password as well. Your IM client probably keeps your account passwords around; find that file too. If you keep a separate file of website passwords, as I do, you should encrypt that. Now put them all in a directory, zip it up, and encrypt the zip file. Note: do not use your gpg private key for this: it's not going to be on your machine when you need to decrypt the secrets! Use AES and a long passphrase.
Mail the resulting zip file, as an attachment, to yourself on any convenient webmail account. Or put it on a website that you control. If you want to be really safe, use steganography to put it inside an image.
Now delete all your secrets, using a secure deletion program that overwrites all the files with random bits before actually deleting them. Clear your browser cache, history, and cookies, again with a secure deletion program. Go.
When you get to your destination, retrieve the secrets file, decrypt and unzip it, and put everything back in the directories where they belong.
I'll be doing some international traveling in a couple of weeks; by that time I'll have some scripts I can post for you.
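The pack, verify, delete and restore steps described above, sketched as an added example; these are not the author's promised scripts. It assumes tar, diff, shred and OpenSSL 1.1.1 or later are installed, and the function names and the BUNDLE_PASS variable are made up for illustration.

```shell
#!/bin/sh
# Added example, not the author's scripts. Needs tar, diff, shred, openssl >= 1.1.1.
# The passphrase is taken from the exported variable BUNDLE_PASS (assumed name),
# so it never appears on a command line.

# AES-256 with a PBKDF2-stretched passphrase; extra arguments are passed through.
enc() { openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -pass env:BUNDLE_PASS "$@"; }

# pack_secrets DIR OUT: tar the contents of DIR and encrypt the stream to OUT.
pack_secrets() {
    tar -C "$1" -cf - . | enc -out "$2"
}

# unpack_secrets IN DIR: decrypt IN and extract it into DIR.
unpack_secrets() {
    mkdir -p "$2" && enc -d -in "$1" | tar -C "$2" -xf -
}

# verify_bundle DIR IN: succeed only if IN decrypts to an exact copy of DIR.
# CBC mode carries no integrity tag, so the contents are compared directly.
verify_bundle() {
    check=$(mktemp -d) || return 1
    unpack_secrets "$2" "$check" && diff -r "$1" "$check" >/dev/null
    rc=$?
    find "$check" -type f -exec shred -fu {} +
    rm -rf "$check"
    return "$rc"
}

# wipe_secrets DIR IN: overwrite and delete DIR, but only once IN has verified.
# Overwriting in place is not dependable on SSDs or copy-on-write filesystems.
wipe_secrets() {
    if ! verify_bundle "$1" "$2"; then
        echo "bundle did not verify; nothing deleted" >&2
        return 1
    fi
    find "$1" -type f -exec shred -fu {} + && rm -rf "$1"
}

# Before leaving:     pack_secrets "$HOME/travel-secrets" bundle.enc
#                     wipe_secrets "$HOME/travel-secrets" bundle.enc
# At the destination: unpack_secrets bundle.enc "$HOME/travel-secrets"
```

Running the verification before the wipe catches a mistyped passphrase or a stale bundle while the originals still exist. `gpg --symmetric --cipher-algo AES256` is a passphrase-only alternative that likewise does not need the private key.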
no subject
Date: 2008-03-18 03:44 pm (UTC)
Yes, I hold all but one of these jerks in contempt. (Which one do I not? The one that gave poor Seanan a pass the other day wearing the chainsaw t-shirt.)
no subject
Date: 2008-03-18 05:06 pm (UTC)
I'd still want the data encrypted, and I'd leave a safe hard drive in the laptop to divert suspicion. So at that point you don't have to boot off the USB drive (which some older machines won't do in any case), just mount it as an encrypted filesystem.
no subject
Date: 2008-03-18 06:13 pm (UTC)
Or you could put a naked Puppy on the HDD and have your encrypted personal data on the stick...
There are many ways to do it. If we don't all do it the same way it will confuse the bastards.
no subject
Date: 2008-03-18 07:33 pm (UTC)
I'm happy with putting a fully-loaded desktop distro on the HDD, with a big pile of data pulled off of public websites. Totally legit, totally legal, totally OK if it all goes blooey. I can even get useful work done with it.
no subject
Date: 2008-03-19 12:13 am (UTC)
Also, it's a balance between how valuable the privacy of the information is and the likelihood of it being seen/stolen. It's not just security you have to worry about. A year ago our VP *left* his laptop case at the TSA on the belt and didn't realize until he landed in another city. He thought it was stolen. Fortunately it got back to him but it was a good lesson for him.
In any case, I think the easiest thing is to encrypt the data you most value and put it on your keychain on a USB stick. Next best is to burn it to a disk and use a sharpie to label the disk "dad's guitar songs". Nobody is going to load that disk. ;)
no subject
Date: 2008-03-19 01:30 am (UTC)
The keychain solution works well, but I'd still want to have a backup on the web in case it gets lost/stolen/seized.
no subject
Date: 2008-03-19 05:58 am (UTC)
http://citp.princeton.edu/memory/ - it was all over the web a few weeks back,
but I just wanted to note (proudly) Nadia's involvement.
http://barbwired.com/nadiaweb/nawl/
-- Andy
no subject
Date: 2008-03-19 01:39 pm (UTC)