Hackers, Activists, Journos: How To Build a Secure Burner Laptop (vice.com)
sarahnaomi writes to describe a presentation by security researcher Georg Wicherski at the t2'15 infosec conference; Wicherski outlined in his talk several steps that could be taken to render an ordinary Chromebook immune (or at least very, very resistant) to malware attacks, even when an adversary has physical access to it. These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.
If border cops don't know what to do, (Score:2)
They'll just keep the device. "Burners" are almost as good as the one time pad.
Re:If border cops don't know what to do, (Score:5, Insightful)
No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.
Re: (Score:1)
No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.
I hate to paint this kind of shit as a good thing, but the more abuses that are brought to light, the more chance of real enforcement reform.
Body cameras are merely a starting point.
Re: (Score:2)
you go first.
Re:If border cops don't know what to do, (Score:5, Insightful)
No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.
Except it won't be illegal because it'll be at the border.
Re: (Score:2)
Which covers 2/3 of the American people:
https://www.aclu.org/know-your... [aclu.org]
Re: (Score:1)
then illegally hold you without charging you anything
Hey, at least it's free!
Re: (Score:1)
Well, the idea behind the burner anyway is to avoid keeping anything important on it, so open it up for them. And for the border you should have burner email, Facebook, etc. accounts also that have nothing but cats and laughing babies, maybe some soft lingerie porn to avoid making it too obvious.
Re: (Score:3)
To make sure it's not obvious, keep a few gigabytes of regular porn, 3d porn, hentai porn, furry porn, tentacle porn and futanari porn.
Fight for your bitcoins! [coinbrawl.com]
The tubgirl defense (Score:3)
The government can seize and spy on my data, but they better be prepared to go to counseling afterwards.
Re: (Score:2)
Steganography and Tubgirl... You might be on to something.
Re: (Score:1)
...avoid making it too obvious.
This - Because human rights at American borders appear to be nonexistent: any noncompliance strategy is not enough - so yes add porn, add MS Windows, make your device look "normal" and compliant with their meddling.
If you do encryption and any other hardening then you must also make sure it's extremely difficult to tell that either your device is hiding something or make sure that their malware / backdoor etc appears to be successful... otherwise they can use the various non-technical ways to force you
Re: (Score:1)
Then they just look through the computer's history. Oh, work at xyz company as an admin? Better cough up your username and enterprise admin creds or you will be lighter a few fingers (if it is a Third World country), or a record gun or drug haul might be found with the laptop (if a more developed country). Other countries like the UK will just have the magistrate demand access to the AD network, if no, tack three years on the sentence, ask again. After 20-30 times, that is effectively a life sentence unde
Re: (Score:2)
No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.
So that's the title of the sequel: 50 Shades of Grey on the Border
incomprehensiblearticle (Score:2)
WTF? This is just a link to a logo for Coreboot. No explanation of what it is or what makes it different other than just saying "it's secure".
Re: (Score:2)
You can't hack their logo, so I guess it's secure.
Re: (Score:2)
Came here wondering the same thing... where the fuck is the story/documentation/info?
Where's the "Homeland" style setup (Doctorow, not Fox)?
The Christopher Walken Solution (Score:2)
Coincidentally, Slashdot Deals has a banner ad for the Christopher Walken (Pulp Fiction) solution to taking your computer across the border privately.
https://deals.slashdot.org/sal... [slashdot.org]
Which is just the right size to hide any place you could fit a wristwatch.
Re: (Score:3)
Okay, so that means no visit to the U.S.A. We've seen what your own government does to its own people, we don't want to set foot there.
Re: (Score:2)
Assuming AC is from the US is a little bit much. I think the AC was calling the US a third world country instead.
Step 1 (Score:4, Funny)
Install APKs host file generator so you don't have people tracking you by your DNS lookups.
Re:way to go DHI (Score:5, Interesting)
It's a shame that TFA seems to suck, because this is a big concern for a lot of people. I encrypt my laptop, but at the border your rights are severely diminished and they can do all sorts of nasty things to you. So far the best option seems to be to carry an innocuous laptop with nothing of interest on it, and mail myself an encrypted flash drive with the real OS and data on it.
Even with a phone you can do a "nandroid" backup (on Android) of the real OS, wipe it back to factory and then restore when you reach safety.
Re:way to go DHI (Score:5, Insightful)
It's a shame that TFA seems to suck, because this is a big concern for a lot of people. I encrypt my laptop, but at the border your rights are severely diminished and they can do all sorts of nasty things to you. So far the best option seems to be to carry an innocuous laptop with nothing of interest on it, and mail myself an encrypted flash drive with the real OS and data on it.
Even with a phone you can do a "nandroid" backup (on Android) of the real OS, wipe it back to factory and then restore when you reach safety.
And that backup goes online, encrypted and you download it once you are across the border.
Done that with laptops as well.
I default boot to Windows for TSA, customs clerks. (Score:5, Insightful)
Personally, when I vacationed in Jamaica I set the bootloader to default to Windows rather than a serious OS with anything important on it. That should take care of 99% of TSA employees making $12/hour, and front-line customs clerks. The people I dealt with were probably working at Taco Bell the month before, they weren't top-tier forensic scientists.
Re: (Score:1)
Someone couldn't get a TSA job and is stuck at Taco Bell.
Re: (Score:1)
He was only off by a little bit. TSA agents weren't working at Taco Bell the month before because they were working on their AA degree full time. The point is they aren't even EE/CECS/CIS/IT generalists with exposure to computer security fundamentals. To them, any laptop that isn't in some kind of configuration achieved by a default installation of off-the-shelf software might as well be alien technology.
7200 RPM SSD, (Score:3)
Stand back man that SSD is whipping around.
Re: (Score:2)
Ok, I'm assuming you mean the US border. Has there been any serious documented abuse or "nasty" things happening to people with a laptop trying to come back into America?
This is all news to me...
Re: (Score:2)
The UK is pretty bad. In any case, most borders are the same. You are going to miss your plane to get sent home, what are you going to do?
Where's the link? (Score:5, Insightful)
Re: (Score:3)
You see where it says "vice.com" in the header? You're supposed to click there.
Yeah, I don't want to either.
Re: (Score:2)
You see where it says "vice.com" in the header? You're supposed to click there.
Yeah, I don't want to either.
Sorry, I've learned that if vice.com is in the URL, it's not worth clicking on.
Re: (Score:2)
and the linked article still doesn't tell you "how to build a secure burner laptop", only that some people can and do do it.
Re: (Score:2, Insightful)
I'm skeptical about the whole thing. The base platform is a Chromebook. By definition, Chrome and anything developed by Google has hooks which phone home. If you are going to build a locked down system, you should probably start with something that doesn't already leak like a sieve and have built-in backdoors and malware in the operating system.
Re: (Score:1)
http://xkcd.com/538/ [xkcd.com]
Re: (Score:2)
and the linked article still doesn't tell you "how to build a secure burner laptop", only that some people can and do do it.
You were expecting actual knowledge from a vice.com article?
Re: (Score:3)
A Chromebook is not a laptop!
Agreed, but from TFA, seems like they were chosen because they're cheap (in every sense of the word), therefore people would feel more comfortable using them as 'burner' laptops (or pseudo-laptops).
Re: (Score:2)
When I need a pseudo-laptop, I prefer to use a P-P-P-Powerbook! [knowyourmeme.com]
Security by Obscurity (Score:2, Insightful)
I certainly won't read the RTFA, as an AC, but this seems silly. You are saying that by using obscure hardware and software, attackers won't know how to put their off-the-shelf industrial malware on your equipment? Anyone with such a large-scale operation will either find another way in, or be eclipsed by all the malware that gets there by other means anyway.
Just making yourself a target (Score:1)
You're just making yourself a target for these border cops if you have a "suspicious" laptop. Get ready to be held against your will and interrogated.
I'd think there's better, more subtle ways to protect yourself.
Re: (Score:2)
I'd think there's better, more subtle ways to protect yourself.
You mean like encrypting your hard drive?
Personally, if I figured I had a lot to hide, I'd set up my machine to require manual intervention while booting. Set up a boot loader that silently boots to a decoy, throwaway, it-returns-to-its-initial-state-every-time system that you use for things like web browsing and game playing. Encrypt all the rest of the partitions used for the *working* system where you keep the stuff you want/need to keep secure. You boot to the *real* system to work by knowing that
Links? (Score:1)
The links provided say nothing about what is discussed in the summary. I realize this being Slashdot no one reads the article, but come on. One is the definition of the term "turnkey" off of Wikipedia, another is just the coreboot home page, and the third is a two-year-old posting on Bruce Schneier's web site about yet another NSA exploit. None of the links connect to the summary at all.
Could we at least post the link in the summary somewhere?
they know EXACTLY what to do (Score:5, Insightful)
might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.
Oh, they know exactly what to do.
"..border guards confiscated his laptop and phones and detained him, telling him he would not be allowed to leave until he gave them his passwords." [boingboing.net]
This is a solved problem as far as they are concerned. You sit in a room until you unlock the device for them. Lawyer? You don't get no steenkin' lawyer.
Re:they know EXACTLY what to do (Score:4, Interesting)
Not a problem officer..... It's password99.
And it boots to a clean sanitized setup. "Please don't look at my manuscripts in there, I'm not a very good writer and get embarrassed if someone reads my book I am writing."
and I am on my way.
Honestly, if you are not smart enough to have your real information safely elsewhere then you deserve to be detained. microSD cards are a freaking dime a dozen and can easily be hidden anywhere. Hell put one under the stamp on a letter to yourself at your destination.
Re: (Score:2)
>> Hell put one under the stamp on a letter to yourself at your destination.
Physically mailing storage? Really? Why wouldn't you just encrypt it and copy it (scp or whatever) to some server then pick it up when you get wherever you're going?
If you're paranoid about cloud storage (which is probably quite reasonable) just run your own server at home.
Depends on the amount of data... (Score:2)
It's one thing if you have a few megabytes of documents, however what if you have sensitive video or something in the Gigs? A 64GB card isn't too expensive, where ~30GB worth of bandwidth might not be readily available out of wherever you're transiting from.
Not to mention that if you're working with a paranoid government (and sadly the USA qualifies today), they might note the data traffic and follow up on that.
Re: (Score:3)
And it boots to a clean sanitized setup. "Please don't look at my manuscripts in there, I'm not a very good writer and get embarrassed if someone reads my book I am writing."
Better yet, a little legal heterosexual porn (think Playboy tasteful), some mp3s, some movies, they're satisfied that you're an 'average' joe and you go on your way. You don't want a perfectly 'sanitized' laptop, like having a perfectly clean apartment would have the cops wondering and looking for a second residence.
Re: (Score:3)
For travel, I have considered simply traveling with a Raspberry Pi with no thumb drive and a fresh install of Raspbian. The TSA is welcome to examine it in its entirety including making a mirror copy of the micro SD. Be upfront with them that the device is entirely devoid of any personal information and contains only the fresh boot image. After reaching your destination, you can SSH into your personal files and buy a local thumb drive. Upon return, replace the micro SD with a fresh copy again.
If you
Re:they know EXACTLY what to do (Score:5, Informative)
Someone didn't RTFA.
This isn't about stopping the border police from reading the contents of your laptop, it is about stopping them from installing spyware in the BIOS. The described mechanism involves clipping a pin off the flash chip rendering it read-only. No regular border cop is going to know how to deal with that and no amount of rubber-hose decryption is going to undo it.
Like all security measures, it isn't about being 100% secure, it is about raising the costs to the attacker.
Nicely done, connecting to NSA (Score:2)
Guess what people the NSA isn't going after with something as close-held as the linked exploit?
"Hackers, Activists, and Journos"
I know that doesn't really seem to matter to people, and that it's easier to cherry-pick contextless, misunderstood, fringe examples that are believed to prove some "point", or isolated examples of outright abuse and extrapolating, without any proof whatever, that to mean it is obviously systemic and widespread, instead of realizing that NSA's chief mission, as a foreign intelligen
Re: (Score:1)
The NSA will investigate, hack, and bully whomever they please and you're deluding yourself if you think they don't. They may have been "conceived" as a "foreign" intelligence agency, but, as has been clearly shown, they LOVE collecting data on U.S. citizens more than anyone. They may not be specifically going after a particular collection of people, but piss them off and you'll feel their entire weight upon you in an instant. MORESO if you're a U.S. citizen rather than a foreign citizen. They're the govern
Re: (Score:2)
Since you know everything about them, perhaps you should start linking to ANY evidence of collection against US citizens.
I have heard lots of wild speculation from the Snowden leaks, but none of it has pointed to actual illegal collection.
Re: (Score:3)
You are so naive it's almost painful.
Of course, the NSA is going to go after you if you are an American journalist. The thing is, they are not allowed to. What a quandary!
What can you do in that case, if you work at the NSA? You just send a memorandum to your good friends at GCHQ, and they will gladly do the spying for you!
And, of course, if GCHQ needs some juicy info on a UK citizen, NSA is happy to oblige. Scratch my back, I'll scratch yours, etc.
Repeat with all members of the "five eyes" (NSA, GCHQ, CSE,
Really? (Score:1)
Old laptop, boot from a Linux CD. all done. short of hardware inside it to spy on you it's 100% hacker proof. You can find cheap burners from almost anywhere, just boot from your Linux live CD and away you go.
Really has the state of "hacking" degraded so far that this kind of shit is considered talk worthy?
Re: (Score:1)
short of hardware inside it to spy on you
You mean like modifications to the BIOS? Which can infect a running OS even after you boot from another device?
Re: (Score:1)
If that works, can't you just detect malware using the same method on the regular laptop? (Boot it via CD/USB and check BIOS and other firmware.) Seems to me a compromised BIOS could lie about its checksum.
I guess if you always flashed all your BIOS/firmware back to defaults from read-only media after crossing a border, it might work...
Re: (Score:2)
Tails.boum.org
Tor, I2P, encryption
Why not dual-boot? (Score:1)
Put a vanilla install of Windows on an empty partition and set grub to boot it by default before you hand your laptop to border guards. They can have their fun with it before handing it back, then you wipe the partition when you get where you're going. You don't ever even have to boot it up to let their malware do its thing.
er... (Score:2)
Where's TFA?
Re: (Score:2)
On the title bar, where it says vice.com. I agree, it is a little confusing.
Why do you need a "secure" burner laptop? (Score:5, Insightful)
I don't mean that in the "if you have nothing to hide..." sense, but rather, the whole point of a "burner" comes from the fact that it doesn't have anything to hide on it. You pretty much just revert it to OEM condition before each trip, and if some hostile government-authorized terrorist agency like HSI (formerly ICE) decides to steal it from you (or hell, if a random thief decides to steal it from you), you haven't lost anything but the hardware.
Hey, I completely agree that we shouldn't have to put up with that sort of bullshit or take steps like prepping a burner laptop every time we want to go on vacation; but "securing" it just makes it look even more tempting to the idiots at the gates; similarly for setting up a UI that Officer Shout-and-Taze doesn't immediately recognize as Windows or OS X or Android or iOS.
If you want to make a stand, I fully support you. But if you just want to get on with your day, spare yourself from your own cleverness, and just restore to factory default and give it a highly secure password like "password".
Re:Why do you need a "secure" burner laptop? (Score:5, Informative)
I think the idea of this admittedly cryptic article is to have a laptop that is temporarily secure against certain spyware modifications so it can later still be used to download the encrypted data on the other side of the border. The alternative is to buy a new computer every time you travel.
Re: (Score:1)
the whole point of a "burner" comes from the fact that it doesn't have anything to hide on it
No, the point of the "burner" is that it is inexpensive enough that you won't cry if it gets stolen or if border officials decide to keep it. This gets more likely if you are a reporter known to be working against the interests of a government, since you will probably be on a border monitoring list.
Secure or not is a separate issue.
Re: (Score:1)
If you are a person of interest, it's obvious you won't carry sensitive data across a border where you can be searched.
The security services are not quite as stupid as you imagine.
Under one or other pretext they'll seize your laptop, then modify the BIOS so that it logs your activity. Encrypted or not, they'll get your encryption passwords as you retype them. You think you're all safe because you wipe/restore your laptop. Whereas if they do decide to hit you, they take your bugged laptop and everything is o
Re: (Score:2)
If you suspect that might happen, buy a cheap laptop for crossing borders, and either know how to reset the BIOS or sell it on eBay when you're home.
Only Freeware and Warez (Score:2)
Remember, don't take the chance that companies' legitimate software will infect you.
Journos? (Score:2)
Re: (Score:1)
C'Mere. I'll introduce my fist to your face. And I'll ask, "Oh, was that journos?"
Captcha: parsing
Re: (Score:3)
>> What is a Journos?
It looks like a Mentos, but it always tilts slightly to the left and has a yellow tint.
Forensic duplication (Score:2)
Err... isn't it standard procedure to extract and physically clone the HDD prior to examination, then attempt to crack encryption via rainbow tables?
If you've used a sufficiently long passphrase and sufficiently well written encryption software, they just throw you in jail (assuming we're talking about law enforcement) until you give up the keys.
It's much easier to just use a standard image and use remote access tools to work on a virtual computer that's not within the jurisdiction/reach of the people you'r
Re: (Score:2)
It's much easier to just use a standard image and use remote access tools to work on a virtual computer that's not within the jurisdiction/reach of the people you're worried about.
Sigh. So first we tell people, if you don't want people to see it don't put it on the internet. Hell, if you really don't want it getting out, keep the machine it's on airgapped. Simple, right? Then as soon as you want to cross the border ... you jump up and tell them if you don't want people to see it, hey, you should put it on the internet!!
Wait... what?
It's not bad advice per se; and relatively speaking the data may well be safer online than on a laptop at the border.
But it's only relatively better... if we
Will this sanitize files? (Score:1)
Have it shipped (Score:2)
So far as these stories that I hear about being detained and told you're not leaving until you provide passwords? If I'm in a foreign country then I start de
Stupid idea (Score:1)
What a completely stupid idea riddled with supposition.
There's an old rule to traveling abroad. Don't take anything with you that you do not have to take, and conversely don't bring back anything you don't have to. This idea would also encompass the data on your personal devices. I also use throw away passwords and passcodes that are secure, but not any I would ever use for anything else. I VPN to connect to the Internet whenever I need to and keep my online activity to a necessity based minimum.
As was sugg
Re: (Score:2)
Good ideas. I'd suggest going one step further and travel with a laptop you would not mind losing. For instance, when I upgrade systems, I typically keep the old one for travel, etc. Unless I really need the more powerful new system, the old one will usually do just fine for a few days. Why offer thieves a better payday than absolutely necessary?
Re: (Score:2)
Heck, go a step further than that. Unless you're going to some third world country or flying direct to the middle of nowhere, you can probably buy a cheap (possibly used) laptop when you get there, then download your goodies from the net or the microSD in your tube of toothpaste (if you're that paranoid).
Wipe it and discard it (or sell it) before returning, after uploading the data or stuffing the microSD back in your toothpaste tube.
When you consider the expenses of travelling, a cheap laptop doesn't add
Insane (Score:1)
thumb up the butt? (Score:1)
Re: (Score:2)
And yet you have enough free time that you seem to know about his multiple posts about "apps" and enough free time to post a reply to his nonsense.
Fight for your bitcoins! [coinbrawl.com] (sorry, no app)