Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Government Hardware Hacking Privacy Hardware

Hackers, Activists, Journos: How To Build a Secure Burner Laptop (vice.com) 139

sarahnaomi writes to describe a presentation by security researcher Georg Wicherski at the t2'15 infosec conference; Wicherski outlined in his talk several steps that could be taken to render an ordinary Chromebook immune (or at least very, very resistant) to malware attacks, even when an adversary has physical access to it. These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.
This discussion has been archived. No new comments can be posted.

Hackers, Activists, Journos: How To Build a Secure Burner Laptop

Comments Filter:
  • They'll just keep the device. "Burners" are almost as good as the one time pad.

    • by sexconker ( 1179573 ) on Thursday October 29, 2015 @12:15PM (#50826499)

      No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

      • by Anonymous Coward

        No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

        I hate to paint this kind of shit as a good thing, but the more abuses that are brought to light, the more chance of real enforcement reform.

        Body cameras are merely a starting point.

      • by myowntrueself ( 607117 ) on Thursday October 29, 2015 @12:26PM (#50826587)

        No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

        Except it won't be illegal because it'll be at the border.

      • by Anonymous Coward

        then illegally hold you without charging you anything

        Hey, at least it's free!

      • Well, the idea behind the burner anyway is to avoid keeping anything important on it, so open it up for them. And for the border you should have burner email, facebook, etc accounts also that have nothing but cats and laughing babies, maybe some soft lingerie porn to avoid making it too obvious.

        • To make sure it's not obvious, keep a few gigabytes of regular porn, 3d porn, hentai porn, furry porn, tentacle porn and futanari porn.

          Fight for your bitcoins! [coinbrawl.com]

          • Interesting resistance tactic - load your laptop with all sorts of disturbing and upsetting videos to cause mental anguish to any government viewers, while concealing and heavily encrypting anything real data. Remember, someone has to look at all this data to make sense of it....

            The government can seize and spy on my data, but they better be prepared to go to counseling afterwards..
        • by Anonymous Coward

          ...avoid making it too obvious.

          This - Because human rights at American borders appears to be non existent: any non compliance strategy is not enough - so yes add porn, add MS windows, make your device look "normal" and compliant with their meddling.

          If you do encryption and any other hardening then you must also make sure it's extremely difficult to tell that either your device is hiding something or make sure that their malware / backdoor etc appears to be successful... otherwise they can use the various non-technical ways to force you

        • by Anonymous Coward

          Then they just look through the computer's history. Oh, work at xyz company as an admin? Better cough up your username and enterprise admin creds or you will be lighter a few fingers (if it is Third World country), or a record gun or drug haul might be found with the laptop (if a more developed country). Other countries like the UK will just have the magistrate demand access to the AD network, if no, tack three years on the sentence, ask again. After 20-30 times, that is effectively a life sentence unde

      • No, they'll keep the device, beat and rape you, then illegally hold you without charging you anything and without granting you access to a lawyer.

        So that's the title of the sequel: 50 Shades of Grey on the Border

    • WTF? this is just a link to a logo for COreboot. no explanation of what it is or what makes it different other than just saying "its secure".

    • Coincidentally slashdot deals has a banner ad for the christopher walken (Pulp fiction) solution to taking your computer across the boarder privately.
      https://deals.slashdot.org/sal... [slashdot.org]
      Which is just the right size to hide any place you could fit a wristwatch.

  • Step 1 (Score:4, Funny)

    by Anonymous Coward on Thursday October 29, 2015 @11:55AM (#50826311)

    Install APKs host file generator so you don't have people tracking you by your DNS lookups.

  • Where's the link? (Score:5, Insightful)

    by cruff ( 171569 ) on Thursday October 29, 2015 @12:00PM (#50826353)
    I don't see a link to said presentation...
    • by MagicM ( 85041 )

      You see where it says "vice.com" in the header? You're supposed to click there.

      Yeah, I don't want to either.

      • You see where it says "vice.com" in the header? You're supposed to click there.

        Yeah, I don't want to either.

        Sorry, I've learned that if vice.com is in the URL, it's not worth clicking on.

  • by Anonymous Coward

    I certainly won't read the RTFA, as an AC, but this seems silly. You are saying that by using obscure hardware and software, attackers won't know how to put their off-the-shelf industrial malware on your equipment? Anyone with such a large-scale operation will either find another way in, or be eclipsed by all the malware that gets there by other means anyway.

  • by Anonymous Coward

    You're just making yourself a target for these border cops if you have a "suspicious" laptop. Get ready to be held against your will and interrogated.

    I'd think there's better, more subtle ways to protect yourself.

    • I'd think there's better, more subtle ways to protect yourself.

      You mean like encrypting your hard drive?

      Personally, If I figured I had a lot to hide, I'd set up my machine to require manual intervention while booting. Set up a boot loader that silently boots to a decoy, throw away, it returns to it's initial state every time system that you use for things like web browsing and game playing. Encrypt all the rest of the partitions used for the *working* system where you keep the stuff you want/need to keep secure. You boot to the *real* system to work by knowing that

  • by Anonymous Coward

    The links provided say nothing about what is discussed in the summery. I realize this being slashdot no one reads the article but come on. One is the definition of the term "turnkey" off of wikipedia, another is just the core boot home page, and the third is a two year old posting on Bruce Schneier web site about yet another NSA exploit. None of the links connect to the summery at all.

    could we at least post the link in the summery somewhere?

  • by Anonymous Coward on Thursday October 29, 2015 @12:08PM (#50826449)

    might have "an appliance, that comes with a manual, and low-skilled operators." By using a setup that is not very common, the border cops might not know what to do.

    Oh, they know exactly what to do.

    "..border guards confiscated his laptop and phones and detained him, telling him he would not be allowed to leave until he gave them his passwords." [boingboing.net]

    This is a solved problem as far as they are concerned. You sit in a room until you unlock the device for them. Lawyer? You don't get no steenkin' lawyer.

    • by Lumpy ( 12016 ) on Thursday October 29, 2015 @12:24PM (#50826563) Homepage

      Not a problem officer..... It's password99.

      and it boots to a clean sanitized setup. "please don't look at my manuscripts in there, I'm not a very good writer and get embarrassed of someone reads my book I am writing. "

      and I am on my way.

      Honestly, if you are not smart enough to have your real information safely elsewhere then you deserve to be detained. microSD cards are a freaking dime a dozen and can easily be hidden anywhere. Hell put one under the stamp on a letter to yourself at your destination.

      • by JustNiz ( 692889 )

        >> Hell put one under the stamp on a letter to yourself at your destination.

        Physically mailing storage? really? why wouldn't you just encrypt it and copy it (scp or whatever) to some server then pick it up when you get wherever you're going?
        If you're paranoid about cloud storage (which is probably quite reasonable) just run your own server at home.

        • It's one thing if you have a few megabytes of documents, however what if you have sensitive video or something in the Gigs? A 64GB card isn't too expensive, where ~30GB worth of bandwidth might not be readily available out of wherever you're transiting from.

          Not to mention that if you're working with a paranoid government(and sadly the USA qualifies today), they might note the data traffic and follow up on that.

      • and it boots to a clean sanitized setup. "please don't look at my manuscripts in there, I'm not a very good writer and get embarrassed of someone reads my book I am writing. "

        Better yet, a little legal heterosexual porn(think playboy tasteful), some mp3s, some movies, they're satisfied that you're an 'average' joe and you go on your way. You don't want a perfectly 'sanitized' laptop like having a perfectly clean apartment would have the cops wondering and looking for a second residence.

      • For travel, I have considered simply traveling with a Raspberry Pi with no thumb drive and a fresh install of Raspberian. The TSA is welcome to examine it in it's entirety including making a mirror copy of the micor SD. Be upfront with them that the device is entirely devoid of any personal information and contains only the fresh boot image. After reaching your destination, you can SSH into your personal files and buy a local thumb drive. Upon return, replace the micro SD with a fresh copy againi.

        If you

    • by Anonymous Coward on Thursday October 29, 2015 @12:47PM (#50826799)

      Someone didn't RTFA.

      This isn't about stopping the border police from reading the contents of your laptop, it is about stopping them from installing spyware in the BIOS. The described mechanism involves clipping a pin off the flash chip rendering it read-only. No regular border cop is going to know how to deal with that and no amount of rubber-hose decryption is going to undo it.

      Like all security measures, it isn't about being 100% secure, it is about raising the costs to the attacker.

  • Guess what people the NSA isn't going after with something as close-held as the linked exploit?

    "Hackers, Activists, and Journos"

    I know that doesn't really seem to matter to people, and that it's easier to cherry-pick contextless, misunderstood, fringe examples that are believed to prove some "point", or isolated examples of outright abuse and extrapolating, without any proof whatever, that to mean it is obviously systemic and widespread, instead of realizing that NSA's chief mission, as a foreign intelligen

    • by Anonymous Coward

      The NSA will investigate, hack, and bully whomever they please and you're deluding yourself if you think they don't. They may have been "conceived" as a "foreign" intelligence agency, but, as has been clearly shown, they LOVE collecting data on U.S. citizens more than anyone. They may not be specifically going after a particular collection of people, but piss them off and you'll feel their entire weight upon you in an instant. MORESO if you're a U.S. citizen rather than a foreign citizen. They're the govern

      • Since you know everything about them, perhaps you should start linking to ANY evidence of collection against US citizens.
        I have heard lots of wild speculation from the Snowden leaks, but none of it has pointed to actual illegal collection.

    • by Noryungi ( 70322 )

      You are so naive it's almost painful.

      Of course, the NSA is going to go after you if you are an American journalist. The thing is, they are not allowed to. What a quandary!

      What can you do in that case, if you work at the NSA? You just send a memorandum to your good friends at GCHQ, and they will gladly do the spying for you!

      And, of course, if GCHQ needs some juicy info on a UK citizen, NSA is happy to oblige. Scratch my back, I'll scratch yours, etc.

      Repeat with all members of the "five eyes" (NSA, GCHQ, CSE,

  • by Anonymous Coward

    Old laptop, boot from a Linux CD. all done. short of hardware inside it to spy on you it's 100% hacker proof. You can find cheap burners from almost anywhere, just boot from your Linux live CD and away you go.

    Really has the state of "hacking" degraded so far that this kind of shit is considered talk worthy?

    • short of hardware inside it to spy on you

      You mean like modifications to the bios? Which can infect a running OS even after you boot from another device?

      • by mvdw ( 613057 )
        So put an md5sum of the bios on the CD, and check it against the running bios on boot. If different, flag an error.
        • If that works, can't you just detect malware using the same method on the regular laptop? (Boot it via cd/usb and check bios and other firmware.) Seems to me a compromised bios could lie about it's checksum.

          I guess if you always flashed all your bios/firmware back to defaults from read-only media after crossing a border, it might work...

    • by mspohr ( 589790 )

      Tails.boum.org
      Tor, I2P, encryption

  • by Anonymous Coward

    Put a vanilla install of Windows on an empty partition and set grub to boot it by default before you hand your laptop to border guards. They can have their fun with it before handing it back, then you wipe the partition when you get where you're going. You don't ever even have to boot it up to let their malware do its thing.

  • Where's TFA?

  • by pla ( 258480 ) on Thursday October 29, 2015 @12:53PM (#50826855) Journal
    Why do you need a "secure" burner laptop?

    I don't mean that in the "if you have nothing to hide..." sense, but rather, the whole point of a "burner" comes from the fact that it doesn't have anything to hide on it. You pretty much just revert it to OEM condition before each trip, and if some hostile government-authorized terrorist agency like HSI (formerly ICE) decides to steal it from you (or hell, if a random thief decides to steal it from you), you haven't lost anything but the hardware.

    Hey, I completely agree that we shouldn't have to put up with that sort of bullshit or take steps like prepping a burner laptop every time we want to go on vacation; but "securing" it just makes it look even more tempting to the idiots at the gates; similarly for setting up a UI that Officer Shout-and-Taze doesn't immediately recognize as Windows or OS X or Android or iOS.

    If you want to make a stand, I fully support you. But if you just want to get on with your day, spare yourself from your own cleverness, and just restore to factory default and give it a highly secure password like "password".
    • by aaaaaaargh! ( 1150173 ) on Thursday October 29, 2015 @01:46PM (#50827245)

      I think the idea of this admittedly cryptic article is to have a laptop that is temporarily secure against certain spyware modifications so it can later still be used to download the encrypted data on the other side of the border. The alternative is to buy a new computer every time you travel.

    • by Anonymous Coward

      the whole point of a "burner" comes from the fact that it doesn't have anything to hide on it

      No, the point of the "burner" is that it is inexpensive enough that you won't cry if it gets stolen or if border officials decide to keep it. This gets more likely if you are a reporter known to be working against the interests of a government, since you will probably be on a border monitoring list.

      Secure or not is a separate issue.

    • by Anonymous Coward

      If you are a person of interest, it's obvious you won't carry sensitive data across a border where you can be searched.

      The security services are not quite as stupid as you imagine.

      Under one or other pretext they'll seize your laptop, then modify the BIOS so that it logs your activity. Encrypted or not, they'll get your encryption passwords as you retype them. You think you're all safe because you wipe/restore your laptop. Whereas if they do decide to hit you, they take your bugged laptop and everything is o

  • Remember, don't take the chance that companies' legitimate software will infect you.

  • What is a Journos? (sarcasm: it means the editor is a lazy typist)
    • >> What is a Journos?

      It looks like a Mentos, but it always tilts slightly to the left and has a yellow tint.

  • Err... isn't it standard procedure to extract and physically clone the HDD prior to examination, then attempt to crack encryption via rainbow tables?

    If you've used a sufficiently long passphrase and sufficiently well written encryption software, they just throw you in jail (assuming we're talking about law enforcement) until you give up the keys.

    It's much easier to just use a standard image and use remote access tools to work on a virtual computer that's not within the jurisdiciton/reach of the people you'r

    • by vux984 ( 928602 )

      It's much easier to just use a standard image and use remote access tools to work on a virtual computer that's not within the jurisdiciton/reach of the people you're worried about.

      Sigh. So first we tell people, if you don't want people to see it don't put it on the internet. Hell, if you really don't want it getting out, keep the machine its on airgapped. Simple, right? Then as soon as you want to cross the border ... you jump up and tell them if you don't want people to see it, hey, you should put it on the internet!!

      Wait... what?

      Its not bad advice per se; and relatively speaking the data may well be safer online then on a laptop at the border.

      But its only relatively better... if we

  • My biggest concern has always been and still is about someone identifying who created/edited a file on my drive. I routinely have to send documents anonymously which I have created and I am always worried about one document having my login name on of my machines attached to the meta data.
  • Why not, if you're going somewhere that you're afraid border agents will pull this sort of bullshit, just have your laptop shipped separately via something like FedEx? Then there's nothing for them to search. Don't keep anything important on your phone, or don't take your phone with you, or take a disposable phone that has exactly nothing on it anyway.

    So far as these stories that I hear about being detained and told you're not leaving until you provide passwords? If I'm in a foreign country then I start de
  • by Anonymous Coward

    What a completely stupid idea riddled with supposition.

    There's an old rule to traveling abroad. Don't take anything with you that you do not have to take, and conversely don't bring back anything you don't have to. This idea would also encompass the data on your personal devices. I also use throw away passwords and passcodes that are secure, but not any I would ever use for anything else. I VPN to connect to the Internet whenever I need to and keep my online activity to a necessity based minimum.

    As was sugg

    • Good ideas. I'd suggest going one step further and travel with a laptop you would not mind losing. For instance, when I upgrade systems, I typically keep the old one for travel, etc. Unless I really need to more powerful new system, the old one will usually do just fine for a few days. Why offer thieves a better payday than absolutely necessary?

      • by AJWM ( 19027 )

        Heck, go a step further than that. Unless you're going to some third world country or flying direct to the middle of nowhere, you can probably buy a cheap (possibly used) laptop when you get there, then download your goodies from the net or the microSD in your tube of toothpaste (if you're that paranoid).

        Wipe it and discard it (or sell it) before returning, after uploading the data or stuffing the microSD back in your toothpaste tube.

        When you consider the expenses of travelling, a cheap laptop doesn't add

  • Just run a VM and hide it 7 or dir deep. Delete VM ware from your system and put it back where ever you go keep a copy of VMware on a share somewhere, hell you can keep the image there also.
  • just take anything important and place it in your butt hole.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...