[Cialug] The Paranoid Foreign Traveler

Josh More morej at alliancetechnologies.net
Wed Dec 16 10:52:40 CST 2009


(The paranoid one finally joins the discussion  ;)


It all comes down to your respective levels of risk tolerance and risk
presence:

1) If you are traveling to a friendly country (low risk) and are OK with
problems happening (high tolerance)

Go ahead and bring a laptop.  Don't worry about encryption, but it's
best to have data backups and insurance on the laptop.  If customs gives
you grief, don't fight them past that point where filing an insurance
claim and doing a data restore seem pleasant in comparison.


2) If you are traveling to a friendly country (low risk) and are NOT OK
with problems happening (low tolerance)

Leave your laptop at home.  Pay to use Internet cafes instead or buy a
netbook there and leave it behind when you go.


3) If you are traveling to an unfriendly country (high risk) and are OK
with problems happening (high tolerance)

Use a clean build and disk-level encryption.  Expect to be forced to
enter your password by customs.  Don't have anything for them to find. 
Expect to be hassled.


4) If you are traveling to an unfriendly country (high risk) and are NOT
OK with problems happening (low tolerance)

Don't bring a laptop.  Period.


5) If you are traveling to an unfriendly country (high risk), are OK
with problems happening (low tolerance) and need to engage in sensitive
work (high personal risk), then it's time to be paranoid.

Bring a cleaned laptop with an encrypted /home partition and LOTS of
RAM.  Set the system so that /tmp, /var/log, /var/run and the various
usual suspects are RAM drives mounted with noexec and nosetuid.  Disable
hibernation.  Keep your sensitive data within other innocuous files
using steganography and put those files in an encrypted folder called
something like /home/$user/Documents/Work/Backups.  Use misdirection
and create a bunch of useless files in /home/$user/Documents/Work
(Google searches on filetype:doc are useful here).

Disable bluetooth and wifi during your whole visit.  Disable booting
from USB/SD/etc.  Lock the BIOS with a password.

If possible (dunno if it is), require both a password and fingerprint
read to login.

Set the laptop to autolock after 30s of inactivity.  Require both a
password and fingerprint to bypass the screensaver.

Set up Firefox to use TOR, WOT, Adblock Plus, Better Privacy, No Script
and LongURL within a dedicated profile.  Create a fake profile that sets
your home page to MSN that starts up by default.

Try to use any data in plain text mode, be that .csv, .txt, etc.  If you
must use a fancy tool, import it in and export it back out to avoid any
macro-related malicious code.

Regularly back up any changed sensitive data to an svn server back in the
States over HTTPS.  Make sure that the home page for the svn server
looks like a "post my vacation photos to here" sort of site, just in
case anyone tracks the traffic through tor.

Run ClamAV or Sophos.

Enable your local IPTables-based firewall and configure it
appropriately.

Carry a special thumbdrive with an encrypted volume on it called
"Secret".  Keep it clipped to your bag and easily findable.  If
questioned, claim that only your boss knows the password and that you're
just carrying it for him/her.  If they want it, let them have it.  Put
the Linux kernel sources in there as well as lolcat photos, just in case
they crack it.

Don't use your laptop on the plane, read a book instead.

Be prepared to leave the laptop behind, if need be.  In some cases, this
may actually be preferable.

When you return, if you still have the laptop, wipe it clean before
connecting to any network at all.  Reinstall the BIOS.  Zero out the
disk.  Install a new OS.  Apply updates.  Install ClamAV or Sophos. 
Create a new partition, mount it nosetuid and noexec.  Copy the data out
of your SVN server to this partition.  Scan it twice.  Use deep scans. 
Leaving your computer off the network, sort the files into the ones
where you actually have regular plain text files and those that you do
not.  For the ones that you do not, open each in a non-standard
application (use kWriter or Word under Wine for OO, etc).  Save them to
a different format.  Scan them all again.

Then, if everything looks good, cross your fingers and connect up to the
network.


5) If you are traveling to an unfriendly country (high risk), engaging
in sensitive work (high personal risk) and have more chutzpah than can
be spread on a bagel:

Google around on "diplomatic pouch".  Get the specs for an innocuous
country.  Google around on that country's forms of identification. 
Print up falsified diplomatic credentials.  Get a false diplomatic pouch
made.  Put the laptop into the pouch.  Stroll through customs like you
own the place and be very rude to anyone that questions you, speaking
all the time in a convincing fake accent.

This will either get you past customs faster than anyone, or you'll get
to spend the next several years* in prison.

* It must be noted that your prison time may be much shorter... and be
ended with a bullet**.

** This is not a recommended technique, by the way.








-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701

>>> Jeff Chapin <chapinjeff at gmail.com> 12/16/09 10:15 AM >>>
Perhaps combine what we have discussed?

A second, encrypted partition on a flash card that contains your important,
super-secret files. When crossing customs, just slap the card into a camera,
and take a few pictures to camouflage?

On Wed, Dec 16, 2009 at 10:10 AM, kristau <kristau at gmail.com> wrote:

> On Wed, Dec 16, 2009 at 9:56 AM, Dave Hala Jr <dave at 58ghz.net> wrote:
> > I thought the point was to get through the security checks without being
> > "detained"...
>
> You may get in without being detained by carrying in a blank laptop
> then practicing "cloud" computing, but you also need to get out again.
> If they've monitored your traffic and deem our activities "suspicious"
> in any way, they may still decide to detain you while you are still in
> the country or as you are trying to leave.
>
> (yes, I'm playing a bit of Devil's Advocate here)
>
> --
> Tired programmer
> Coding late into the night
> The core dump follows
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>



-- 
Jeff Chapin
President, CedarLug, retired
President, UNIPC, "I'll get around to it"
President, UNI Scuba Club
Senator, NISG, retired
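
Added example (not part of the message above or of anyone's post in the thread): a shell check for the RAM-drive setup described in the "time to be paranoid" case, reporting whether /tmp, /var/log and /var/run are tmpfs mounts carrying noexec and nosuid (the Linux mount option the post calls "nosetuid"). The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Audit a /proc/mounts-format listing for the RAM-backed, noexec/nosuid
# mounts the post describes. All names here are hypothetical helpers.

# Paths the post names explicitly; its "usual suspects" are left to the reader.
PATHS="/tmp /var/log /var/run"

# audit_mounts FILE -> one line per path: "OK <path>" or "FAIL <path>: <reason>"
audit_mounts() {
    for p in $PATHS; do
        # The last matching entry wins, because later mounts shadow earlier ones.
        line=$(awk -v mp="$p" '$2 == mp { l = $0 } END { print l }' "$1")
        if [ -z "$line" ]; then
            echo "FAIL $p: not a separate mount"
            continue
        fi
        fstype=$(echo "$line" | awk '{ print $3 }')
        opts=$(echo "$line" | awk '{ print $4 }')
        reason=""
        [ "$fstype" = "tmpfs" ] || reason="$reason not-tmpfs($fstype)"
        for want in noexec nosuid; do
            case ",$opts," in
                *",$want,"*) ;;
                *) reason="$reason missing-$want" ;;
            esac
        done
        if [ -z "$reason" ]; then echo "OK $p"; else echo "FAIL $p:$reason"; fi
    done
}

# Constructed sample in /proc/mounts format (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/root / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=2097152k 0 0
tmpfs /var/run tmpfs rw,nosuid,relatime 0 0
/dev/mapper/home /home ext4 rw,nosuid,nodev 0 0
EOF
}

# Run against the sample; on a live system call: audit_mounts /proc/mounts
run_sample() {
    f=$(mktemp) && sample_mounts > "$f" && audit_mounts "$f"; rm -f "$f"
}
run_sample
```

On the sample, /tmp passes, /var/log fails because it is not mounted separately, and /var/run fails because it lacks noexec.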


