Why should you ever trust your hardware?


Last night I attended a small un-conference run by the Tor Project - specialists in providing access to websites that your repressive Government regime probably doesn't want you to see. They don't exactly provide anonymity because it's still entirely possible for you to "out" yourself; however, the secret policemen at your ISP won't get a log of your traffic content, and they won't know which websites you're contacting.

Tor is an interesting project and I recommend all readers to investigate - and possibly find some way to support - their work; but just to put this into context...

Imagine you are traveling to a despotic state. You have to work. You need communications and computing resources. Because of your work - perhaps journalism or civil liberties - the data you carry could possibly get people jailed, tortured or shot. And you're likely to be searched upon arrival.

What do you do? How do you get your job done?

I was asked this by someone for whom this is a reality, someone around whom information security is a matter of other people's - and maybe their own - life and death. States are ever more intrusive and their customs officials, spooks and business development people are ever more aware of the value of seizing data that crosses their borders, especially in "special" cases.

One published example is Jacob Appelbaum (formerly) of WikiLeaks, who not once but twice was detained by US Customs upon returning to the USA:

Appelbaum's interviewers demanded that he decrypt his laptop and other computer equipment, the source said. After his refusal to do so, they confiscated it, including three cellphones. The laptop was returned, apparently because it contained no storage drive that investigators could examine.

When crossing a border Governments can and may take all your hardware and copy all your data - data on your laptop, data on your phone, data on your iPod, data on your cameras, data on your thumb-drives - and then they might assent to giving the hardware back to you. Possibly having installed a few extra device drivers and a keylogger.

The risk is similar if you hang around in the industrial espionage sphere; one corporation instructed executives visiting China that their laptops were not to be let out of their sight - you take it to the toilet, you sleep with it - explaining carefully that the risk of someone flipping up the keyboard and installing a keylogger (or software equivalent) was too great.

Laptops upon return to headquarters were blanked and repurposed. Such is the price of keeping secret from vendors the maximum amount of money you might be willing to pay them. Is this paranoia? Not really. If technology is cheap enough to be used in divorce proceedings then Government departments with trade targets can surely afford better, especially if millions in manufacturing dollars are on the table.

So to return to the question: how do you cross a border if what you take with you may incriminate?

The current answer: thoroughly erase the laptop hard-drive, leave the cellphone at home, travel with an empty laptop and read-only CD/DVD installation media. Re-install the system when safe to do so, hauling any remaining data by some secure means over the network. Get a local cellphone for (untrusted) calling purposes and be aware that it may be being intercepted.

Carry your (long, random) passwords in your head; and don't bring your iPod Touch or Kindle if you've linked it to the Internet with your e-mail address and contacts list. Dispose of the phone and erase everything again before leaving.

Discussion last night went further, to touch upon: What about secure voice communication, like Skype, maybe? - and one attendee ventured that the bigger problem they'd encountered was the cop with the parabolic microphone, across the street.

In short: be thankful, if you live in a "free country" - or at least are not a "person of interest" to your Government.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.
