Let's not give all my data to oppressive governments, okay?
June 2, 2009 10:51 AM
How do I compute safely in dangerous places? Looking for advice on hiding data, protecting accounts, and securing connections.
(Before I get started, the laptop is a macbook running OS 10.4. I work in development, am doing nothing illegal, just being cautious.)
I will be traveling for work to some places where the government has a reputation for doing some bad things, from monitoring internet usage to confiscating equipment and holding people until they provide passwords. I would like to secure my laptop as much as possible, keeping in mind that encryption is no good when they beat you until you tell them the password.
I have an encrypted VPN to use for network access, and I use gmail for email (not stored on the laptop itself), so between those two things, I expect my email to be pretty safe.
I use skype and google talk for chat, the former with local logging disabled and the latter through the web browser only, so I think that's pretty good.
However, I am also worried about documents on the computer itself. Is it possible to have a hidden encrypted drive? I've seen software that creates a virtual drive by creating a large encrypted file, but this seems like a pretty obvious thing to look for.
Or perhaps there is a way to load a different user account based on the password alone, so that I can load a "clean" desktop when / if asked to turn on the computer for officials? (Without obviously selecting a different account or something.)
I have been reading, mostly centered around this collection of links and comments, but was curious if anyone here on mefi had advice as well.
However, I am also worried about documents on the computer itself. Is it possible to have a hidden encrypted drive? I've seen software that creates a virtual drive by creating a large encrypted file, but this seems like a pretty obvious thing to look for.
Yes: encryption only really protects people from being able to view your data; keeping your data a secret is more in the field of steganography. As Laen said, TrueCrypt has a pretty good plausible deniability scheme built in, but you are still putting your trust in people believing that your fake key is the real one.
Depending on how large your documents are you could store some or all of them remotely. On the extreme side you could boot a Live CD, nuke your hard drive before shutting down every session, and keep all of your documents at some safe and secret network location. It wouldn't be fast, but you could access a network drive over your VPN connection or use a file storage or backup site like Mozy to keep your data instead of storing it locally.
posted by burnmp3s at 11:11 AM on June 2, 2009 [1 favorite]
If you can set up a server outside the country, use VPN to RDP/ssh into the actual computer you have the offending documents on, and just use your laptop as a dumb terminal. Otherwise you have to worry about every program you use caching stuff you don't want on your hard drive.
posted by benzenedream at 11:16 AM on June 2, 2009 [2 favorites]
Yeah, using a secure remote desktop connection might be best. But remember to check the certificate fingerprint to ensure that you're not getting hit with a man in the middle attack. It's unlikely, but possible.
Another option would be to keep your entire drive encrypted with TrueCrypt, and then install VMware or other virtualization software to install an OS on that drive. That way, your entire OS will be encrypted, including swap space.
You could even use TrueCrypt's "plausible deniability" mode to install TWO OSes. One to boot up if people demand to see what's on your system, and one to boot up to do your real work.
posted by delmoi at 11:34 AM on June 2, 2009 [1 favorite]
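To make delmoi's "check the certificate fingerprint" step concrete for the SSH case, here is an added example (editor's code, not from the thread or any commenter): it computes the SHA256 fingerprint that current OpenSSH prints for a host key, parses a `known_hosts` entry in both the plain and the hashed-hostname form, and compares the fingerprint against the one you wrote down before leaving. The hostname, key bytes and salt below are constructed for the demo and belong to no real server.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_ed25519_key_b64(raw32: bytes) -> str:
    """Base64 public-key blob as it appears in known_hosts: string("ssh-ed25519") || string(key)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def sha256_fingerprint(key_b64: str) -> str:
    """The SHA256:<base64, no padding> string that current OpenSSH prints for a host key."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> tuple[str, str, str]:
    """Return (host_field, key_type, key_b64); any trailing comment is ignored."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a known_hosts entry")
    return fields[0], fields[1], fields[2]


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form of a host field: |1|<b64 salt>|<b64 HMAC-SHA1(salt, hostname)>."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(host_field: str, hostname: str) -> bool:
    """Match against a plain (comma-separated) or hashed host field."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")


def verify_host_key(line: str, hostname: str, expected_fp: str) -> bool:
    """True only if the entry names `hostname` and its key has exactly the fingerprint you carried."""
    host_field, _, key_b64 = parse_known_hosts_line(line)
    if not host_field_matches(host_field, hostname):
        return False
    return hmac.compare_digest(sha256_fingerprint(key_b64), expected_fp)


# ---- constructed sample (no real server or key) ----
SAMPLE_HOST = "work-box.example"
SAMPLE_KEY_B64 = build_ed25519_key_b64(bytes(range(32)))
SAMPLE_LINE = f"{SAMPLE_HOST} ssh-ed25519 {SAMPLE_KEY_B64}"

if __name__ == "__main__":
    carried = sha256_fingerprint(SAMPLE_KEY_B64)  # what you wrote down before leaving
    print("expected:", carried)
    print("ok:", verify_host_key(SAMPLE_LINE, SAMPLE_HOST, carried))
```

Before travelling, run `ssh-keygen -lf` on the server's host public key and carry the SHA256 string with you; on first connection from the road the `ssh` client shows the same string, and the comparison must be exact. A fingerprint that differs, or a host that suddenly prompts again after it was already in `known_hosts`, should be treated as interception, not as a server reinstall. If the server listens on 443 rather than 22 (the tunnelling suggestion later in the thread), the entry is written as `[host]:443`, and that is the string to pass as `hostname`; the host key itself is unchanged.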
Response by poster: As I said: the computer may be confiscated, I may be asked to enter passwords, the internet connection is definitely monitored.
I do not want work-related documents, identifying information of people I work with, or personal information, to be easily compromised. I do not expect to be the target of an investigation or anything.
posted by Nothing at 11:34 AM on June 2, 2009
Don't know what someone with an actual security background will think of this, but if you want to hide encrypted data, one of the ways I've heard suggested is to clutter your hard drive up with large video games or similarly bloated programs; then, once you've got a file you want that's been nicely and securely encrypted, you change the file extension so it matches a game data file and stick it in a game folder with similar-sized data files. Even better if you replace an actual game file with it, say a large map late in the game, since then it would be automatically deleted if they try to flush out suspicious files by uninstalling programs. It's security through obscurity, which is to say of minimal use without other safeguards in place, but it at least dodges the problem of interested parties having an obvious and immediate target to investigate. They can't ask for passwords for something they can't find, plus it avoids the problem of having an immaculately clean computer, which might also look suspicious. Not sure if that helps, but at the very least it may give you some ideas to explore.
posted by CheshireCat at 11:46 AM on June 2, 2009 [1 favorite]
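A caveat a practitioner would add to the renamed-file idea above, with an added example (editor's code, not from the thread): forensic sweeps do not trust extensions. They measure each file's byte entropy and look for a recognisable header, so an encrypted blob dropped into a game folder shows up as "high entropy, no known format" right next to the real assets. The format table, thresholds and sample files below are constructed for the demo.

```python
from __future__ import annotations

import collections
import gzip
import math
import os
import random

# A few well-known file signatures (real tools carry hundreds).
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
}

HIGH_ENTROPY = 7.2  # bits per byte; text sits around 4-5, ciphertext and compressed data near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = collections.Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_format(data: bytes) -> str | None:
    """Identify a file by its leading bytes, ignoring whatever extension it was given."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return None


def triage(data: bytes) -> str:
    """First-pass classification a forensic sweep applies to every file.

    "plain"       low entropy: text, code, most config
    "<format>"    high entropy but a recognised header (compressed assets, media)
    "suspicious"  high entropy and no recognised header: looks like ciphertext
    """
    if shannon_entropy(data) < HIGH_ENTROPY:
        return "plain"
    return detect_format(data) or "suspicious"


def container_hints(data: bytes) -> list[str]:
    """Extra heuristics container hunters add on top of entropy."""
    hints = []
    if detect_format(data) is None:
        hints.append("no recognised header")
    if len(data) % 512 == 0:
        hints.append("size is a multiple of 512 bytes (TrueCrypt volume sizes are)")
    return hints


def sweep(files: dict[str, bytes]) -> list[tuple[str, str, float]]:
    """Run triage over a directory listing; return (name, verdict, entropy) for every non-plain file."""
    return [
        (name, triage(blob), round(shannon_entropy(blob), 2))
        for name, blob in files.items()
        if triage(blob) != "plain"
    ]


# ---- constructed samples (no real game or container data) ----
_rng = random.Random(2009)
_vocab = [bytes(_rng.choice(b"abcdefghijklmnopqrstuvwxyz") for _ in range(_rng.randint(3, 9)))
          for _ in range(2000)]
TEXT = b" ".join(_rng.choice(_vocab) for _ in range(20000))  # word-like text
COMPRESSED = gzip.compress(TEXT)                               # legitimate high-entropy asset
RANDOM = os.urandom(4096)                                      # stands in for an encrypted container

GAME_FOLDER = {
    "readme.txt": TEXT,
    "map01.pak": COMPRESSED,
    "map07.pak": RANDOM,  # the renamed encrypted file from the suggestion above
}

if __name__ == "__main__":
    for name, verdict, bits in sweep(GAME_FOLDER):
        print(f"{name}: {verdict} ({bits} bits/byte) {container_hints(GAME_FOLDER[name])}")
```

Compressed game assets are also high-entropy, which is exactly why the header check matters: the genuine `.pak` passes as gzip, while the renamed container has nothing to show. Container hunters such as TCHunt add the multiple-of-512 size test on top. This is the reasoning behind the "take a clean laptop" advice elsewhere in the thread: a file that is not there cannot be flagged.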
While this page might be a bit tin-foil, and a bit off-topic, I've found it to be a good touchstone if you ever want true online anonymity.
In terms of what you are asking, though, I think the above posters are right.
1) Have a primary "non-secure" boot-up with a simple password. Do all your non-vital computing on this (and, if we are getting real serious, consider leaving some valuable data on here you can stand to be compromised to make an attacker feel like they've found the goods).
2) Have a second partition with TrueCrypt that you only use when you are working with vital work.
3) Have a USB Linux boot-key for the super-valuable stuff. If we are getting ultra-tin foil, then get a USB SD reader, and carry your vital SD card separately (and a non-vital SD card with apps or something on it). If things get ugly, quietly destroy this SD card with a fingernail or a boot-heel.
Hehe, tinfoil is fun.
posted by mjewkes at 11:47 AM on June 2, 2009 [2 favorites]
The easiest solution is not to store any of that stuff on the laptop itself. Throw it into an online-backup service, or Subversion/Git, or anywhere besides the laptop. If you really have to worry about this, you should be working within a "nothing local" framework already.
posted by rhizome at 12:41 PM on June 2, 2009
odinsdream: wouldn't SSH on port 80 be found out pretty quickly? I know one of the first things I do when I'm checking out some random system that has 80 open is see what is sitting there using a web browser...I always run SSH on some random high port, like 12345 or something...
posted by dubitable at 1:19 PM on June 2, 2009
3 steps.
Minimise the potential risk:
Use a clean laptop, take only the essential data, take it encrypted (with a fresh key).
Use a temporary gmail account, too, if your permanent one contains compromising information.
Don't get caught:
Don't let them know you're communicating. SSH on port 80 is a good idea.
Truecrypt sounds good, although I haven't used it.
If you do get caught, protect yourself:
If you're really in a situation where physical coercion is an issue, storing online doesn't help: they can also get your gmail password. Do you have someone you trust enough to give all your passwords to before you go, with instructions to change them randomly so that you yourself can't get access to your permanent (for example) gmail account or work systems? Store your temporary keys on a destroyable device, keep that device on you after destroying it so that you can plausibly claim not to be able to access the data.
You may still be personally screwed, especially if they don't believe you, but your data and contacts will be fine. Good luck.
posted by Wrinkled Stumpskin at 1:29 PM on June 2, 2009
I'd keep stuff that really must not be lost on a microSD card, and I'd be ready to chew it/swallow it.
Of course it won't be very healthy... but I doubt it can kill you. They're tiny!
Of course you may want to encrypt them first, as encrypted data is tastier...
(On a more serious note: steganography is more deniable than having an encrypted drive.)
posted by 3mendo at 1:48 PM on June 2, 2009
SSH on port 80 is a good idea.
Oh, you guys mean tunneling? Duh.
posted by dubitable at 2:10 PM on June 2, 2009
The best way they'll get the information they want is through rubber-hose cryptanalysis, good luck guarding against that.
posted by Brian Puccio at 4:39 PM on June 2, 2009
Response by poster: Thanks everyone. Lots to look at here. Remote access is not an option - internet access will be slow, limited, and rare.
I'm well aware that the big risk is not NSA-style super encryption breakers.
posted by Nothing at 4:47 PM on June 2, 2009
I wouldn't go to a country where the government might torture me for information for any size paycheck. You must love your job.
That said... the above solutions are good when you're playing with people who play fair, but ultimately, if you can access the data, they can torture the method by which you accomplish this out of you. This is analogous to why DRM doesn't work. It has to be breakable so the device can access it, and thus a determined party can find out how it's done.
Modern forensic tools are very good and the TrueCrypt plausible deniability setup is well-known. What you want is for there to be no reason to think there is anything hidden. I guess I would run ssh over port 443 (the SSL encrypted traffic will be less suspicious looking than if it were on port 80) to an off-site server for absolutely everything. Start learning UNIX!
posted by cj_ at 4:55 PM on June 2, 2009 [1 favorite]
If you're so worried about data security where you will be traveling that you intend to use full-disk encryption, or similar, have you considered that the most likely form of cryptanalysis will be a rubber hose? As in, you will be beaten with a rubber hose and your testicles electrocuted until you divulge the passphrase.
posted by thewalrus at 4:59 PM on June 2, 2009 [1 favorite]
Some of this is better advice than other parts are, and by far not all of it is directly relevant to your situation, but it ought to get you thinking.
posted by eritain at 5:00 PM on June 2, 2009
Something else you might consider is an IronKey. The USB stick will self-destruct after 10 failed password attempts. Still not much of a defense if you're being beaten for the password.
A setup that will prevent torture as a means of getting the password is a two-factor login with someone else resetting the second part every day and communicating the second factor to you if they can authenticate that you are safe and not in govt custody. The second factor may not have to be securely sent since both are needed to get in. The only password that is proof versus torture is one that you don't have.
posted by benzenedream at 12:07 AM on June 5, 2009
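An added example (editor's code, not the commenter's) of the "password you don't have" design above: the data key is split into two equal-length shares, one kept on the laptop and one held by a trusted person who releases it only after a safety check-in. The laptop also keeps a commitment to the key so it can tell a wrong or stale share from the right one, and after every successful unlock the pair is re-randomised so yesterday's share is worthless. The stream cipher at the end is a dependency-free stand-in for a real AEAD (or the disk-encryption product itself) and exists only so the demo round-trips data; the key, shares, nonce and message are generated for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 32


def new_key() -> bytes:
    """Fresh random data key (generated for the demo)."""
    return secrets.token_bytes(KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Return (local_share, remote_share).

    local is fresh random and remote = key XOR local, so each share on its own is
    uniformly random: a laptop share handed over under duress reveals nothing.
    """
    local = secrets.token_bytes(len(key))
    return local, _xor(key, local)


def recover_key(local: bytes, remote: bytes) -> bytes:
    return _xor(local, remote)


def key_commitment(key: bytes) -> bytes:
    """Kept on the laptop next to the local share so a recovered key can be checked before use.

    With only one share every candidate key is equally likely, so the commitment
    gives an attacker nothing to test against.
    """
    return hashlib.sha256(b"custody-key-check|" + key).digest()


def unlock(local: bytes, remote: bytes, commitment: bytes) -> bytes:
    key = recover_key(local, remote)
    if not hmac.compare_digest(key_commitment(key), commitment):
        raise ValueError("share mismatch: wrong or stale remote share")
    return key


def rotate(local: bytes, remote: bytes) -> tuple[bytes, bytes]:
    """Re-split the same key with fresh randomness after a successful unlock.

    Both old shares become useless, so a remote share observed in transit today
    does not combine with a local share seized tomorrow.
    """
    return split_key(recover_key(local, remote))


# ---- demo cipher: HMAC-SHA256 keystream with encrypt-then-MAC; a stand-in, not for real use ----

def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(_subkey(key, b"enc|"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac|"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac|"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag: wrong key or tampered data")
    return _xor(ct, _keystream(_subkey(key, b"enc|"), nonce, len(ct)))


if __name__ == "__main__":
    key = new_key()
    local, remote = split_key(key)              # remote goes to the trusted person at home
    commitment = key_commitment(key)
    blob = seal(key, b"list of local contacts")  # constructed sample document
    # ... on the road: the daily check-in succeeds and the remote share arrives ...
    k = unlock(local, remote, commitment)
    print(open_sealed(k, blob))
    local, remote = rotate(local, remote)       # new pair; the new remote share goes back home
```

One caveat on "the second factor may not have to be securely sent": the poster's link is monitored, and a share captured in transit plus a local share extracted under coercion is the whole key. Sending the share over the VPN and rotating after every unlock narrows that to the current session. The remaining weak point is the check-in itself, which the trusted person has to be willing to refuse.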
3) Have a USB Linux boot-key for the super-valuable stuff. If we are getting ultra-tin foil, then get a USB SD reader, and carry your vital SD card seperately (and a non-vital SD card with apps or something on it). If things get ugly, quietly destroy this SD card with a fingernail or a boot-heel.
You could create a TrueCrypt partition on an SD card, and then keep it in your camera most of the time, too.
posted by delmoi at 4:19 PM on June 5, 2009
I use Truecrypt. I think it's a good idea to run the program off a USB stick or a USB MicroSD card and then destroy the SD card if you're in a sticky situation. Having Truecrypt on your computer doesn't imply guilt, but it doesn't help. Also, put on your tinfoil hat and read this article.
posted by bertrandom at 5:16 AM on June 7, 2009
posted by Laen at 10:58 AM on June 2, 2009 [3 favorites]