[liberationtech] best practices - roundup

[Steve Weis]

Here are a few more suggestions, with the caveat that they presume some
technical know-how:
- When connectivity permits, run everything remotely in a safe location,
and use your laptop as a remote desktop client over a VPN. You could even
remove the hard drive from the laptop and boot from read-only media.
- If running remotely is not feasible, I'd probably have a minimal
installation on the host laptop and run my day-to-day apps in encrypted
virtual machines. This makes it easier to secure the host, isolate
applications, and migrate to new hardware.
- Always use full disk encryption.
- Set a BIOS password.
- If you intend to boot from a hard drive, disable booting from PXE, USB,
or CD from within the BIOS.
- Firewire, Thunderbolt, and PCMCIA slots present a risk of DMA attacks.
Either use a laptop without them, or find out how to address the risk.

Despite these precautions, someone with physical access to your machine for
even a few minutes can generally compromise it. That risk can be mitigated,
but it's beyond the scope of this use case.

On Tue, Oct 9, 2012 at 9:23 AM, Katy P <katycarvt at gmail.com> wrote:

> Best practices for traveling to an internet-hostile regime.
>
> There is a lot of variance - obviously the regime's capabilities as well
> as one's own visibility come into play.
>
> And, if it isn't obvious, I'm not a security expert. This is not official,
> legal advice. Everyone needs to research this on their own and make good
> decisions for themselves.
> If you're really not tech-savvy, it might be worthwhile to hook up with a
> tech-savvy friend (or IT professional) to do some of these steps.
>
> Regardless, here are some hints from the community:
>
> BEFORE YOUR TRIP
> - your laptop and mobile device should be ones that are fresh - factory
> reset to the original operating system and best case would be "burners" --
> devices that you can factory reset upon return home (some suggested also
> using a bootable Linux install)
> - do not link your Dropbox, GDrive, or other file service at any time
> - do not be logged into GMail, social media sites, etc.
> - be careful with what photos you have on your phone (before leaving the
> country especially)
> - have a virus scanner installed
> - make sure that all software is up-to-date (Windows Updates, virus
> scanner)
> - any sensitive data/documents should be on a USB drive, not kept in an
> obvious place (like throw it in with your toiletries or something) with an
> encrypted volume
> - change all of your passwords to something very secure before your trip
> - install TOR
> - consider a mobile security app (Here's a review of some Android ones:
> http://www.digitaltrends.com/mobile/top-android-security-apps/)
> - encryption may be illegal and may cause more concern
>
> AT THE AIRPORT:
> - don't be logged into anything
> - be polite
> - don't be nervous
>
> DURING YOUR TRIP
> - when on WiFi, DNSCrypt http://www.opendns.com/technology/dnscrypt/
> - set up a VPN connection
> - never leave your devices anywhere (even hotel safe)
> - assume phone conversations are monitored
> - turn off GPS
> - turn on encryption for your social media sites (Facebook encryption
> http://www.facebook.com/help/?faq=215897678434749 Twitter
> http://blog.twitter.com/2011/03/making-twitter-more-secure-https.html)
> - some suggest having a different "burner" social media account
> - be careful posting pictures and updates during trip
>
> LEAVING THE COUNTRY
> - if possible, it might be a good idea to do a factory reset on devices
> before going to the airport (??)
> - upon return, do factory resets of all devices
> - change passwords upon return
>
> Thanks to everyone that made suggestions.
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20121009/72676b35/attachment.html>