Encrypt all the things!

Posted on
Page
of 139
  • You can trim conversations when they reach X messages and Archive conversations, though I have no idea how to delete Archived Conversations.

  • @Velocio I'm off to New Orleans at the end of February. Given 45's recent EO's, would it be a wise move to take an 'empty' Android phone, with few personal info on it? I have an iPhone but was never going to take that with me.

  • You have 2 choices based on your preference:

    1. You're prepared to open your device if asked by someone in a uniform.
    2. You will resist and are prepared for the consequences.

    If #1... take any device you are happy having the contents fully searched through. If you are going the burner route... yes, factory reset, full disk encryption and you'll need to hook it up to a Google account for it to be usable, so create a random Gmail one and install the basic apps you want.

    Make sure to print out a travel itinerary that includes where you are staying, address and contact details. When you are there and in your hotel... add your primary profile back to your phone, and you're on your way.

    This is a much simplified process if you use something like LastPass which will save app credentials.

    For the second choice, take whatever is full disk encrypted and turn it off before you board the plane and don't turn it on again until you've got past all security and border stuff on the other side and are in the civilian landside part of the airport. Do not enable any fingerprint recognition, border control and uniforms have a right to your identity but not to a thing stored in your head... so they can compel you to unlock using a fingerprint. My guesses are, if challenged... you will be needing a lawyer and will be on the next plane back.

    In both cases, it's worth pruning public social media profiles of information (hence my ephemeral TweetDelete Twitter profile that self-nukes all tweets after 2 weeks).

  • BTW, there's a good argument to be had about putting phones in check-in luggage which is typically the other side of border control.

    But realise that there is a risk that if the baggage is lost in transit or ends up in another city you may be stuck with no phone.

  • Cheers hun.

  • Could you do both - if you are committed to using a burner, then have that on your person and keep your primary device in checked baggage?

  • I wonder how well all of this would work with Thiel's database churning away in the background - i.e.

    • Hello Mr border guard, this is my phone with my Twitter and Facebook accounts
    • These aren't your primary accounts
    • I'm sorry?
    • Our file on you shows you to be associated with this group of social media profiles, you are trying to trick us with these fakes
    • Bugger
  • Yeah, that will happen.

    I don't have Facebook and I am both careful with what I put on Twitter as well as using https://www.tweetdelete.net/ to purge tweets older than a given point in time (2 weeks, as that is the longest I've seen an active conversation last there).

    Border staff typically do not use advanced tooling, they have their core database and then they have Google. So deleting publicly visible is a good thing to do.

    Harder is what to do if asked for passwords to social media accounts. On that front it's also better just not to have the account in the first place.

    Going back to travelling in general, one of the security guys where I work flies by these rules:

    • Anything you check-in, don't expect to see again
    • Anything you carry, will be searched

    He flies with crap phones, set up with minimal info, with VPN (internet kill switch enabled) and wipes the device of local data before he flies. It's an interesting combination as he'll turn a phone on if asked, but there won't be any data on it and it won't connect to anything without that VPN running.

    He's gone for the minimum level of compliance, with a little inconvenience for himself. He's not on social media sites.

    Also interesting... define social media. I think the only reason forums are not counted is because of the lack of a key feature... connections between people.

  • All of this makes me glad I made LFGSS log nothing, and is pseudonymous rather than real-identity.

  • I have just gone from an iPhone 5c back to a 4. The old OS is making everything even remotely security related a total pain in the ass. It is getting very close to meeting a loud, hammer-based death.

  • I think the only reason forums are not counted is because of the lack of a key feature... connections between people.

    I wouldn't count on them not being used against you if correlation can be established between reality you and Internet you.

  • I wouldn't count on them not being used against you if correlation can be established between reality you and Internet you

    The main agencies have been doing this for years, this is why metadata is so important. Presume they have everything that you do online if you're not VPNing + Tor + not logging in to things.

    I am talking about a different issue.

    What I am talking about is the recent addition to border control protocol of potentially asking for your social media identities.

    Under their own legal definition this presently excludes all forums and things like Reddit, and is narrowly scoped to cover things like Facebook and Twitter so you can safely limit any answer to those things and forget about all forums. Presently this question remains optional (in one of those "implied bad things happen if you don't comply" ways but "it's optional").

  • Interesting. I use LastPass and it won't be on the travel phone and I don't know the passwords to my social media accounts without it. Am mentally preparing myself to be turned back at NO.

  • Does this not just move the problem one step up the chain? I guess you can feel much better about not giving out lastpass details, because it access' everything, but you're still fundamentally saying 'no', which is fine if you're saying no anyway.

    I wonder if we might end up in a situation like with physical bags, where lastpass has an option for a TSA Key which would temporarily grant access to certain accounts.

  • But we've seen what happened to the physical TSA keys.
    If LastPass go down that route, they will [should] lose your trust.

  • I'll be saying 'no' as the Lastpass password is kept at home and on my iPhone.

    Whatever happened to the days when all I had to worry about was excess duty free liquor?

  • I'm going there in May for TABR.

    I want all my maps and stuff on the phone - it's a backup for my GPS.

    I tweet, but could I just remove the twitter client and be done with it?

    Do they have any rights to emails or anything else on the phone?

    Should I remove Tor from my phone? There's nothing dodgy on there but I wonder if they'd see it as a red flag?

  • Legally it's a bit mixed.

    They have a right to search inside anything you are carrying... i.e. a bad, a suitcase... and this is the right that they extend to "things that can contain things", meaning computers and phones. You're on thin ice if you want to be the Supreme Court case against this... if you're not a US citizen it is not a good idea to refuse.

    They do not have a right to anything not contained in what you are carrying... i.e. they can't search your home because you are at a border, and likewise with cloud service stuff, like email or app data that isn't presently on your phone they have no right to this... but if would be retrieved by your phone then it's back into the "stuff you are carrying" box.

    They also have an absolute right to your identity, meaning your fingerprint should they ask. So they can get you to unlock you phone if this is enabled.

    But they don't have the right to things in your head, i.e. a passphrase. So you could argue against it... but again, this is thin ice.

    What this all boils down to is: Don't keep things in your phone that you don't want to be accessed, and either don't have apps installed or clear caches (log out of apps) and knobble internet connectivity during travel.

    You can reinstall whatever you please once you're at your hotel/wherever.

  • Gonna be a total clusterfuck, of course.

    I'm guessing it'll culminate in censoring anti-trump stuff online.

  • Yes, true. I suppose the only positive thing is that at least we won't need the likes of Edward Snowden to tell us exactly what is going on. It's likely that Trump will boast about his plans for mass-surveillance, and his cheerleaders will happily go along with it in the name of fighting the 'bad dudes'.

  • Hey @Velocio or anyone else with one of those Asus nt-r66u router?

    Do you know if it's possible to use a custom hosts file on that so all the devices connecting to it use the 0.0.0.0 hosts file from: http://someonewhocares.org/hosts/zero/

    I'm guessing there's probably an even cleverer way of doing such a thing that would auto update the hosts but I don't have time for that.

  • Afraid not, I gave mine away recently.

    I do use that, but I use it on an EdgeMax which is an entirely different beast and runs a different OS.

  • Ok, thanks, I'll do some more research when I have more time.

    LOL, more time.

  • Post a reply
    • Bold
    • Italics
    • Link
    • Image
    • List
    • Quote
    • code
    • Preview
About

Encrypt all the things!

Posted by Avatar for Velocio @Velocio

Actions