These instructions are written for unsophisticated users, particularly journalists and activists, and were written with feedback from those users. So, for instance, the steps you might take to arrive at a secure Firefox or Android configuration are probably fine, but not workable for the audience these instructions are intended for.
We're simultaneously working with the airport lawyer groups (there's a huge one at ORD). It's been jarring to realize how many compromises are required to make things workable for groups of non-experts to use. Just getting software installed is a major hassle, so anything you install or customize needs to be really worth the effort.
Second, whoever made this list should include names that endorse it. They must be names of people trusted by various communities: IT security community, journalists (e.g., NY Times), activists (e.g., EFF), etc. Otherwise, it's just another list of very many on the Internet; who knows how reliable it is?
> It's been jarring to realize how many compromises are required to make things workable for groups of non-experts to use.
Third, I am very familiar with this problem, and that assumes you can persuade them that there's sufficient risk to justify the effort. The only solution is for someone to create secure, foolproof, user-friendly and appealing software that is effortless to install and maintain. I know it's easy for me to say "someone", but I don't have the expertise and this project absolutely requires expertise; it can't be yet another hack claiming to be secure.
Fourth, that will create another problem: If that software becomes widely used it will become a very appealing target for extremely well-resourced attackers. I'm not sure of the solution to this problem; can software really be secured effectively against those attackers? Really, we need more than one secure option; or, what if most communication software was fundamentally secure? One step at a time.
Clarifying to my own comment: I trust that it is authoritative, but people who don't read HN need to trust it.
Also, my whole comment is very much IMH - non-authoritative, - O.
Was that an option, or was it assumed unavoidable that people will always have a smartphone or laptop with sensitive info on them? (So it would have to be an iPhone according to the article.) Whereas that is assuming the choice has already been made that you have to have a smartphone to begin with.
The goal is to provide practical security advice that people will use, and that does not make things worse.
- do not store on your laptop / cellphone what you no longer need
- make sure you protect your back-ups as well as you protect your originals
- don't type in credentials while under camera observation
This isn't "advice for refugees entering the country whose lives depend on getting past CBP".
Disclaimer: I work at Google.
I understand Verified Boot, but how would removing Google Play Services damage security? It would seem to reduce the attack surface.
source: I'm another Google engineer
How do you propose a custom rom can establish hardware root of trust without being signed by the device manufacturer?
* U2F token (primary method)
* TOTP via phone app (backup)
* Backup keys printed or on encrypted USB, in a safe.
* SMS disabled explicitly.
TOTP fallback doesn't reduce security meaningfully, because U2F principally protects against phishing. But SMS fallback is devastating to security.
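To make the point in the comment above concrete, here is an added example (not code from the thread or from any vendor) that runs the same real-time phishing relay against a relying party with TOTP as the second factor and against one with an origin-bound U2F-style assertion. The TOTP code is a straight RFC 6238 implementation; the U2F signature is modelled with HMAC over the challenge and the origin the browser saw, which is a simplification of the real ECDSA signature over SHA-256(appId) || counter || SHA-256(clientData), but preserves the part that matters here: the token signs the origin the browser reports, not the one the user thinks they are on. The origins and the shared key are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not code from the thread. Compares TOTP and an origin-bound
# U2F-style assertion under the same real-time phishing relay.

STEP = 30      # TOTP time step in seconds
DIGITS = 6
WINDOW = 1     # accept one step of clock skew either side, as most RPs do

REAL_ORIGIN = "https://accounts.example.com"            # constructed
PHISH_ORIGIN = "https://accounts.example.com.evil.test"  # constructed


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s counter, dynamic truncation, 6 digits."""
    counter = struct.pack(">Q", at_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp_verify(secret: bytes, code: str, at_time: int) -> bool:
    """RP-side check with the usual +/- one-step window."""
    return any(
        hmac.compare_digest(totp(secret, at_time + d * STEP), code)
        for d in range(-WINDOW, WINDOW + 1)
    )


def u2f_sign(key: bytes, challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """Token-side: the browser, not the user, supplies the origin it is on.
    HMAC stands in for the token's ECDSA signature (simplification)."""
    client_data = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(key, client_data, hashlib.sha256).digest()


def u2f_verify(key: bytes, challenge: bytes, expected_origin: str, sig: bytes) -> bool:
    """RP-side: recompute over the origin the RP expects and compare."""
    client_data = challenge + b"|" + expected_origin.encode()
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def phish_totp(secret: bytes, now: int, relay_delay: int = 5) -> bool:
    """Victim types the current code into the phishing page; the attacker relays it
    to the real RP a few seconds later. Nothing binds the code to an origin."""
    stolen_code = totp(secret, now)
    return totp_verify(secret, stolen_code, now + relay_delay)


def phish_u2f(key: bytes) -> bool:
    """Attacker fetches a genuine challenge from the RP and forwards it to the victim.
    The victim's browser hands the token the phishing origin, so the signature does
    not verify against the origin the RP expects."""
    challenge = secrets.token_bytes(32)
    sig = u2f_sign(key, challenge, PHISH_ORIGIN)
    return u2f_verify(key, challenge, REAL_ORIGIN, sig)


def legit_u2f(key: bytes) -> bool:
    """Same flow on the genuine site verifies."""
    challenge = secrets.token_bytes(32)
    sig = u2f_sign(key, challenge, REAL_ORIGIN)
    return u2f_verify(key, challenge, REAL_ORIGIN, sig)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector secret
    print("phished TOTP accepted:", phish_totp(seed, 1_700_000_000))
    print("phished U2F accepted: ", phish_u2f(seed))
    print("legit U2F accepted:   ", legit_u2f(seed))
```

The same relay works unchanged against an SMS code, which is why SMS fallback is the dangerous one: an attacker who can phish the password can phish the SMS or TOTP code in the same session, but cannot produce a valid origin-bound assertion without the token being used on the genuine origin.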
For example in the Don't section it says "[Don't] Store sensitive information in cloud services like Evernote or Dropbox." Ok, but where is the corresponding entry in the "Do" section, which tells folks how to store sensitive information? Especially in a way that permits more than one person to access and use the information, which is key to how both journalists and activists work?
There might not be a "good" answer. But recognizing that people have to work, there is probably a sense of "better" or "best for now". Maybe that's the format:
Don't | Better
Don't use your fingerprint to lock/unlock devices | Use a long passphrase to lock your devices.
> Use your fingerprint to lock/unlock devices.
> Use an Android phone.
> Take the devices you work on across the US border.
Does anyone have experience with their devices being searched at the border? Do they just look at your social media and let you go, or do they somehow copy the data on the devices or install any software on the devices? Will the person's devices always be in visibility, or do the CBP officers handle them in separate rooms?
Assuming I have to carry my laptop and phone across the border, what precautions can I take to minimize the potential privacy violations? After crossing the border, do I just reinstall my OS of choice (Ubuntu) from scratch and reset all passwords?
Regarding the browser recommendation, why is Firefox not recommended? It's used in the Tor browser and I have not heard of any major security incident recently with Firefox.
Fingerprints have a different and weaker legal standard than passwords to protect them
It may be possible to get a secure Android phone, however, it is unlikely that the one you have is. Varying levels of quality for disk crypto and TPM key storage will do you in.
> Take the devices you work on across the US border
Any data or passwords you have on you is data you could lose, get forced to cough up, etc.
> Assuming I have to carry my laptop and phone across the border, what precautions can I take to minimize the potential privacy violations?
Put an encrypted blob on [name a cloud provider]. Download it once you cross through customs.
> why is Firefox not recommended?
Because Firefox has no sandbox and gets routinely exploited by Law Enforcement
> It's used in the Tor browser
The Tor Browser is an abomination.
> I have not heard of any major security incident recently with Firefox.
You have not been paying attention. Maybe consider accepting the advice of experts?
It would be great to have a few of these issues sourced in the comment (and your comments on the Tor Browser expanded with some reasoning) just so everyone is on the same page. I've seen some exploits with Tor Browser but I thought they'd be mostly sorted out.
I get that Chrome has some more mature sandboxing code, but I must admit I'm not a fan of how it handles a lot of things, including download behaviour (http://security.stackexchange.com/q/145808 and https://scarybeastsecurity.blogspot.co.uk/2016/11/0day-poc-r...); Firefox at least does a better job here.
I agree with the advice for border passage, only thing that makes this difficult is the state of upload speeds.
Don't use Tor Browser.
Do you have any links you can share to best practices for setting up this secure TOR client instead of using the insecure TBB as explained above?
The TBB has the Tor client and a browser (a slightly tweaked Firefox) configured to connect via the Tor SOCKS proxy rather than via the standard network.
Nothing on the article's website suggests an affiliation or particular interest with security issues. This kind of patronising tone directed at people asking for help is the single most unpleasant part of the IT security industry.
It's not just the US border, any border they can request you open up social media accounts or walk away with your laptop or phone and return it later filled with spyware. Business trips from here to China always involve buying a new phone and wiping/selling it on Craigslist after you return assuming it's been compromised.
Seems like if you assume a phone is compromised, it would be immoral to sell it to someone else without full disclosure of your concerns.
I don't mean anything against tptacek personally, but without any substantial grounding this is as good as believing Keith Alexander/Michael Rogers/Vladimir Putin/Osama bin Laden/coin toss. In fact, coin toss might be the most secure of all, as I surely know it doesn't try to fool me on purpose.
Look elsewhere in this thread for "why not use an Android device."
Don't carry your work devices across the US border because they may be taken, can be taken out of your view, and may be duplicated (and yeah, you should have FDE on your computers etc., but don't take the chance).
But other countries (including Canada) can.
There's a reason that pwn2own (the hacking competition) has much higher bounties for finding Chrome vulnerabilities than finding Firefox vulnerabilities - http://blog.trendmicro.com/pwn2own-returns-for-2017-to-celeb...
Not good advice for any public place (airports, cafes, etc.). Very easy to listen to BT and intercept passwords as the user types them in.
It's worth the risk to get people to use an iPhone or iPad more routinely. Also, the risk of this is exceedingly low because an attacker needs to actively interfere with the pairing process and be physically present for collection. This attack doesn't scale like "It's Windows, go pull the hard drive and read everything on it." I've never heard of LE using active BT attacks, and I keep up on these things.
Things I'll never quite make time to play with:
Specifically around BT keyboards they say this on one of their slides:
* Sniffing is possible but kind of "unstable"
* All pre-requirements for a successful PIN cracking can only be sniffed during pairing
* Complex documentation
So overall, not awful, but not fabulous either. Luckily most BT keyboards are severely limited in range (~ 30 feet max).
This is all from 2010, but is the latest source(s) I can find.
(if it is true that some (relatively modern) bluetooth keyboards are sniffable and some aren't, I'm sure you can convince them to amend the article with specific models that are believed to be better)
I acknowledge that the situation with Bluetooth peripherals is complicated† and accept that there are probably a bunch of vendors that are unsafe to use. It might be reasonable to simply require Apple peripherals --- not because they're the best, but because Apple is more accountable to peripherals security than most other vendors are.
On the other hand, what we can't reasonably do is create a Bluetooth Keyboard Product Guide in a simple set of security recommendations. Not only will it not be effective, but it will discourage the audience, who will fall back to their previous insecure configurations.
So I'd ask to what extent we think Bluetooth sniffing attacks on journalists are a spy movie threat. No matter what device they use, simply by using a wireless device as an input, they're exposing those inputs to timing as well. But then, as well, Apple's software update could be targeted too.
The basic idea behind the "use a Bluetooth keyboard recommendation" is, I presume, to convince people who would otherwise use computers to do sensitive work to instead use an iDevice. That's a very sound security principle; those iDevices are far more secure than the median fully-functional computer.
If I had to pick between telling a journalist to use a random Bluetooth keyboard with an iPad, or use a Macbook or Thinkpad, I would have a hard time deciding, but I think I'd ultimately go with the random Bluetooth keyboard --- there are too many different ways the computer can be undetectably (to a typical user) owned up, and only one fairly elaborate scenario where the BT keyboard will screw them.
What I'm learning from working with at-risk normal users is that a lot of security steps we all take for granted are simply not on the table for the people who need security the most.
† Way more complicated than the people claiming "Bluetooth keyboards are trivially sniffable" are letting on
In my experience, people, especially people with budgets like most mainstream journalists and lawyers, want a list of specific things, best of all SKUs, they can buy that will give them the most security.
IME this greatly overestimates how hard this is for typical end users.
Imagine if you were asked to understand and implement a technical legal function. Maybe you could do it, but it would not be trivial, you'd have to figure out what the heck it meant and what was going on, and then try to implement it. You would need to hope you received good advice, because you have no way of discerning good from bad, and that the instructions were accurate, clear and complete.
At HN we are inside a bubble where these thing are trivial. As another analogy, appendectomies may be trivial for surgeons but incredibly difficult for me.
A USB keyboard is almost certainly easier to secure though.
* These lists are often made but are never kept up to date as recommendations change. Will this list be any different?
* Use Gmail? We can't pick some other web based, 2FA capable non-US hosted service that doesn't specifically use machines to scan your content for ad serves? This recommendation was the only one that furrowed my brow.
Yes: if you are using email at all, you should use Google's email service. Virtually every concern you'll state about using Google Mail is better articulated as a concern about using email at all (especially because 90% of the people lawyers and activists communicate with also use Google Mail).
If you want, instead, to militate against using email at all, I'll agree and also tell you that I expect this guide will get clearer about that.
Only other thing I can think of is google being more secure by virtue of being bigger.
How many organizations globally are doing research like that?
Google can change or ignore its policy at any time, without telling you. Depending on your level of risk, you might not want your security to depend on someone else's goodwill, especially someone who has very many, much larger concerns than you.
Will Google forgo massive government contracts to protect you? Risk expensive lawsuits? What if you are politically unpopular; will Google risk its reputation for you?
How does one transfer information if they can't transfer anything across the border?
Where should one store sensitive information? An encrypted drive you're not supposed to transfer across the border?
I'm not really sure what a person is supposed to do with either of those two recommendations, especially if we're saying that person is not tech-savvy. I think these will just be ignored because they don't seem very viable and require a lot of background knowledge and planning.
Also, why is Chrome preferred to Firefox? I generally assume Chrome is listened to by Google across the board, and it still lacks something like NoScript. Chrome doesn't seem to do block XSS well, either.
Similarly, why Gmail as opposed to, I don't know, something like Protonmail or the like? Safety behind big company, reliability, viability?
Why Chromebook and not just a normal Linux?
The inherent trust in Google in this list confuses me.
And 1Password over KeePass. It seems every cloud-based password manager has been hacked in a round-robin fashion, but I guess this solves the other cloud-based problem.
2. Because Chrome is significantly more secure than Firefox. See: rest of thread.
3. Because no email provider is truly safe, and Google's mail service is better defended than virtually any other mail provider. Things like Protonmail are security gimmicks. If you're concerned enough about messaging safety to use some idiosyncratic email provider, you're concerned enough to stop using email for secrets altogether: use Signal, WhatsApp, or Wire.
4. Because a Chromebook is safer for a typical user than Linux, and also because there's a (remote) chance that people might actually use a Chromebook. The security challenges of 2017 are not an opportunity to finally achieve Linux On The Desktop.
5. The list's most contentious recommendation is a rebuke to Google.
6. Standalone 1Password isn't a cloud-based password manager. People should avoid cloud-based password managers.
It's kind of a pain in the ass sometimes (I can only sync at home) but the upside is no cloud component and it syncs nicely and automatically between multiple machines.
For mobile devices, I use the Wifi sync mode.
In Canada you can be put in prison for 1 year if you don't give up your password at the border.
Firstly, the CBSA action was never tested in court. Failure to divulge information hasn't been defined as 'hindering' before. The case would probably have to go to the Supreme Court of Canada for it to be decided.
Secondly, even at the border you can choose to remain silent.
See linked page for advice from actual lawyers.
The most likely worst outcome is you get refused entry if you are not Canadian.
are you trusting google or not?
But if you store the content of those messages with a cloud provider--regardless of which company--you have killed a lot of security value. The plaintext will sit there, just waiting for someone to go get it, and you'll never know if they do.
Email does not work that way. Even if it is encrypted in transit, it is always stored in plaintext in servers at either end. So, taking that into account, which email service provider has the best security team to defend that plaintext. This guide argues it is Google.
Or try Firejail https://firejail.wordpress.com/ (Linux) or possibly Sandboxie on Windows https://www.sandboxie.com/
>1. Don't send any sensitive information by email.
>2. Don't store sensitive information in cloud services like Evernote or Dropbox.
Both of these are good advice.
However, what I don't see is "how to share information securely". The intended audience surely needs a way to exchange information, e.g. documents but what are the recommendations on how they should do this?
>Carry a “USB data blocker” (either the whole cable or an adapter that plugs into your cable like this) to charge at airport or hotel chargers.
I would suggest that SyncStop is recommended instead of the current device on the basis that SyncStop is created and sold by a security company that specialises in hardware security. It is also recommended by Mikko from fsecure.
The contrast with Snowdens recommendations is quite stark: https://theintercept.com/2015/11/12/edward-snowden-explains-...
Things that seem more important^:
- Well known and vetted data structures/algorithms etc
- Vulnerability history
- Large install base
- well regarded, well funded security team vetting the project
- capacity and history of fighting expensive legal battles on behalf of its users.
Its possible that there are android phones that meet these criteria but there are many that do not. The iphone on the other hand does. So rather than having very specific android phone recommendations its generally easier to just say use iPhone. So much so that most of the security professionals I've talked to view it as the most secure, commonly available computing platform period.
^Not a security professional, but I drink with a couple.
iPhones are easy to setup and hard to fuck up. You use DEP and it arrives from the factory with a signed profile for your organization. You deliver it to the user, they sign in, and the MDM takes it from there.
With Android, forget it. They were at the time using LUKS for FDE, and there's no segmentation in the OS. So you need need a third party container solution (either from Samsung or another vendor) to protect your data. So you need a pre-boot password, device passcode, a container password, and possibly more. It's a real shitshow.
Apple lets you take the same level of control that a company would have for free with the Configurator app as well.
The real glaring issue here is that we don't really have good, safe services or devices available to us, especially if you want to stay plugged in (have access to the internet, social media, and necessary tools). Pretty much everything is owned by a corporation or compromised or both.
I'm not really convinced that much is gained by using one browser or phone over another at the end of the day. If someone really wants your information, and you're connected to the world, they'll figure out how to get it.
Maybe there is a better security guide for a bit more technical people? With why's and how's, explaining what are the real issues and causes of some practice being bad, and what are the possible solutions to it. Why is Android bad? Is it solved by stripping out google services? How do you do it properly? Is it solved by replacing an Android phone with iPhone? Etc. Without any of "jumping into the snake-pit is so bad, that jumping straight into the fire is probably better". Probably better, huh.
It could be the case that iPhone users are more high value targets. IMHO It's more likely iPhone exploits are just harder to come by. (not impossible, just tougher)
This one breaks my heart a little.
I mean, I get it, I understand why it's there. But it still breaks my heart.
1. For "Do as much of your work as possible on an iPhone or iPad." -- as opposed to what? Android and Windows? Would listing device options be a possibility?
2. Possibly: add a set of suggestions for transporting device(s) across borders or acquiring them. I suspect mail or package delivery might be an option -- or if it's not, then clarifying the risks would be of interest.
3. Operating systems: A list of most to least secure might also be handy. E.g., WinCE, Windows, MacOS, iOS, Linux, TAILS, etc. Some indication of where "good enough" starts to apply.
4. Out-of-scope for document to include a full set of terms and definitions, but a glossary with links to additional reading might be of interest.
5. Providing "why" links might also be useful. E.g., Fingerprints (can be forced to divulge, fewer legal protections than passwords).
6. Formatting: A bulleted list would be slightly easier to read. A numbered list can be specifically referenced (e.g., "'Don't' #4 ...").
7. Define terms. E.g., "Long password": "At least 20 characters, 200 if possible", say. Tips on passphrase generation (e.g., xkcd passphrases, "correct battery horse staple").
Finally: thank you for setting this up.
2. Any concrete advice about crossing borders is hard to give right now. The goal in this document is just to alert people that it is not OK to travel with your work device.
3. For the audience here (think someone providing legal aid at an airport) this is too technical.
4,5,6 Great idea, thank you!
7. It's funny but the XKCD really seems to be the best thing to link.
1. Windows laptop, I take it? Or any laptop?
2. Even if specifics are hard to provide, a pointer to best information, a clear statement that "Any concrete advice about crossing borders is hard to give right now" (in fact that exact phrase strikes me as excellent), and perhaps a pointer to a larger document with laws pertaining to specific countries. Ranked, say, by interest and/or travel volume. World Bank has listings: http://data.worldbank.org/indicator/ST.INT.ARVL?year_high_de...
3. Even people providing legal aid may have support teams who could assimilate the information. Out-of-document link here. Think staged information delivery.
7. It's an effective format for communication. There are several generators (caveat emptor) as well. For MacOS, it would be easy to create a local generator using wordlists (I've done the same on Linux). The problem is actually that the system dictionaries are generally too comprehensive and have really obscure words in them. A GUI wrapper around a Very Simple Shell Script would tend to give good outputs.
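As an added example of the generator described in the comment above (not code from the thread or from the guide), here is a diceware-style passphrase generator: it filters a wordlist down to short, plain ASCII words so the obscure entries in a system dictionary are dropped, picks words uniformly with the CSPRNG, and computes the entropy from the list size and word count rather than from how the phrase looks. The wordlist embedded below is a constructed sample; a real tool would load the EFF long wordlist (7776 entries) from a file, and the `target_bits` figures are illustrative choices, not numbers from the guide.

```python
import math
import secrets

# Added example, not from the thread. Diceware-style passphrase generation
# with an explicit entropy calculation. WORDS is a constructed sample list.

WORDS = """
acid amber anchor apple arrow badge bagel basin beacon bison blaze bread
cabin cactus camel candle canoe cedar chalk cherry cider cliff clover
daisy delta dingo dodge donut dragon eagle ember fable falcon fedora
gecko glove grape gravel harbor hazel heron honey igloo ivory jelly
kayak kiwi lemon lily llama lunar mango maple melon moose nectar nickel
oasis olive onion orbit otter panda pearl pepper pixel plume quail radar
raven ridge river robin saddle salmon sesame shadow sparrow spruce squid
tango thistle tiger toast tulip umbrella velvet violet walnut willow yarn zebra
""".split()


def clean_wordlist(words, min_len=3, max_len=8):
    """Drop duplicates, mixed case, non-ASCII and over-long words. Long or obscure
    words make the phrase harder to type and remember without adding any entropy,
    because entropy comes from the size of the list, not the words chosen."""
    seen = set()
    out = []
    for w in words:
        w = w.strip().lower()
        if not (min_len <= len(w) <= max_len and w.isascii() and w.isalpha()):
            continue
        if w in seen:
            continue
        seen.add(w)
        out.append(w)
    return out


def entropy_bits(list_size: int, n_words: int) -> float:
    """Each word is an independent uniform choice from list_size entries."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits for this list."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(words, n_words: int, rng=secrets) -> str:
    """secrets.choice draws from the OS CSPRNG without modulo bias.
    rng is a parameter only so tests can pass a seeded random.Random."""
    return " ".join(rng.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    wl = clean_wordlist(WORDS)
    n = words_needed(len(wl), 60)  # 60 bits is an illustrative target
    print(f"{len(wl)} words in list; {n} words give "
          f"{entropy_bits(len(wl), n):.1f} bits")
    print(passphrase(wl, n))
    print(f"EFF long list (7776 words): {words_needed(7776, 77)} words for 77 bits")
```

With a small list like the one above you need more words to reach the same entropy, which is exactly the trade-off a wrapper script should surface: show the user the bit count next to the phrase, so a "short" phrase from a tiny list is not mistaken for a strong one.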
(Especially without saying to use only FOSS OS)
As it happens, I use an Android phone as a daily driver. But I'm not a journalist and I'm not handling data that isn't sensitive to anyone but myself. I'm willing to take that risk (edit: and I'm able to, to a level I'm comfortable with, mitigate those risks, which a non-technical person probably can't evaluate safely, to say nothing of implement). But I'm not a journalist whose sources may depend on me.
I didn't say the authors are selling snake oil. But if a person doesn't know much about a subject, they may not be able to tell, and they should be suspicious. They might want to see a review or criticism of it. They might want to verify that it's well intentioned, especially on a sensitive subject such as this. There's nothing zany about that, it's common sense.
If I find some information source that presents itself as an arbiter of truth, but has no justification for its points, I cannot in good faith recommend it to anyone.
The only angry one here seems to be you, with many unnecessarily rude responses that do not at all inspire confidence.
Much of the audience that has the expertise to effectively verify the wisdom of the advice in such a document will have already encountered the views it contains and will be familiar with the reasoning behind those views already. None of the guidance in the article is likely to be something they're hearing for the first time. Even if they disagree with something in the article in whole or in part, they already know why the people who compiled the article likely believe it.
It is good for there to be more detailed explanations for interested non-experts, and there have been a number of more detailed explanations of many of these items elsewhere on the internet. But for most people it's more important to know that, for example, a recent iPhone is their best choice for a secure phone than it is to know the details of why experts on the topic have come to that conclusion, just like it's more important for most people to take a flu vaccine each year than it is for them to understand the process by which that vaccines was formulated.
Be aware that on Google's Android every app in the background has access to the clipboard. And Google refuses to fix that. It is fixed in CopperheadOS afaik.
I understand Google runs a tight ship security-wise, but what about the unintentional information leakage that occurs because they read all your mail to serve you ads?
Gmail is reasonably secure in situations that actually occur frequently. No other providers are. But even Gmail is optimized for adoption and monetization over security, so its security efforts only go so far, particularly when interacting with other email providers.
Is Gmail really the most secure email provider? I am sure it is not for non US citizens. But is it for US citizens. Don't you have better?
We build a tool specifically to help non-profits and journalists learn about and manage their digital and physical security on the move. It's called Umbrella App. It's free, open source, on Android and contains tons of lessons on privacy-related issues like digital and physical security. Umbrella has everything from how to do basic stuff like communicate with basic tools like Signal to sending a secure email with PGP. However, the unique bit is we also have stuff on the physical side, like how to plan travel, cross borders, set up a secure physical meeting, deal with detecting surveillance, cover a protest, respond to a kidnapping etc. Basically we have tried to make it a bit of a one-stop shop for security for regular people, activists, refugees and journalists. We also pull security feeds from places like the UN, Centres for Disease Control etc., which is obviously very important to folks in places like Syria or affected by Zika/Ebola.
There’s tons of really relevant stuff in it, especially for those now mobilising for the first time on some issues. Loads of people are writing guides that solve small parts of the puzzle but we have tried to provide the whole picture in the one place.
Google Play Store:
Amazon App Store:
Hope some folks here find it useful/interesting!
Ends blatant plug
This is a major claim to be making, and it is false. It is not helpful to spread misinformation like this.
Bruce Schneier has said while large government actors may be able to exploit it, it's still recommended: https://www.theguardian.com/world/2013/sep/05/nsa-how-to-rem...
There is evidence that encrypted traffic was stored and research was done on the metadata of these connections but that is no surprise. That may be what they were referring to.
And there simply aren't any better alternatives for encrypting emails or files for transmission. I'd love to be wrong about that, but I haven't seen anything.
It won't work for everyone - Slate's CMS is notorious for only working in Firefox, for example - but if Pro Publica is going to hire 30 journalists, then be their vendor.
I don't think I'd be able to trust any individual or company selling 'secure devices' for journalists and activists.
(Once more for the folks in the back: fingerprints are usernames. Passwords are things you can rotate.)
Of course in places without something like the 5th, and you lie a few times, your death may find you quite quickly, there is at the very least an option... With a fingerprint, no options. Have a picture of your finger and game over.
Your fingerprint is an attribute of you and has no such protection.
As far as "ur own pgp enigmal with riseup" goes: how are you going to get people to email you? Are you, a journalist, going to manage SPF/DKIM and make sure you're doing it right? How are you going to manage antispam? Gmail is not perfect--but unless the totality of your threat model includes getting black-bagged because an NSL found encrypted emails in your inbox, it is probably the best option. (Protonmail is fine too, but increases friction--and increased friction increases the likelihood that you're not going to use it, falling back to easier tools.)
WhatsApp: either that or Signal are fine (and, indeed, run the same protocol!). XMPP relies largely on federation, which relies on federated servers not being compromised, so no, that's out. (I haven't looked at Silence, can't speak to it.)
Chromebooks are a decent option for some use cases, unless (as more and more journalists tend to do) you need something that can easily and effectively edit audio and video. Tails/Whonix/especially-Qubes are not because people need their stuff to actually work and to not spend more of their time fighting their computer than doing their jobs; to that end, a properly patched OS X is a pretty reasonable call.
"Getting real here" means finding a workable place on the do-your-job/security curve, and most of what you're saying is not. For example, of course you would "use social media", because that's a large part of the job of a journalist in 2017. Your recommendations, while (I assume) in good faith, indicate a willingness to invest more time in fighting your stuff than doing your job. Nobody else cares. Recommend what's easy and what gets 95% of the way there (and not, as with something like CopperheadOS, actually detracts).
This is wrong. You absolutely must use an ad blocker or noscript extension if you intend to browse the web securely.
If I was using Firefox or IE, I would agree with you. But step one here is not to be using un-hardened browsers.
GPA is great, but the premise behind this guide is that if you're relying on passwords for Google you're already boned. It's a security win even with TOTP enabled, but I don't think it's enough to earn a spot.
These guidelines are being distributed to activists and journalists along with free U2F keys, for whatever that's worth.
IME, it breaks too many sites to give to all end-users; if the default configuration omitted sites listed as 'Partial'; maybe it would be passable. Maybe have a subcategory for intermediate users and put it there. Novice-level users (for lack of a better term) have no idea why the website is not working, and thus don't even know to consider disabling HTTPS Everywhere.
Also, it makes the user easier to identify.
Chromebooks are made by Google, who is also a known partner in these programs.
It all comes down to who you trust, and recommending that Journalists use iOS Devices and Chromebooks made by Apple and Google who are known snoopers is a bad bet if the thing you're trying to avoid is the US Government.
Also, bluetooth keyboards are trivial to listen in on. Not a great recommendation.
This article is short but bogus.
Step 2: The rest is easy.
Edit: You guys need to get a sense of humor