Hacker News new | past | comments | ask | show | jobs | submit login

> Use your fingerprint to lock/unlock devices.

Fingerprints have a different and weaker legal standard than passwords to protect them

> Use an Android phone.

It may be possible to get a secure Android phone, however, it is unlikely that the one you have is. Varying levels of quality for disk crypto and TPM key storage will do you in.

> Take the devices you work on across the US border

Any data or passwords you have on you is data you could lose, get forced to cough up, etc.

> Assuming I have to carry my laptop and phone across the border, what precautions can I take to minimize the potential privacy violations?

Put an encrypted blob on [name a cloud provider]. Download it once you cross through customs.

> why is Firefox not recommended?

Because Firefox has no sandbox and gets routinely exploited by Law Enforcement

> It's used in the Tor browser

The Tor Browser is an abomination.

> I have not heard of any major security incident recently with Firefox.

You have not been paying attention. Maybe consider accepting the advice of experts?

> You have not been paying attention. Maybe consider accepting the advice of experts?

It would be great to have a few of these issues sourced in the comment (and your comments on the Tor Browser expanded with some reasoning) just so everyone is on the same page. I've seen some exploits with Tor Browser but I thought they'd be mostly sorted out.

I get that Chrome has some more mature sandboxing code, but I must admit I'm not a fan of how it handles a lot of things including download behaviour (http://security.stackexchange.com/q/145808 and https://scarybeastsecurity.blogspot.co.uk/2016/11/0day-poc-r...), Firefox at least does a better job here.

I agree with the advice for border passage, only thing that makes this difficult is the state of upload speeds.

It would be great to get detailed citations from experts on any thread, but we can't always get what we want.

Adding: the Tor Browser might be the least safe browser to use of all available browsers that can be installed on modern computers. It is a perfect storm of "inferior security design" and "maximized adversarial value per exploit dollar spent".

Don't use Tor Browser.

And what about TAILS? It has a separated/modified Tor Browser. If I frequent a certain site and LE knows that I know I can be exploited, but what if I'm an activist who puts the TAILS USB in his notebook, boot from it, then publish an article on medium.com with a freshly created account. Will LE be able to exploit me?

Why exactly?

The comment I just wrote says why, succinctly. It helps if you understand the economics of browser exploit development, and then remind yourself that TBB collapses a whole set of valuable targets down to a single release chain.

Does make sense. Any advice on best way to access the Tor network, if not the Tor Browser?

The TOR network is a network: you can access it using any web browser and the TOR client + a local web proxy. Use Chrome and configure it to use the local web proxy, now you're accessing TOR using Chrome.

@munin can you clarify is "TOR client" the same as "TOR Browser" downloaded here[1] or is it something different?

Do you have any links you can share to best practices for setting up this secure TOR client instead of using the insecure TBB as explained above?

[1] https://www.torproject.org/download/download-easy.html.en

The Tor client is the software which runs the 'onion routing' part. This provides a local network port which is your wormhole into the network; this is called a SOCKS proxy.

The TBB has the Tor client and a browser (a slightly tweaked Firefox) configured to connect via the Tor SOCKS proxy rather than via the standard network.

I was disappointed last time I booted up TBB to see they had security by default set to 'Low', which enabled lots of unnecessary stuff, like javascript on for every site by default. Too many content parsers trying to do stuff with untrusted data. Its pretty poor.

> You have not been paying attention. Maybe consider accepting the advice of experts?

Nothing on the article's website suggests an affiliation or particular interest with security issues. This kind of patronising tone directed at people asking for help is the single most unpleasant part of the IT security industry.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact