Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/02/border-digital-safety-for-journalists.html

The CPJ, the “Committee to Protect Journalists”, offers some horrible advice [*] on Digital Security, especially when crossing the border.

The most important piece of advice I can give you is this: if somebody’s life depends upon it, then no simple piece of advice, no infographic, is going to help you. You have to learn about cybersecurity enough to make intelligent decisions for yourself. You have to make difficult tradeoffs yourself. Anybody giving you simple advice or infographics is a charlatan.

So I thought I’d discuss what’s wrong with the following infographic:

I. Passwords, managers, and two-factor

The biggest issue is don’t reuse passwords across different accounts. If you do, when hackers breach one of your accounts, they breach all of them. I use a simple password for all the accounts I don’t care about, then complex unique passwords for all my important accounts. I have to write them down on a piece of paper I’ve got hidden at home, because sometimes I forget them.

Password managers certainly help you have multiple strong passwords across many accounts. On the other hand, it puts all your eggs in one basket, and the police can grab them from the company.

Two-fact can help, but hackers have shown they can intercept SMS messages to your phone number.

One problem you have to deal with is that going through border control, they’ll ask for all your social media passwords. If you are using two-factor authentication (SMS to a phone) then it won’t do them much good having the passwords. Not having your phone with you while your cross the border isn’t hard. You can use a separate Google Voice phone number (free) which you disconnect form your phone before traveling across the border, and reconnect when you get back home. You can also use a cheap $3/month account (like one of the M2M/IoT SIMs) on a second phone.

II. Encrypt laptop and screen lock

Border control, law enforcement, and smart criminals can bypass the “screen lock”. This is practically true for MacBooks (with their Thunderbolt ports), they’ve got the tools to do this with ease. This is theoretically true for Windows, though without Thunderbolt or Firewire, I don’t know how to easily break out the screen lock on most of them.

The upshot is that before going through border security, power off your laptop completely.

Encrypting your laptop is excellent advice, but you are still likely to fail at this. In all likelihood, you are going to choose a weak password that can be “brute-forced” (guessed) by the police. Or, you are going to setup a “password recovery” feature where the police can get your password by subpoenaing Apple or Microsoft. Describing how to do this well requires multiple pages of text.

III. Use Signal or WhatsApp

Using Signal is good. However, they still get the metadata who you are talking to. Also, using Signal in a foreign country makes you stand out, because only people with something to hide from the police use Signal. Using WhatsApp is better, because lots of people use WhatsApp for normal day-to-day chat. These are the sorts of subtle issues you have to think through.

IV. Secure Browser

On the phone, use Brave. It’s like having Chrome with HTTPS-Anywhere and uBlock origin built in, getting rid of privacy tracking cookies and ads. Indeed, one of the engineers of HTTPS-Anywhere is one of the principle engineers of Brave.

On a laptop, either configure the browser to forget all cookies when it exits, or use “incognito” mode a lot. Features that secure cookies aren’t as important as not leaving a cookie trail to begin with. I’ve got Twitter, Gmail, Spotify, and other privacy-identifying apps open in Chrome, but use “incognito” mode whenever I google search for something (like “weapons grade uranium”), so that the government can’t tie the search back to me.

Conclusion

Don’t take this post as advice what you should do.

Instead, the purpose of this post is to show the limitations of a simple infographic. While it’s not precisely bad advice, if you do what it says, you (the journalist in the case) will still divulge all your sources to border control when coming into the United States.

Bonus

The situations you are really confronted with are things like border control demanding access to your Facebook account before they let you into the country. How long are you willing to wait? They’ll certainly try to detain you long enough until you miss your connecting flight. Whatever security you have still depends upon how much pressure they can apply. If you aren’t willing to miss your connecting flight, no amount of security is going to help you.