Wednesday, July 29, 2009

A Protocol for Visiting China (or DEFCON)

The following is my computer protocol for visiting a hostile environment. I actually designed it under the threat model of "What if I needed to visit China", which requires facing two nation-state adversaries (the US and Chinese government) which may have legal access to the computer, but I use it for going to DEFCON.

It may actually be overkill for DEFCON, but as they say "There is kill, and there is no kill, there is no such thing as overkill". I wanted something I knew could work.

The philosophy is twofold, the first is system hardening, while the second is constraining the damage a compromise could do.

I begin with a clean OS install on a newly formatted hard drive. The system is brough fully up-to-date and necessary tools are installed (Firefox, Bro, Click, ipsumdump, Tex, etc) that I will need during my trip. Plastic MacBooks are especially nice, as the hard drive is trivial to change.

I then segregate data. I create a new account on a server I have access to. This account has a new password, and is accessed through a new SSH private key. I create a version control archive on this account which I can also access from my normal account(s), and use this to store the entire working set I will need during the trip, but no more.

Finally, I set up my web browser. I use NoScript, disable flash, disable Java, and tunnel all traffic through SSH. (I use both browser hardening and a tunnel because its easy to screw up and have traffic escape a tunnel, eg, by forgetting to set Firefox to also tunnel DNS through SSH).

This works not because what is present, but what is absent. I do not have access to my mail accounts, normal public keys, or full working set. Not only do I harden my system, but I explicitly limit the working set so that a compromise minimizes the damage. If I need email access during the trip, I will set up a new Gmail account and forward my mail to the new account.

And once I do that, no worries! I may be on a hostile network, but I've taken steps to minimize my vulnerability surface. But I know I'm not perfect, and who knows what zero-days are lurking in my computer. Thus I've limited the potential damage from a compromise: you can't compromise data that doesn't exist.

No comments: