Can someone explain the reasoning behind these recommendations?
Don't :
> Use your fingerprint to lock/unlock devices.
> Use an Android phone.
> Take the devices you work on across the US border.
Anyone has experience with their devices being searched at the border? Do they just look at your social media and let you go or do they somehow copy the data on the devices or install any software on the devices? Will the persons devices always be in visibility or do the CBP officers handle them in separate rooms?
Assuming I have to carry my laptop and phone across the border, what precautions can I take to minimize the potential privacy violations? After crossing the border, do I just reinstall my OS of choice (Ubuntu) from scratch and reset all passwords?
Regarding the browser recommendation, why is Firefox not recommended? It's used in the Tor browser and I have not heard of any major security incident recently with Firefox.
Fingerprints have a different and weaker legal standard than passwords to protect them
> Use an Android phone.
It may be possible to get a secure Android phone, however, it is unlikely that the one you have is. Varying levels of quality for disk crypto and TPM key storage will do you in.
> Take the devices you work on across the US border
Any data or passwords you have on you is data you could lose, get forced to cough up, etc.
> Assuming I have to carry my laptop and phone across the border, what precautions can I take to minimize the potential privacy violations?
Put an encrypted blob on [name a cloud provider]. Download it once you cross through customs.
> why is Firefox not recommended?
Because Firefox has no sandbox and gets routinely exploited by Law Enforcement
> It's used in the Tor browser
The Tor Browser is an abomination.
> I have not heard of any major security incident recently with Firefox.
You have not been paying attention. Maybe consider accepting the advice of experts?
Adding: the Tor Browser might be the least safe browser to use of all available browsers that can be installed on modern computers. It is a perfect storm of "inferior security design" and "maximized adversarial value per exploit dollar spent".
And what about TAILS? It has a separated/modified Tor Browser. If I frequent a certain site and LE knows that I know I can be exploited, but what if I'm an activist who puts the TAILS USB in his notebook, boot from it, then publish an article on medium.com with a freshly created account. Will LE be able to exploit me?
The comment I just wrote says why, succinctly. It helps if you understand the economics of browser exploit development, and then remind yourself that TBB collapses a whole set of valuable targets down to a single release chain.
The TOR network is a network: you can access it using any web browser and the TOR client + a local web proxy. Use Chrome and configure it to use the local web proxy, now you're accessing TOR using Chrome.
The Tor client is the software which runs the 'onion routing' part. This provides a local network port which is your wormhole into the network; this is called a SOCKS proxy.
The TBB has the Tor client and a browser (a slightly tweaked Firefox) configured to connect via the Tor SOCKS proxy rather than via the standard network.
I was disappointed last time I booted up TBB to see they had security by default set to 'Low', which enabled lots of unnecessary stuff, like javascript on for every site by default. Too many content parsers trying to do stuff with untrusted data. Its pretty poor.
> You have not been paying attention. Maybe consider accepting the advice of experts?
It would be great to have a few of these issues sourced in the comment (and your comments on the Tor Browser expanded with some reasoning) just so everyone is on the same page. I've seen some exploits with Tor Browser but I thought they'd be mostly sorted out.
> You have not been paying attention. Maybe consider accepting the advice of experts?
Nothing on the article's website suggests an affiliation or particular interest with security issues. This kind of patronising tone directed at people asking for help is the single most unpleasant part of the IT security industry.
It's not just the US border, any border they can request you open up social media accounts or walk away with your laptop or phone and return it later filled with spyware. Business trips from here to China always involve buying a new phone and wiping/selling it on Craigslist after you return assuming it's been compromised.
What can I subscribe to, to hear about news like that in a more systematic fashion? I mean, monitoring all CVEs might be a little to much for somebody who isn't full time security professional, but there surely must be some reasonable compromise between that and position like "this browser is secure because tptacek said so".
I don't mean anything against tptacek personally, but without any substantial grounding this is as good as believing Keith Alexander/Michael Rogers/Vladimir Putin/Osama bin Laden/coin toss. In fact, coin toss might be the most secure of all, as I surely know it doesn't try to fool me on purpose.
US-CERT publishes alerts on vulnerabilities affecting common software. Several RSS feeds available. They also have weekly vulnerability summaries for a wide range of software.
Border patrol cannot force you to divulge a PIN or password. They can force you to apply your fingerprint.
Look elsewhere in this thread for "why not use an Android device."
Don't carry your work devices across the US border because they may be taken, can be taken out of your view, and may be duplicated (and yeah, you should have FDE on your computers etc., but don't take the chance).
They might not be able to force that on US citizens, who have an absolute right both to habeas and to enter the country. They can force it on nonresident aliens.
Don't :
> Use your fingerprint to lock/unlock devices.
> Use an Android phone.
> Take the devices you work on across the US border.
Anyone has experience with their devices being searched at the border? Do they just look at your social media and let you go or do they somehow copy the data on the devices or install any software on the devices? Will the persons devices always be in visibility or do the CBP officers handle them in separate rooms?
Assuming I have to carry my laptop and phone across the border, what precautions can I take to minimize the potential privacy violations? After crossing the border, do I just reinstall my OS of choice (Ubuntu) from scratch and reset all passwords?
Regarding the browser recommendation, why is Firefox not recommended? It's used in the Tor browser and I have not heard of any major security incident recently with Firefox.