archive provided by lainchan.jp

lainchan archive - /sec/ - 4241



United States CBP (Customs and Border Protection) wants your phone, your facebook, and your Twitter.

what OpSec do you perform to disrupt this effort?
what OpSec do you recommend to avoid/deter against this?

Rules of the engagement:
- CBP can detain you and search you with no suspicion.
- if you are a citizen, you have a limited subset of rights at CBP checkpoints. An attorney cannot help you here.
- CBP is authorized to use deadly force. most are heavily armored, well armed, and CCTV is in effect.

- CBP are not trained in infosec. many do not graduate beyond high school education.
- explaining rights, laws, freedoms, etc... is discouraged. see above.
- technical descriptions or explanations should be avoided. see above.


Really wanna hear the case where a citizen had none of the three.
Have yet to hear of one reported incident...


Things like this should make it clear for everyone that their facebook accounts are actually not theirs. And they never were.

Best solution here is to have no accounts in social networks at all. And the only piece of electronics you can have in your pockets is a cellphone like Nokia 105 with numbers of your close relatives.

if they decided to search you - let them do that. And you must not fear.


In case I had closed my accounts on Facebook (+1 year) and Twitter (+5 years), what should I do? Will I get arrested?


I'm pretty ok with this. If you have a phone, you should never have sensitive information on it.
**Sage for being off-topic.**


opsec is about separating personal and "professional" life,

Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence

I would not involve disruption. (also, I hope you're not planning anything, OP)


>I pretty ok with this. If you have a phone, you never should have sensitivity information in same.
That's pretty fuarrrking dumb, because you can't use your phone without having sensitive information (your SIM card) on it.
Once they have your SIM, they can probably trace back your calls and messages, which, in combination with your ID, is pretty useful for building social graphs.


You need to pass the CBP test. In this case, you take only your "public" SIM you are using to call grandpa to say that you want to see him. This social graph can be built without your SIM-ID.


Lucky me. I don't have any of those.


Op here. I'm disappointed.

>United States CBP (Customs and Border Protection) wants your phone

72 hours prior to your vacation involving US travel, execute a backup of your phone. in android:

adb backup -apk -shared -all

encrypt the backup and send it to a secure online site. Wipe your phone, enter customs, surrender your phone. after you arrive at your hotel, restore your phone.

>your facebook

the hint was that CBP are NOT trained in infosec. chances are excellent there are numerous profiles identical to your own. simply give them a name. if the individual is older, tell them it is a mother/father and that the account is shared as a family account due to dementia/health reasons. best solution: do not enroll in facebook.

>your twitter

best solution: do not enroll in twitter.

CBP are not forensics experts and the bar for employment is quite low. if you're a citizen you can give them fake employers and fake job titles, fake attractions at foreign countries and fake hotel names. Most can't find the city or country you're claiming on a map, and if it's after midnight they're easily just as tired as you.

winrar. Remember, you've done this a hundred times. you're not scared, just jetlagged from the flight.

perhaps it's a strong word, you're right. to interrupt the normal progress or activity of CBP in that I meant you would not blindly acquiesce your personal information but merely appear to do so.

metadata collection is already happening. nothing here will stop that.
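
A check for the backup step in the post above, run before the wipe, as an added example that is not part of the original post: it parses the `adb backup` file header, unpacks the archive and reports which expected paths are missing. The function names, package names and path prefixes are assumptions, and the sample archive is constructed.

```python
import io, tarfile, zlib

MAGIC = b"ANDROID BACKUP"

def inspect_backup(data: bytes) -> dict:
    """Parse an `adb backup` (.ab) image: 4 header lines, then a (deflated) tar."""
    stream = io.BytesIO(data)
    magic, version, compressed, encryption = (
        stream.readline().rstrip(b"\n") for _ in range(4))
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    info = {"version": int(version), "compressed": compressed == b"1",
            "encryption": encryption.decode(), "entries": []}
    if info["encryption"] != "none":
        # Payload is encrypted with the backup password; contents not listed here.
        return info
    payload = stream.read()
    if info["compressed"]:
        payload = zlib.decompress(payload)  # raises zlib.error if truncated/corrupt
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        info["entries"] = [m.name for m in tar.getmembers()]
    return info

def missing_from_backup(data: bytes, required_prefixes) -> list:
    """Return the required path prefixes with no entry; an empty list means verified."""
    try:
        entries = inspect_backup(data)["entries"]
    except (ValueError, zlib.error, tarfile.TarError):
        return list(required_prefixes)  # unreadable backup: nothing is verified
    return [p for p in required_prefixes
            if not any(e.startswith(p) for e in entries)]

def build_sample(names, compressed=True) -> bytes:
    """Build a small unencrypted .ab image (constructed data, for the demo only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            body = b"constructed sample"
            entry = tarfile.TarInfo(name)
            entry.size = len(body)
            tar.addfile(entry, io.BytesIO(body))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    return b"ANDROID BACKUP\n5\n%d\nnone\n" % int(compressed) + payload

if __name__ == "__main__":
    ab = build_sample(["apps/com.example.notes/_manifest", "shared/0/DCIM/a.jpg"])
    print(inspect_backup(ab))
    print(missing_from_backup(ab, ["apps/com.example.notes/", "apps/com.example.bank/"]))
```

Apps that set `android:allowBackup="false"` are left out of `adb backup`, so the missing list is where data that would be lost in the wipe shows up.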


Retroshare or IRC+Tor or Pidgin+OTR on Hidden Crypted Volume. The hidden volume is important. They can/could force you to unlock your phone/laptop. If you can open it and show that it is "functioning" then they're not likely to look deeper.


Yeah social graphs are great but that is, again, why you don't mix business with pleasure.



If we're talking opsec here, don't use your phone for anything ops related.

You don't get fuarrrked by one large thing (usually, that is), just a chain of smaller things like this.


>encrypt the backup and send it to a secure online site. Wipe your phone, enter customs, surrender your phone. after you arrive at your hotel, restore your phone.

This is easily the best way to go about this. Yes, you will have to put your data online, but with strong encryption and a long and well-chosen key that shouldn't be a problem. I guess you could also SSH into a server you have physical control over to do the transfer for added security.

This method also makes it so you don't have to lie if they ask you if you have anything hidden/encrypted on your devices.


Don't carry sensitive information through the border.
Buy a new phone for border crossing only, use it marginally to make it look legitimately like a personal phone. Assume a rootkit's been installed after handing it over to the authorities. Don't use it for actual business.

Make arrangements to buy a new phone and/or laptop after crossing, and restore your data from anywhere, really.

Keep some social media accounts around as cover.
Don't put any compromising information on it.
Keep the amount of sites linked to your accounts minimal.

In short, be prepared to cooperate fully; Don't say no to anything, and expect everything with your name on it to be searched.

Your exact arrangement will depend on what you're trying to hide, and what the consequences for exposure are, but unless you have to travel on a single day's notice, you should have plenty of time to think this through.


Friendly reminder that they don't need to even find anything about you to deny you access to the US. They can just decide they don't trust you and turn you away. Americans are confused and angry when this happens to them at a foreign border but your guards do it to us all the time, so much so that we spend hours or days getting our stories and appearances right before making an attempt. At least I used to...

I only have 1/3 but I was probably unable to visit the US again anyway and with this new administration it's pretty much guaranteed for many years now.


You know having social media accounts basically guarantees that there's a way to trace you. The fact of that really bothers/scares me. And what's even worse is that it legit freaks out some of the people I meet that I haven't used social media.

I use a flip phone personally so the thing is easy to dump. If anything too sensitive goes down on it I carry sim cards and swap them. Maybe I'm just a tad too paranoid, but it's just what comes natural.


>"Am I being detained or am I free to go"


No matter how hard they try, they will never get social media accounts out of me that I do not have. I also doubt they can get much out of a feature phone that cannot even go on the internet, if I even bother carrying it at all.

Best bet is since you can already afford to travel outside the country anyway, just take no phone with you and buy a used burner phone in the foreign country you visit (or arrange for someone to get you one). Get rid of the burner phone when you decide to leave.


> You are free to go. Back to your country of origin, at your expense, and no the airline won't refund the other return ticket you already paid for.
> Also this will be added to the file we keep on every traveller attempting to enter the US and will haunt you forever every time you try to come back
> We hope you enjoyed your extremely brief visit to these United States.


>this man has no social media accounts for us to go through or a phone
>don't let him through then.


I think I can possibly make a pretty good pitch as to why I've never had social media without mentioning security. FB is a toy for children and it's absurd that adults think it's required now, not to mention I have better things to do than "like" people's cat videos all day. Twitter and other microblogs are destructive to people's attention spans and are nothing but junior high level popularity contests with 100 million more children involved. Humbug, etc.

I'm older than a lot of US border guards so I think I could pull it off.

Travelling without a phone though, in this day and age, that's a bit of a flag. If anything went wrong in a foreign country it's not like there's a payphone on every corner anymore.


wonder what happens if you don't have any.
encrypt the device. or wipe device & boot from encrypted removable media.


We've brought that up multiple times already and apparently no one knows the answer. It's probably fine if you're a senior citizen or from a technologically backward country but the suggestion of any other adult being off social media is probably suspicious. Like you have accounts but you're hiding them they'd likely say.

I also wonder if you're not a visitor who can be turned away on a whim but a US citizen coming home. They have to let you in in that case. How long would they detain you if you refused to open your phone for them? Hurr if u got sumfink 2 hide it must be bad amirite xD


Relevant: https://medium.com/@thegrugq/stop-fabricating-travel-security-advice-35259bf0e869#.zf2zm5jt1

Again, get a phone for traveling only, use it, and don't put any soykaf you don't want seen on it.

Keep an FB and Twitter and whatever for cover, and just keep your irl friends out of it. Anything else is just asking to get deported, or detained



90% of people are going to crosspollinate private/public social media accounts and phones. Any evidence of a lack of full disclosure will result in intense additional scrutiny.

Don't use a smart phone. Don't use social media. At most, limit yourself to linkedin if you are not currently employed in food service, and have public/private email.


So don't leave any evidence. Use your full name only on your specially curated social media accounts to avoid having to share more than you have to. If you're not a senior citizen, then telling CBP you don't have a Facebook account is also going to elicit an intense amount of scrutiny.


Why do people get anything other than say, a linkedin or профессионалы?

Do they actually give a soykaf about the useless facebooks reposts of lolcat and other such sites?

And how would one cross the border without getting anything more than that. Just getting a hundred "friends" and doing nothing wouldn't work, but actually using it would be a chore. How would one fix that? I hear facebook does stuff to prevent botting...


You have the phone locked and you don't tell them the password. You tell them you don't have social media.

It's not like they can use enhanced interrogation. They would only hack the phone if they found drugs on you, in which case you are already busted.



>As it stands today, Customs and Border Protection says it will not deny entry to those that refuse to submit any social media information

fuarrrk them, just don't comply at all with this kind of overbearing soykaf. It can't be enforced and only really narcissistic or gullible people would hand this kind of thing over willingly.

> The goal, the government says, is to “identify potential threats,”

>Join this "Friends of The Islamic State" group fam!



This is expensive, ineffective security theater already being abused, which Snowden clearly documented. It hurts tourism, international business travelers with proprietary IP, and working professionals with confidential personal information. Source:

The "terrifying-men of ill repute" are widely known to use runners (not phones or laptops) for delivering critically sensitive information. Socialized paranoia costs taxpayers a massive amount of money to maintain. This is part of why burgers "can't afford" free health care and have increasing poverty and a widening wealth gap. Good luck avoiding further financial crises with rapidly accumulating "security" expenses and a significantly diminished international reputation for spying on everyone you do business with. Apparently burgers can now be scared into financial ruin.

A cheapo burner purchased at your destination is best if you absolutely need a "personal device" for phone access. Use voip for communication without incurring additional costs. International long distance calls are expensive and just as easily intercepted and recorded as Skype conversations. A burner connected to a local mobile provider is usually cheaper than international roaming fees.

If you refuse to consent to datamining your device for permanent archival, the authorities will confiscate your device and detain you for enhanced interrogation without legal representation. In current year you have zero rights at an international border crossing. The terrifying-men have succeeded in abolishing freedom and fuarrrking up the lives of everyone who travels internationally.

It's most secure to avoid bringing digital devices when traveling and be content with being disconnected. Nearly everyone you meet at your destination will have a phone/internet access anyways, so it's not as if you won't be able to borrow access in the rare event of an actual emergency.

As a "foreign alien" (ie: terrifying until proven politically aligned) you're being screened and monitored to the greatest extent technically possible. Remember that. Maintain eye contact, be polite, forthright, and honest about your intentions. Keep your explanations simple and to the point. As OP mentioned most people working enforcement jobs are poorly paid, politically conservative "adults" with a high school-level education. Keep that in mind while you're being probed for evil thoughts. Simple yes/no answers are ideal. Ambiguity is suspicious. "I don't know" opens you up to further questioning, which increases the risk of you contradicting yourself.

Social media is consensual surveillance. It has no place in a free democratic society (LALL!). Delete that soykaf if you're still using it. Your real friends are people who you can interact with without being monitored and recorded.




Just don't go to the US. It's not worth it anymore.


the EFF has released a guide on exactly this issue:
there's a link to the guide itself (html or pdf versions) as well as a printable, abridged "pocket" version on that page


You don't understand how the US border works. They don't need a solid reason to turn away any visitor. They can't force you to hand over your phone but they do turn people away for more trivial things every single day. I'm talking about visitors now, not US citizens.

There were some news stories recently about natural born Canadian citizens being denied entry to the US for not having proper papers. You don't even need papers beyond a passport in this situation, something all these people had.

All the guards have to do is say they don't believe your story. This isn't even a new problem, it just never got much media attention before and perhaps it is happening more frequently now.


with all this in mind, it might just be better to not do anything sensitive at all over text+calls. Just keep some innocuous texts from friends and family on it, maybe some porn so they think they've found what you were hiding, and do anything else on data or wifi, and uninstall those apps before they get to it.
I'd love something like that function TrueCrypt has where one password unlocks your private stuff and another password unlocks a dummy sanitized version. Someone could probably even do this with a custom lock screen if we're talking about fooling normal people.



Kevin Mitnick described a bit of social engineering he did on 2600 to get around this soykaf. He told them they could have everything on his phone and his main system (laptop), and then told them they couldn't have anything that was on a soykafty chromebook that had no info on it that he had with him. They immediately stated they weren't interested in the laptop or phone, only the chromebook.