Security: A Message to You Newsie

Posted on July 28, 2008
Filed Under Apparatchiks, Beijing Olympics, China Internet, Cyberespionage, GFW, Security |

Thomas Crampton (hat tip to the new and excellent China Journal) interviewed Rebecca MacKinnon on IT security tips for journalists coming to China.

It was well meant, but if you’re really paranoid it won’t get the job done. So here’s a list of things to do to stop those prying eyes:

Wipe and reinstall your laptop
Even if you delete a file, it’s not gone. It’s just waiting to be written over. That means that your laptop is chock full of information that any decent forensics program can recover. Use Darik’s Boot & Nuke to get rid of any data artifacts and reinstall everything.

This applies to your email inbox, too. So don’t go downloading all those dissident emails back on to your clean laptop afterwards.

Scramble eggs, but encrypt your hard drive
TruCrypt is 1) free and 2) really good. You can either encrypt the whole drive or create an encrypted partition to store data (you can even hide the partition). You’ll need to be really good with memorizing passwords as you’ll need a doozy for good encryption.

Don’t use a USB device to store data
You’ll lose it. And if it’s unencrypted you’ll feel like an even bigger idiot.

Don’t get phished
If you get an email from someone you don’t know with a link, don’t click on it. Phishing is alive and doing quite well in China. The email are meant to bring you to a website that will try to download some nasties onto your laptop.

You should also turn off HTML support in your email. Little, invisible links do the same thing.

Proxies aren’t perfect
Proxies such as Tor are great tools, but they only offer anonymity, not privacy. That means everything you send through them is passed through lots of servers where it can be observed. So don’t use it for anything important like banking, email, or accessing company resources via the internet.

Services such as WiTopia, mentioned in the post, are fine (assuming you trust them). They just cost money and they can be easily blocked at the network level if the government is so inclined.

Use Skype
Calls and messaging via Skype are encrypted with a big 256 bit key. There have been questions on the strength of the encryption and if there are back doors into it. But what the hey, what else are you going to go if you need to talk/chat with someone online? Besides, I doubt the PSB is on the back door distribution list.

Practice safe computing
Don’t use anyone else’s USB key as it may have a virus on it, use Firefox with Noscript to block virus transmitting scripts, make sure your laptop operating system and software have been updated to all the latest and greatest security patches, make sure to update your anti-virus before and during your visit, use an an extra anti-spyware tool (Ad-Aware used to be my favorite), set your browser to clean its cache and history when exiting, and don’t let anyone else use your computer.

Make sure you’re firewalled
Set up and test a software-based firewall for your laptop. Windows has one that I’ve never liked. All the security software vendors have something. You’ll need it to protect against online attacks (from some bored script kiddie hacker, most likely).

Be realistic
You’ll never be 100% secure, it’s an impossibility. It’s a lot easier to keep a secret if you don’t write (or type) it down.

For your sake, I hope you’re actually important enough to need all this.