New Fun Blog – Scott Bilas

Take what you want, and leave the rest (just like your salad bar).

Archive for the ‘peru’ Category

Keeping Portable Data Secure

with 4 comments

In a previous post I talked about how I keep my data physically secure, based on the guidelines I had laid out. Now, let’s assume that physical security has failed. How can this problem be minimized?

10 million years oldData Security

Data security for me is two main things: protection and recovery.

First, if the hardware holding the data disappears, I don’t want to have a chance of anyone being able to use it. Whether it’s email, passwords, financial statements, code, SDK’s protected by NDA, or whatever.

And second, I’ve got to be able to restore what was lost so I’m back up and running in as little time as possible.

Data Protection

So first let’s hit the data protection: keeping my private bits out of someone else’s hands (har har).

Protecting My Hardware

TrueCrypt logo

This is relatively easy: use TrueCrypt. It’s free, really easy to set up, and doesn’t noticeably affect system performance. Well, except for large file writes where the kernel CPU time goes up some. Depends on hardware setup. On my notebook it hasn’t been an issue for me at all.

TrueCrypt has a huge advantage over Vista’s BitLocker: it works on the entire system drive, and encrypts in-place. And it works on all versions, not requiring the overpriced Super Ultimate Deluxe Vista. I looked into using BitLocker anyway (I got a free copy of Ultimate from Microsoft for working on the Vista in-box games), but it requires a special partition, and looks like it will be a pain in the ass to set up. Other than the poor GUI, TrueCrypt is better than Microsoft’s stuff in every possible way.

TrueCrypt is super easy to set up. You install it, then tell it to encrypt the system drive. After some setup, burning and testing a recovery disk and some compatibility tests, TrueCrypt converts your system drive while you are using Windows. You can even shut down and restart and it will pick up where it left off. Really neat.

So I did the full system drive. If someone gets it, I’m safe.

I also did half of my USB backup disk as a single TrueCrypt file and set up some shortcuts to mount/dismount easily. The other half is used for Ghost backups, which has its own encryption so it’s stored in the clear area of the drive. I wanted to keep the route to restoring from backup as simple as possible.

If you don’t typically want a Recycle Bin on your encrypted USB drive, set the TrueCrypt default mount options for “removable”.

Some Misdirection

Drive failure detectedThere’s one extra TrueCrypt feature I use worth mentioning. I’m hoping this will avoid potential irritation when I reenter the States. I’ve heard plenty about our idiot government forcing citizens to type in their passwords so they can search their hard drives, maybe even making full copies to search later. Say no and the thugs will impound the equipment (note: this is not the TSA, it’s our glorious U.S. Customs). This massive invasion of privacy is being fought by the ACLU and EFF and many others (one small reason I give them money every year).

Until the customs regulations are fixed, how about we protect ourselves with some misdirection?

TrueCrypt lets you change the boot-up screen to show a short bit of text instead. Let’s use a nasty sounding error like “Drive failure detected”. It makes no indication that the machine is encrypted and asking for a password (keystrokes are not echoed to screen).

Now if they say “turn it on and type your password” I’ll say it broke when we were in the jungle or whatever and hasn’t worked since. Look, see? Hard drive failure, poor me, I’m so very sad!

I like this solution a lot better than the hidden OS idea, which is more of a pain to maintain and will waste a lot of my time at the border. And if they impound it anyway, well, I’ll have already backed up everything I really care about to my NAS sitting in the States.

Working With Their Hardware

Ideally I’m on my own network with my own equipment. But too often I’m forced to go to the locutorio and use their equipment. How do I keep this safe? I have to assume a malicious sysadmin, or user, or virus has key loggers going. Or malware watching what I’m doing through their installed browsers.

Best case: forget the locutorio, buy a cellular modem, and run on Claro anywhere in the country. Around $60 a month or so. I regret not doing this actually, it would make it easier to work almost anywhere we go. Now it’s too late, as they have a six month minimum plan and we’re only here another four months.

Pretty good case: plug in directly to their network. I carry a network zip cord with me just in case they let me at the switch, but I’ve only been able to do this in one place so far (I used D-Link’s micro travel Wi-Fi to share it among our two notebooks and my iPod, which was awesome). Or if they have Wi-Fi, use that direct. This is super rare in Peru. Even at places that advertise Wi-Fi chances will be that it’s broken.

But even if Wi-Fi blanketed the Earth, I’d still have issues when we need to check email and I don’t have my notebook with me (like if we’re travelling light).

Kingston DataTraveler 16GBGrudgingly ok case: use portable and secure software of my own on a USB key. These things get bigger and cheaper every day. I use a 16GB stick which has been more than enough.

Allison has her own USB key that I manage as well. We take these everywhere with us in our wallets. They’re very small and are basically our keys to the Internet when we’re out and about travelling lightly.

Contents Of My USB Key

If Found Please Email MeSo what’s on it? Mainly, Portable Firefox with LastPass. And a bunch of other stuff. Here’s the contents:

  • “Data” folder with a big TrueCrypt file.
    • I never end up using this at locutorios. It’s mainly for keeping ultra critical files with me and secure (like small backups of my notebook).
  • “Portable” folder with all my portable apps. More on that in a bit.
  • “Recovery” folder with…
    • LastPass client app
    • Norton Ghost recovery and installer
    • TrueCrypt recovery and installer (still requires master password to work so this does not compromise security of my notebook)
    • Boot disk ISO for DOS with tools. Just in case…? Well, I’ll never use this, it gives me a warm feeling to have it.
  • Autorun.ini in root pointing to Portable Apps shell
    • Autorun is disabled on my own PC but usually enabled on PC’s in locutorios, so let’s make it auto-launch the shell for convenience.
    • Note that autorun is a great target for viruses so there’s a chance this file will get screwed with once you plug it in. Check on it every once in a while to make sure it’s still got your stuff in it.
  • Root folder has my email address.
    • If I lose the USB key I really doubt I’ll get it back, but maybe I’ll get lucky.

I occasionally make changes to the USB drive. Upgrade Firefox and add-ins, add a new portable app, upgrade the ClamWin database, etc. Once done, I back it up using 7-Zip for the nuke-the-entire-site-from-orbit option if I pick up something nasty at a locutorio. And I’ll propagate it over to Ally’s key. It’s good to keep things current and doesn’t take long.

It goes without saying that this is all Windows software. There are exactly zero locutorios with anything other than Windows. I’ve seen everything from Win95, 98, 2000, up to XP, plus weird heavily modded setups that make XP or 98 look like Vista. But not once ever a Mac or Linux. Always Windows.

PortableApps logoPortableApps

The main download comes with most things I need, but I’ve had to add a few portable apps.

Here’s the full list of what I use: Firefox, 7-Zip, ClamWin, IrfanView, Notepad++, On-Screen Keyboard (for entering passwords), SpeedCrunch, TrueCrypt, Sumatra PDF, VLC Player, LastPass Pocket, and OpenOffice. I haven’t needed OpenOffice yet as all locutorios have had Microsoft Office already (most likely pirated).

Portable Firefox is already set up pretty well for running from a USB stick but it’s worth reviewing the configuration. A lot of these public machines are old and don’t have USB 2, so you want to kill as much disk activity as possible or it will run incredibly slow. This means turning off saving history, sessions, disk cache, phishing detection, and so on. You want these off anyway for better security. Test it with ProcMon to see when it touches the disk and try to turn off the appropriate option.

My Firefox includes only these Add-ons: LastPass for logins (more on this in a bit), DownThemAll for downloads, and AdBlock Plus of course. Not just to kill annoying ads, but it really speeds up internet browsing on slow locutorio shared connections. And make sure to install the Flash and Java plugins for sites that need it. For example the LAN Perú web site stupidly requires Java for their seat assignment. These need to be installed on the actual machine you’re using in order to work, but it’s good to have the Firefox side of these plugins installed and ready into the portable app so you can use them.

For a bit more privacy, have Firefox clear all saved data on exit. Now, you could put all the portable apps in a TrueCrypt partition, but you can’t guarantee that the machine will let you run TrueCrypt to mount the file as a drive (requires admin access).

And lastly, be sure to disable all auto-update features. You want to do updates manually over a trusted connection on trusted hardware after scanning the stick for viruses. I don’t trust any software downloaded on a public PC. Plus, having Firefox auto-downloading a patch in the background while browsing on a slow connection is really frustrating.

LastPass logoLastPass

I love LastPass. It has made web browsing so much easier and more secure for me and my lady.

LastPass is a browser add-in, web app, and portable app that uses the LastPass.com servers to synchronize passwords, secure forms and notes, and so on. The LastPass servers never see the clear text version of anything as all encryption is done client-side, which is great. It’s getting increasingly worrying that so many incredibly useful web services these days (Digsby, Mint, grr) do server-side encryption and storage of passwords.

I’ve stopped using the same four passwords for all my web sites and am instead generating unique, secure passwords for each. All synchronized across all my machines and the USB key! This is so important for stupid web sites like americanexpress.com that have silly password requirements like “no more than 8 characters”.

So when entering a locutorio, I…

  1. Pop in the USB key.
  2. Launch PortableApps if it doesn’t come up on its own.
  3. Launch Portable Firefox and On-Screen Keyboard.
  4. Hit the LastPass button on Firefox and use portable On-Screen Keyboard to enter my master password.
  5. Browse away!

I can’t say enough good things about LastPass. It has completely replaced my stored passwords in Firefox and misc “password.txt” type files on my machine.

Here are some of my favorite things:

  • LastPass auto-login It has an optional auto-login feature. You can just open facebook.com and it types in your username and password and hits the login button for you. I love this.
  • LastPass works on all sites I’ve tried so far, including all those banks that prevent browser-based password storage.
  • You can share passwords through the web service. Ally and I use this for common sites we use like Mint.com.
  • It stores form data (credit card info) as well as “secure notes” that can contain whatever you want. The form data can be auto-filled in for registrations. Multiple profiles supported so I can do “Home” and “Work” etc.
    • It even detects when you’re registering for an account somewhere and offers to generate a secure password for you and store it in
      the password + confirm password fields.
  • It even handles old-school web-based authentication. So I don’t have to remember the usernames and passwords for Wi-Fi routers and other primitive hardware.

LastPass is currently totally free. The team is apparently planning on making money via the enterprise route. I wish them well. If they start charging for mere humans too, I will happily pay. I love LastPass!

As a side note, this has completely fixed the problem with Ally choosing passwords like ilovemycat and allison12345. LastPass combined with the USB key makes me pretty confident that she’s not inadvertently exposing us. She has exactly one very secure gateway password to remember. It’s easier to be secure than not. Thanks LastPass!

What I Really Want

I’m still not happy trusting another machine to run applications, even ones that I can control like Portable Firefox. For the moment I’m assuming that malicious users/sysadmins/malware are all going for the easy wins: people going to public machines and typing in their passwords to use IM and mail and so on. But in the future, things are going to get bad.

So I would like to see both of the following devices invented!

USB Drive Network Device

This would be a device that plugs into USB on the public machine and is connected to my notebook.

On the public machine end, the device appears to be an ordinary USB drive. That way, there is no need to install drivers or require special admin access to use it. Then you run a special user-mode app that talks to the device with a special protocol. Perhaps a pair of virtual “files” that are written/read in streams. It would forward reads/writes to/from the network card as packets. Sort of like shared memory IPC in Windows.

On the other end, we have maybe a USB connector, or a network jack, or ideally a secure private Wi-Fi. This part would talk to your notebook or iPod or other internet-capable device. And it would look exactly like a network adapter to it.

The point is that you’d be able to use the internet on your notebook as if it was directly connected to the network switch in the locutorio. And you wouldn’t need any special access to do this.

USB Drive PC

This is a variation on the above, except more portable. Instead of requiring a notebook computer on the other end of the public PC, move your computer inside the device. Take a tiny ultra low power PC running embedded Linux on flash and stick it in the device. Hopefully powered by USB, but if not, then include a li-ion battery.

Then the client software running on the public PC handles the network emulation as before, but adds a VLC client to talk to the embedded PC. The public PC becomes a simple dumb terminal, just exchanging user input and network packets with the embedded one. No special permissions required to use. Totally secure and portable!

The two devices could be combined as well. Use the Wi-Fi if you have your computer with you, use the embedded low-power PC if not.

Does something like this exist already? Seems like there would be a good market for this kind of thing.

Data Recovery

I wrote a previous post about backups. Let’s adjust it to how I tend to travel.

Backups

Basically my remote working backup strategy works like this:

If at home in Arequipa:

  • Fully automated scheduled backup to fatty USB drive with Norton Ghost 14.
    • Two system images on the drive at once, rotated.
    • Every Sunday start a new full system image backup (takes 4-5 hours including verify).
    • Back up incrementals every two hours (usually takes 1-5 minutes).
  • Keep USB drive physically separate from notebook overnight, just in case.

If away from home:

  • Fat USB drive stays at home locked away.
  • USB key is with me as always. Stays down my pants with my passport and money in my secure wallet latched to my belt.
  • Regular backups with the free Areca Backup of just my critical data to the TrueCrypt image on my USB key.
    • Not the system, but the stuff that changes. Documents, OneNote notebooks, code projects, Firefox profile, etc. Blog post drafts. :)
    • Why not Ghost for this? Not as configurable. My USB key is relatively small so I only want the absolute critical stuff backed up to it. No .obj or .pdb files, for example. No temp files. Areca makes it pretty easy.

Always:

  • When connected to the Loose Cannon VPN
    • OneNote will sync itself to my workstation at the office (which has its own regular Ghost backup schedule going on). Nice extra copy to have. OneNote contains a ton of really valuable stuff for me that I don’t want any chance of losing.
    • Regular checkins of code to Perforce, of course. And updates to our wiki.
  • Windows Live Sync set up between my notebook and Ally’s.
    • This keeps common “family” docs and all our Peru pictures mirrored. This gives us four physical copies.
    • These files are really valuable to us so I am super careful to protect it all.
    • Did you know that Live Sync detects if you’re on the same local net and switches to peer-to-peer if so? This makes syncing Ally’s many gigs of Peru pictures very fast. I heart Live Sync.

Norton Ghost logoNorton Ghost

A quick word on Ghost. I went through several other shadow copy-based systems and Ghost was the only one that was stable and had the options I needed. True Image had severe problems with crashing and non-completing backups on my machine, and was very unreliable. Vista’s built-in backup is reliable but is so dumbed-down in the options available as to be useless to me.

Ghost still has problems of course…

  • It occasionally does a hard system lockup on my machine during a backup.
    • Nothing corrupted, just have to do it over. Happens once every few weeks. Frustrating.
    • I have to work with their support people to figure this out, but I’m not optimistic. I have heard really bad things about their support.
  • There are lots of UI bugs, particularly in its tray app.
  • It has a pretty horrid and confusing interface. It’s really only good at doing system images. Try to do file/folder backup and get ready to be frustrated (which is why I use Areca here).

When I was researching which app to use, I learned not to pay attention to any opinions written online by users. It’s an exercise in frustration. Most users who post on the internet and complain about software have this weird combination of anger and ignorance that just fills the Googles with noise. Try things out yourself. It may turn out that Ghost doesn’t work for you, but True Image works great. That’s what the 30-day fully-functional eval is for. There are also other options.

As a side note, Ghost is probably the only decent thing that Symantec sells. That company has a serious problem with marketroids running the show and destroyin
g their products (much like RealNetworks).

Recovery

If something bad happens, I need to be able to get back to work as quickly as possible. Down time means I have to use up vacation days, and I need those for Colca Canyon!

There are a few reasons that I’ll need to do data recovery, in increasing severity:

  • Whoops! Deleted/overwrote a file by accident. Restore file from backup.
  • Serious problem on notebook. Hard drive failure, system destroyed, and so on. Restore entire system image.
  • Notebook fried or stolen. Switch temporarily to Ally’s notebook while I figure out getting a replacement.

I have some strategies for dealing with each. Thankfully I haven’t had to use any yet, but I am prepared!

For simple data loss, the solution is easy. Open up Ghost or Areca and do a restore. I will have at least two copies of each file, possibly a lot more depending on how many times it changed in the past week. The rotating full system images give me a couple weeks to notice a missing file.

For critical data loss where I need to do a system restore, I have several copies of recovery disks. There’s the physical CD I burned with Ghost’s recovery software on it. I also have copies of its ISO on the various USB disks in case we need to burn a new CD.

For hardware loss where I need to switch to Ally’s or a new machine, I can’t do a system image recovery of course. It would wipe out all her data. For this, I have ISO’s of all the major software I use like Visual Studio and Maya. I can install what I need, and restore enough of my document tree into a new account on her machine to get back to work as soon as possible. When I get a new machine of my own to work on, I have my ISO of Vista to use on it to start fresh.

And of course, I keep copies of device driver installers on my USB drives in case I need to solve any issues on the road. This was useful when I was diagnosing a hardware failure (of a dying ExpressCard memory card reader) by disabling and uninstalling drivers until I figured out the problem. The internet wasn’t easily available at the time – I was on a bus – so it was great to have those drivers readily available to put back on.

Final Thoughts

In this series I’ve tried to list the things I’m doing to keep us secure. None of it is guaranteed, either. A determined and technically capable person can bypass pretty much everything I’ve written above.

What I’m relying on is that we won’t come across such a person. Instead, if we come across anyone malicious, they will be set up to broadly attack weak and easy targets en masse. A simple keylogger can get full account access to 99% of the users at any locutorio.

So there’s no point for them to figure out more advanced methods to go after LastPass users. Though as LastPass gains in popularity, an incentive appears. Perhaps in the future malware will appear that detects LastPass running and memory-lifts the clear passwords being passed into the browser. By then I hope to be using even better methods.

Previous posts in this series:

Written by Scott

April 5th, 2009 at 11:04 am

Posted in mobility,peru,security

Keeping Physically Secure

without comments

Santa Catalina ConventIn a previous post I outlined my basic requirements for travelling securely. I’m going to hit the physical security first, as it’s lots simpler and a lot of common sense stuff. Plus, given the big constraint of mobility, there’s not a lot I can do physically anyway.

I’m following some simple ideas in trying to physically secure our stuff.

Keep the Backup Physically Separate

I use a cheap external USB drive for backups (more on this in the next post). When we’re staying someplace I don’t think is 100% secure, particularly a hotel or hostel, I always keep either the backup drive or my notebook with me, but never both. If someone gets into the room and snags one, the other is safe. Or if I get robbed or I accidentally drop my backpack in the ocean, the other back in the room is probably ok.

Because it’s so small, it’s really easy to keep the USB drive safe. So even when I’m going out and trying to stay super light, I’ll still grab it.

Even when I am physically in the hostel room, I’ll still separate the two at night, putting the notebook hidden under clothes and the drive under the bed or whatever. I’ve heard from friends a few stories of people managing to come into their rooms late at night to grab easy pickings. While the occupants were sleeping. Not much point in a backup if both can be grabbed together!

A good friend of mine staying in Costa Rica woke up to find some dude poking around in her kitchen. Past the locked door and the armed security guard. She puts her notebook in the oven to hide it.

So I am pretty careful about keeping these two things physically separate. We went to Cusco for a week, and I brought my notebook so I could work. The backup drive stayed at home (hidden) and I brought along a little 16GB stick to do micro-backups of just what I changed while I was away. It worked well. Luckily I didn’t need to use the backups.

Don’t Be (So) Obvious

Schoolyard psychology. Don’t look like you are a target and they’ll prefer someone who does. In most places I’m always going to look like a tourist no matter what I do, but I can aim away from techy bo-bo video game developer and towards grungy penniless backpacker. Well, somewhat. So…

Don’t use those stupid white earbuds that come with your iPod.

They announce “I have an iPod” around the world. Aside from their poor quality and fit (IMO), white color electronics = iPod = money = easy target. Just toss them and get some ordinary black ones. They sound better anyway.

Don’t pull out your mp3 player and flip through music on the street or bus.

This one is tough because the fancy “look ma no buttons” design that’s popular today prevents operating it in your pocket. I listen to audio books and podcasts all the time, and need to pause/resume a lot as I travel around in the city. A great way to do this surreptitiously is to get a tiny remote and keep the player safely out of sight. Very important: the remote is useful when snowboarding. Double score!

Mess up your junk a bit.

image

I have these awesome stickers all over my notebook. Part of the machine is even held together with tape. [Well! It’s over 3 years old, visited many places, and has been dropped a lot. Which is why I got a Built NY sleeve to protect it even better inside my backpack. Now I can drop it and not worry! Much!]

Does this really matter? I don’t know. My guess is that it announces “I’m a worn out piece of crap, go steal a pretty Mac instead”.

Anecdote: the first thing I did when I got my car stereo (back when I had a car) was scratch all the writing and logos off it. It was a removable faceplate but I never remembered to take the faceplate with me. The car was broken into twice and they left the stereo both times. The second time they even went away totally empty-handed. Now, the plural of anecdote is not data, but my “dirty stickers method” isn’t a bad idea…

I’d do the same with the bags. If you look like Rick Steves just stepped out of REI with shiny new gear, even the tourists will notice you. Although, if you have travelled much at all, your bags are already very unclean. I’m getting a lot of practice sewing to repair things, too.

Lock Your Backpack

Even if you wear your backpack in front instead of on your back, you can still get ripped off. All it takes is a couple of kids with a thick crowd around, good timing, a bit of misdirection. Even if you think you’re prepared, it could still happen. Just have to get distracted for a few moments.

It happened to me last weekend in fact, in the middle of a dense crowd in Carnaval in Oruro, Bolivia. One kid distracted me while the other mashed in with the crowd and unzipped a side pocket and stole a couple things. I wasn’t paying much attention because I didn’t think I had anything worth more than a few bucks in my outside pockets, and the rest were locked. Turns out I was wrong about what I had in the unlocked pockets. He got something totally worthless to him, but something it cost me a few hundred dollars and a lot of Peruvian import customs pain to replace. Expensive lesson.

I learned a couple things:

  • Double check what’s in the vulnerable places and don’t put valuables there. Duh.
  • Lock it all. Even if the kid gets away with a deck of cards and some Altoids, you still feel violated and have that momentary freakout when you realize your pocket is open and something (what exactly? what was it?) is now missing.DaKine = Awesome Can really ruin a good mood.

Detour: I have to rave about my pack for a second. It’s a DaKine Mission snowboarding bag that doubles as a super awesome travel pack. DaKine has a lot of variations on the Mission, but this one is my favorite. Good design, built in straps for attaching a stuff bag or coat or whatever, and takes a beating. Most importantly, it comes in plaid!

Anyway, here’s my current strategy for securing my backpack.

  • Wear it on the front when I get near a crowd. All the way on, not just one arm in. Yeah I know, even the locals do this, I should have taken it more seriously.
  • Lock the zippers together with a padlock. I have a cheap TSA-compatible combo lock. Doesn’t have to be great quality.
    • Note: I don’t like the idea of a padlock hanging off my bag, I feel like it’s an advertisement that I’m keeping something valuable inside and may get more attention. So I usually push the padlock inside the tiny gap between the zipper pulls so it’s inside the bag and not easily visible.
  • “Lock” remaining pockets closed using cheap key rings through the zipper pull and a loop that DaKine so nicely left sewed into the start of the zipper.
    • These obviously aren’t locks, but they require a lot of dexterity or a wire cutter to open. Unlikely to happen in a milling crowd.
  • Don’t stand still for long, keep moving and turning.

Locked up

Stealth mode

Padlock for both the large outer pockets, key rings for side pockets.

Stealth mode! Also, two pockets locked for the price of one.

What I’m mainly after is to slow someone down by 10 seconds. That ought to be enough to avoid most problems and not get into a confrontation.

This should also work on long bus rides. I keep my bag below my legs or under the seat, and sometimes doze off. If someone’s going to start going through my bag, it’s going to be obvious to the other folks on the bus what’s going on because they’ll have to really work at it to do anything.

It should even help when leaving a bag at a hostel temporarily (like in advance of running off to hike the Inca Trail). The places they keep bags for guests often aren’t very secure. Maybe secure enough to prevent someone grabbing a whole bag that’s not theirs, but perhaps not to prevent them from doing a quick rummage. A lock and a couple key rings will slow down the casual rummager.

What About A Mesh Wrap?

Ok, so what about those fancy wire backpack mesh wraps? I actually file those under “you’re being obvious”. I haven’t seen a whole lot of those on packs when travelling, but every time I do, it really grabs my attention. It seems to me that a wire mesh is a big shiny target and won’t be of much use if it attracts a group of guys who just take the whole backpack and deal with the mesh later. Plus, I’ve read that they’re heavy and hard to store.

One purpose of the mesh is to stop slashers – people who will slash your bag while it’s on your back and just snag what they can, ignoring any locks you may have on there. There are slash-resistant materials that some bags are made out of, but unfortunately they are all butt ugly. Oh well!

I don’t have a good solution for slashers except to (a) assume they are very rare compared to the ordinary pickpockets, and (b) put small but valuable stuff inside of other containers in the backpack, and secure those things to the inside of the backpack so they don’t just fall out the bottom when slashed. Well, that’s more work. So mainly I’m betting on (a).

I would like to see DaKine come out with a line of secure backpacks. Preferably based upon the (previously mentioned super awesome) Mission design. Make the outside material rip-stop or slash-resistant, figure out a way to secure the zippers easier… Sold! Again!

Lock Up At Home?

We never ended up worrying about this. Hostels and hotels in Peru and Bolivia are very safe, at least the places we’ve stayed. As well as our current apartment in Arequipa. They have all gone for perimeter security – big gates and buzzers, good locks, and so on, doesn’t seem to matter how expensive or cheap the place is. They’re all pretty well prepared. So we haven’t needed to worry.

But we did try to come prepared. We just haven’t used any of the stuff we brought:

  • Big padlocks for lockers in hostels.
    • The idea here was to use lockers in hostels to store our valuables and then we could run off during the day to go do things and not worry.
    • Only problem is that we have yet to stay at a hostel in Peru that has lockers.
  • A doorstop alarm, to prevent night-time visits like mentioned earlier.
    • This is a neat idea, and cheap too. But we just haven’t had a need for this so far.
    • Like I mentioned, all the places we’ve stayed have been very safe. Maybe because we’re avoiding party hostels!
  • Kensington laptop security cables.
    • This won’t stop anybody from stealing a notebook, but it will force them to break it to get it and slow them way down.
    • Same deal as the doorstop alarm – very safe. Although I think a lot of it is laziness. I’m going to think on this some more.

So I’ve just been following the “keep the backup drive separate” model of security for at home.

Next Up

Data security! Way more interesting.

Posts in this series:

Written by Scott

March 13th, 2009 at 6:09 pm

Posted in mobility,peru,security

Travelling Securely

without comments

Photo by Allison Bilas, Arequipa, Peru

In a previous post I said I wanted to write about travelling securely. I’ve given this a lot of thought, and am interested in what other people think as well. I think I’ve come up with a pretty good setup that is very portable and, once set up, not a lot of work to maintain.

Requirements

So let’s go into what my requirements were. I came up with these a few months before we left for Peru and had lots of time to prepare.

By the way, this isn’t really necessarily specific to Peru. I’ve felt about as safe here as anywhere I’ve travelled. When travelling in general, though, you open yourself up to be a target. You look and talk different from everybody else, and this likely means you have something valuable to snag. So I’ll be doing all this any time I’m on the run.

Data and Hardware Must Both Be Secure

If someone steals my machine, they can’t be able to get at my data. Lots of it isn’t even mine and is protected by NDA’s.

Also, if the hard drive crashes, I have to be able to get my data back quick. I can’t start from scratch reinstalling everything and syncing the whole tree from Perforce through the VPN. I’ll have been down too long and I’ve got to get paid!

And finally, I want a reasonable degree of physical security, to try to avoid the theft happening or being effective in the first place.

Online Personal Data Must Be Secure

This is a hairy one. Lots of times I need to do online bill-pay or check credit card balances or my email, and the only option is at an internet cafe. And I have to assume there are key loggers running. Whether installed by a malicious shop owner, a malicious user, or a virus delivered by USB drive by an unsuspecting user, it doesn’t matter. I don’t trust public internet machines, but I am forced to use them fairly often.

The best option would be to use my notebook and plug in direct (I have a cable just for this purpose), but lots of shops do not permit this or are clueless on where a switch is and don’t want you crawling around under desks looking for it. And forget about Wi-Fi. It’s just not common enough down here to even mention, except in the largest cities, and even then it’s still fairly rare.

Security Can’t Overwhelm Utility

We’re not going to carry around a giant safe with us. Security is a tradeoff. Whatever we do, it must be portable enough to go in a day pack with lots of extra room for other stuff. Water bottles, a book or two, sunscreen, hat and light long sleeve shirt (learned my lesson there), iPod, etc. while still leaving some room for whatever we pick up along the way. So the security has to mostly be visual and then of course, electronic, which doesn’t weigh anything.

And I have to deal with the electronic usability issues. Allison is just not going to memorize more than one password. It really is too much to ask – having to remember which site has which password, and each has to be secure, dealing with each site’s dumb requirements. She’ll end up using allison123 as a password again.

So instead we’ll pick a good solid and long password for her (passphrase, actually) and lock everything with that, using LastPass. More on that in a bit.

Disclaimer

This should be obvious, but I need to point out that I’m not a security professional or a criminal psychologist! I’m just an average scruffy software engineer who listens to the Googles, and reads Bruce Schneier regularly. I’m doing my best to protect what I can. I’m very interested in hearing others’ opinions on what I’ve come up with.

Next Up

In writing this up originally, it got pretty long, so I’m breaking it into three parts. The next part is on physical security of hardware when mobile.

Posts in this series:

Written by Scott

March 1st, 2009 at 3:23 pm

Posted in mobility,peru,security