<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Dec 19, 2017 at 5:49 PM, Peter Gutmann <span dir="ltr"><<a href="mailto:pgut001@cs.auckland.ac.nz" target="_blank">pgut001@cs.auckland.ac.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Howard Chu <<a href="mailto:hyc@symas.com">hyc@symas.com</a>> writes:<br>
>Peter Gutmann wrote:<br>
>> I cross borders with a wiped-clean laptop and scp in anything<br>
>> work-related that I need once I get there. That seems to be a common strategy<br>
>> among IT-savvy travellers who are worried about travelling with<br>
>> NDA'd/commercially sensitive material.<br>
><br>
>I do this too. But just out of curiosity, what do you use for ssh credentials<br>
>when traveling?<br>
<br>
</span>A password. That's the one thing that's completely deniable (when it's used,<br>
as in this case, to scp something over from some random server at some random<br>
IP address).</blockquote><div> </div><div><br></div><div>This I like... start with a single password.</div><div><br></div><div>A little raspberry pi can host multiple web servers by name and on a list of ports 80, 82, 84.</div><div>Or knock knock on the login port to enable a login or scp on that port+N.<br>There are numerous tools that lockout attempts to login for a specific name</div><div>and those scripts could do more, even the reverse and open a port.</div><div>Next scp a nicely locked private key file that you can recover the key to</div><div>with a pad and pencil cypher. HTTPS and HTTP can be moved to about any port.<br>multiple machines, chroot or virtual machines... <br>Login to a gateway machine then into one of many behind that apparently paper thin but</div><div>opaque wall. <br>Time windows. port+hour=PortToUse ; port+min=PortToUse || knock.<br>Call the office... hello Bob in IT. I am safe in Moscow/HotelName with Art/Arthur please open<br>a port and VPN for me. Bob knows the code phrases to validate or not. Should have been Carol.<br>Login has the notion of the message of the day which could be part of a passphrase.<br><br>Companies can protect their data... they need a policy employees can grock and follow first.</div><div><br></div><div>One class of data that needs special handling is the transfer of shared secrets.<br>Shared secrets for company data links are interesting topics for the rubber hose crowd. <br><br></div><div>Modern clocks allow a lot of time of day tricks for software and users.<br><br><br> </div></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>