KRSW

Our policy has always been that people travel overseas with disposable, factory-fresh laptops. At the destination, VPN established, laptop is re-loaded from the server. Before heading to the airport, laptop connects back to the office, uploads any final changes, then laptop gets wiped to factory-spec.

How much this has changed.... I remember back in the day when we were most concerned with laptops getting stolen. Now we're most worried about governments, especially the U.S. government, stealing the data.

LAXlocal

do you leave the laptop overseas or bring it back with you ?

I hear SSD cannot be completely wiped , anyone know for sure ?

CPRich

There are many utilities/articles on how to wipe a SSD, and on quick read, none say "you really can't".

I suspect many folks don't know their laptops/notebooks are actually encrypted. Bitlocker is pretty unobtrusive.

dajdavies

It's complicated…

SSDs (and most modern spinning rust) has a mapping layer between the address the computer thinks it's writing to and where the data is actually stored.

In the case of SSDs, this allows data to be moved and storage locations to be remapped if there are bad cells etc.

Challenge becomes if a location has been remapped then normal write operations won't reach the original location.

There's a special operation supported by some drives to overcome this (http://www.kingston.com/en/community...l?ArticleId=10) but AFAIK simply deleting everything on the SSD won't achieve the same aim, and I'm not sure how good the implementations of HD sanitisation are.

KRSW

We bring it back. Drives get wiped before getting to the airport. Keep in mind, these are "disposable" laptops, ie: junk. So none of ours have SSDs in them, just old HDDs we've ripped out of other computers. The additional benefit of it being a ratty-looking laptop is that sticky fingers are less likely to pinch them. They're also old/ratty enough that if need be, they can be left behind.

Dubai Stu

Your plan sounds good assuming that you have decent bandwith which can sometimes be a challenge. Then there is the problem of VPN blocking in China.

InfrequentFlyer

I'm not in IT but I have to help a friend who might travel on these affected routes. He uses Outlook locally on his laptop from a PST (using a POP account). say he doesn't want to use gmail, etc, how can we keep his email sync'd between home and a new burner laptop? he is an individual, not using exchange or some other corporate solution. thanks
would you use office 365? tx

docbert

I was travelling on an affected route on day 1 of the new rules.

Our IT departments advice was basically (only slight paraphrased) "Use bubble-wrap".

So... yeah...

GUWonder

There are SSDs where parts of them definitely don't get wiped unless and until you physically alter the SSDs, an effort which may seriously risk permanently damaging them.

Amusingly, some of the oldest storage mediums are the most reliably controlled for complete data wipes.

Error 601

Mostly as a show of good faith in an arbitration we sent a Windows notebook with an Intel SSD to a forensics firm to see what data could be recovered and they came up with nothing.

Error 601

If the US government wants to mess with us they have much better attack vectors than intercepting a laptop at CBP.

docbert

They can, but the procedure for doing it is a little different than for HDDs. If you follow then incorrect procedure then it may be possible to recover a small amount of fragmented information even after they have been wiped. In most cases this is more theoretical than real, but depending on the security required from the data it can be a real issue.

If an SSD (or even HDD) supports encryption - even if that encryption isn't 'turned on' - then there's a very simple way to "erase" an SSD which is to trigger it creating new encryption keys. This doesn't wipe anything from the disk as such, but without the old encryption keys the data is completely unreadable. In 99+% of cases, this provides a perfect way of "erasing" an SSD.

(FWIW, this works even if encryption isn't 'enabled' on the drive, simply because encryption is *always* enabled on these drives - the data itself is always encryption, it's just down to whether the security layer around the key management is enabled or not, which is what changes when the 'enable' or disable encryption on the drive)

Internaut

Our corporate IT mandates the laptop's hard disk is fully encrypted, and there's no specific rule about checking in or not. Ultimately, the safest way to protect corporate data is not to transport it over borders where there are other options (VPN, once you arrive, for example).

JakiChan

But it's still a vector that your policy should guard against.

LordHamster

In my experience, China blocks "Public" VPNS like PIA and the like... but private corporate VPNS aren't blocked.


Encrypted laptops certainly protect against third party theft, but the real danger with crossing borders is the "Unlock it or else" extortion employed by CBP. Encryption does nothing to protect against that. I guess the 4th amendment was the first to go.