A standard procedure in somewhat-security-concerned firms is that when you travel, you go and get a freshly installed travel laptop (a loaner) from IT dept, use it on the trip, and after the trip, you return it to the department that wipes out everything on the disk and re-images it.

This wouldn't protect against things like firmware-based malware, attacks that major three-letter spy agencies could deploy when they focus on a target, but because there is no absolute security and measures need to be balanced to the threat scenario, this is a model that works pretty well.

>A colleague of mine purchases fresh laptops for when he goes overseas and then never uses them again. He doesn't even work in an industry where commercial secrets are common. I'd hope that anywhere that features security implications or commercial secrets would also act at this level.

IMO that's an overkill. Why not just use ICloak [1] or Tails [2]? They are both Linux distributions which boot from USB stick without touching hard drive, randomize MAC address and give you access to Tor and other goodies.

[1]: https://icloak.org/

[2]: https://tails.boum.org/

Customs officals are agents of another, sometimes hostile, power.

If your risk assessment says you're worried about AoHPs then you can't trust your computer after they've had it in their possession.

What are "AoHPs"?

Never heard the term, but by context I would guess "Attack on Hardware Platform" or some such.

I think the bigger concern (which has been backed up by recent research) is that there are vulnerabilities in the hardware that might be exploited to install malicious software. If that software lives in a BIOS or a hard disk firmware wiping your hard disk will not protect you.

That model may not always work well. At least one country I know of interviews you at your point of departure as to whether your IT department has recently had your laptop in their possession.

Sure they may interview, but how does that make the model not work? The answer is going to be the same every time: of course my laptop is regularly in the possession of the IT support organisation.

> Someone joked that this would be useful to ensure people won't randomly plug USB drives into their computers. Sounds insane, except that...

Hey, didn't an article on USB dead drops get posted yesterday?

> Given the choice between frying an employee's USB / computer (small monetary loss)

That's a good way to start a fire and have a _large_ monetary loss on your hands.

I seriously doubt that you could manage to start a fire from the device in question.

First the total power of the USB port is ~2,5W on average and given the constraints of the device in terms of size (~ a normal USB thumb drive) you cannot realistically store this more than a second or so (e.g. 100V in 1000µF is only 10 Ws).

With 2.5W you can make things hot to touch, but for igniting anything flamable, you'd have to design some thermally decoupled element to dissipate the power, and get glowing hot (e.g. a small coil of resistance wire in a car's cigarette lighter). Unfortunately devices on a PCB are normally very well thermally coupled to said PCB, so the energy spreads fast limiting the temperature of the individual components. Also things on a PCB tend to break at much lower temperatures than what you'd need to ignite anything. Also they will already desolder themselves at ~200 degC.

When I read some of that stuff back in 2010 I was curious why some of the targets didn't try to understand how they were compromised and then publish the details. Especially attacks with such an, errr, tangible vector of infection.

Clearly some attacks are quite stealthy and difficult to characterize, but some are not, and in the 2010-era reporting about Chinese computer espionage against travelers to China many targets seemed to believe that they had confirmed the compromises.

So people could have taken a computer with some extra sensors or logging processes, a different OS than usual, and then publish the results, helping defend similarly situated others, including their own coworkers. If they believe the attacks are pervasive today, they could do this today.

Another option would be to just tell them and not play games with them.

Whilst an option, I feel it's a bad one if security is actually a priority.

Having worked at companies who actually have a high level concern over computer security, telling someone simply isn't enough. Being told is passive. Passive defence and active defence are two entirely different states of mind. Defending against an attack needs to be active and instinctual. Every time you open, close, or set down your laptop, a small part of your brain should be thinking about it. In computer security, a single failure is enough to lose control, so it's useful to have an environment that reflects that.

A simple example is being told to keep your terminal locked. This is a common rule for most workplaces but is usually met with dismal failure. One of the companies I worked at actually made a game out of leaving your terminal unlocked. I can tell you, after a few days of your colleagues kindly laughing at you returning to a screen full of Internet memes, you instinctively Ctrl + L upon standing up, even if it's to walk to the windows to look at the view.

Why is it important I lock the screen even if standing a metre away? My friend walks by whilst I'm staring at the view and invites me to [coffee|walk|game|X]. Security has already left your mind and you head off to do [X], leaving your terminal unlocked. Even worse, your screen might auto-lock in a few minutes, giving you a false sense of security when you return. Even if it was unlocked when you returned, you'd likely get back to work, not realizing your error.

Making security a game is a good way of instilling the practice. Colleagues make for cunning adversaries and make you actively defend yourself. This defence is useful against both pretend threats and real ones. Wargames are wargames for a reason.

> One of the companies I worked at actually made a game out of leaving your terminal unlocked. I can tell you, after a few days of your colleagues kindly laughing at you returning to a screen full of Internet memes, you instinctively Ctrl + L upon standing up, even if it's to walk to the windows to look at the view.

This was unofficial but standard practice at a support center I once worked at. It was a terrible work environment for other reasons, but individual computer security was great because the new guys very rapidly learned that leaving a computer unlocked left you a prime target for background changes, YTMND pages hidden behind other windows, the Dell ctrl+alt+up thing, etc.

A guy in my previous work came to me for help, we did some remote desktop to his machine from mine, only to find a big dick drawn in ms paint by someone... kind of funny, but the guy was a bit shocked and felt embarrased, not knowing what to do I simply ignored it as nothing has happened.

I lock my computer, but on top of that, I run a bluetooth proximity locker, just to cover my ass when I'm not standing by my computer. :)

Won't work.

If they can install they will and it will continue until someone starts firing people over it.

If they cannot install, prepare to get scolded when they cannot install fileshare clients, flash games, "codecs", -you name it: they'll install it if there is even the slightest chance it will let them watch something they wouldn't be able to watch without.

I sometimes have an image inside my head what it would be like if chefs would be like office workers in this regard: sharing their knives with friends and family, drag their knives into the garden, use them to poke in the sink, stir the paint etc.