by trod1234 568 days ago
In my opinion, your setup is likely to be insufficient for the purposes you want, and in some minor or not so minor ways may be more likely to draw additional scrutiny (i.e. GrapheneOS (minor)/Tailscale(?)).

Physical access is almost never needed with current consumer hardware, especially if they control the infrastructure, which they do.

Any services you access through their network can potentially be impersonated later or denied while you are there. Cookie capture for auth access tokens is real and very simple to do, and there are many other security threats in the IT space.

You should follow good security hygiene when starting and ending engagements.

You may want to limit your personal access through an intermediary, and almost surely should do a full account reset for all related services/systems you access while abroad upon your return, if you do not choose to create stubbed accounts.

It may be better to use limited stub accounts while traveling, which may also be used later as a tripwire indicator/honeypot of interest related to a particular trip.

From what you've written, it seems that you neglect the fact that physical coercion negates all your current security measures.

You should familiarize yourself with the laws there regarding VPNs, and the related requirements, as well as the customs of business in that country (i.e. gift giving on first meeting, who pays for lunch, that sort of thing).

Not that it will come to physical coercion, or that it is even likely given your profile, but still, you should be aware and prepare accordingly. It is all about risk management.

As for what threats you should be worried about, it's generally nothing you wouldn't already consider in any other country where your personal security is not guaranteed.

If you are particularly concerned about your safety or security, or are entering a high-risk area, K&R insurance and its related planning and preparation for travel abroad often cover the most critical aspects. This is their jam. Cyber-related losses may potentially be covered under the extortion part of these policies.

Generally speaking, the sooner your stateside counterpart knows there is an actionable issue, the quicker they can react, and this will largely be decided by your level of acceptable risk and prior preparation. Regular check-ins are good practice.

Subtle challenge-response phrase check-ins may allow you to indicate duress, or that you are missing (and not the one responding), in some extreme circumstances.

I'd like to emphasize, none of this is likely to be needed, but these things do happen, and still it is prudent to plan for the worst to give you the best chances if something does go wrong.

You should consider that whatever you access directly while you are there will not be private.

Also, the night before is hardly the right time to be asking these questions.

There is a lot of business process that generally needs to be implemented for proper risk management in an international business setting.

You may find this article helpful as a starting point, and may consider reaching out to one of the companies that specialize in these services, if further, more detailed knowledge is needed.

https://us.milliman.com/en/insight/pirates-kidnappings-and-r...

1 comments

> Cookie capture for auth access tokens is real and very simple to do,

If HTTPS, how?

Chain of trust is the low-hanging fruit; there are many other potential avenues that compromise TLS.

If you want to see a full discussion of this exact topic by cybersecurity professionals, a reddit post covered it a few years ago. I'll include the link below; it covered all the salient points with regards to what a business person should do while in China and what to expect. My response reiterates it, but lacks as much detail.

Attacks have only gotten better since then; you are up against a country that spends trillions on its ability to see and know everything you do digitally within their borders, and they deny service to companies that prevent or limit this mandatory access requirement.

VPN access is illegal in the country without prior government approval from the PRC's MIIT. Your company has to be approved to run a VPN, and that approval often implicitly includes mandatory requirements for decryption at the service provider level. It's largely speculated that Russia does the same through their network of "Red Boxes" that are co-located at ISPs and data exchanges within its respective country.

When decryption is forced, auth token theft is quite simple and bypasses 2FA in many cases.

Link: https://www.reddit.com/r/cybersecurity/comments/121ftg6/can_...
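Two of the defensive ideas in this thread (the "stub account as tripwire" from the first post, and the server-side view of a captured session cookie from the reply about forced decryption and token theft) can be turned into concrete detection logic. The following is an added example, not code from the thread or from any product it mentions. It assumes a hypothetical auth service that emits JSON log lines with the fields `ts`, `event`, `user`, `ip`, `ua` and `session`; the account names, IPs, tokens and timestamps are constructed for illustration.

```python
"""Added example (not from the HN thread): detect two travel-related signals
over constructed auth-log lines.

1. Canary/stub account: any login to an account that existed only for a
   trip, after the trip ended, is a high-signal indicator that credentials
   or a session captured during the trip are being reused.
2. Session binding: a session token issued to one client (IP + user agent)
   that later shows up from a different client is flagged as a suspected
   token replay, which is what a captured cookie looks like server-side.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log in the hypothetical service's JSON-lines format.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:12:00Z", "event": "login",   "user": "travel-stub-01", "ip": "203.0.113.7",   "ua": "Mozilla/5.0 (Android 14)",        "session": "tok-a1"}
{"ts": "2024-03-04T08:13:10Z", "event": "request", "user": "travel-stub-01", "ip": "203.0.113.7",   "ua": "Mozilla/5.0 (Android 14)",        "session": "tok-a1"}
{"ts": "2024-03-04T11:40:00Z", "event": "request", "user": "travel-stub-01", "ip": "198.51.100.22", "ua": "curl/8.5.0",                      "session": "tok-a1"}
{"ts": "2024-03-20T02:05:00Z", "event": "login",   "user": "travel-stub-01", "ip": "198.51.100.40", "ua": "Mozilla/5.0 (Windows NT 10.0)",   "session": "tok-b2"}
{"ts": "2024-03-21T09:00:00Z", "event": "login",   "user": "alice",          "ip": "192.0.2.10",    "ua": "Mozilla/5.0 (Macintosh)",         "session": "tok-c3"}
"""

# Constructed trip window end and the set of stub accounts created for the trip.
TRIP_END = datetime(2024, 3, 10, tzinfo=timezone.utc)
CANARY_ACCOUNTS = {"travel-stub-01"}


@dataclass(frozen=True)
class Alert:
    kind: str
    ts: str
    user: str
    detail: str


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _client(ev: dict) -> tuple[str, str]:
    """The client identity a session is bound to: source IP plus user agent."""
    return ev["ip"], ev["ua"]


def detect(events: list[dict], trip_end: datetime, canaries: set[str]) -> list[Alert]:
    """Replay the events in time order and emit alerts for the two signals."""
    alerts: list[Alert] = []
    bound: dict[str, tuple[str, str]] = {}  # session token -> client it was issued to
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC sorts lexically
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev["event"] == "login":
            bound[ev["session"]] = _client(ev)
            if ev["user"] in canaries and ts > trip_end:
                alerts.append(Alert("canary_login_after_trip", ev["ts"], ev["user"],
                                    f"stub account used from {ev['ip']} after trip end"))
        elif ev["event"] == "request":
            issued_to = bound.get(ev["session"])
            if issued_to is None:
                alerts.append(Alert("unknown_session", ev["ts"], ev["user"],
                                    f"session {ev['session']} never issued by a logged login"))
            elif issued_to != _client(ev):
                alerts.append(Alert("session_client_mismatch", ev["ts"], ev["user"],
                                    f"session {ev['session']} issued to {issued_to}, "
                                    f"now used by {_client(ev)}"))
    return alerts


def run_sample() -> list[Alert]:
    """Run the detector over the constructed log."""
    return detect(parse_log(SAMPLE_LOG), TRIP_END, CANARY_ACCOUNTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.kind:26} {a.user:15} {a.detail}")
```

On the sample data this raises two alerts: the `tok-a1` request from a second client while the original session is still live, and the login to the stub account ten days after the trip ended. Binding strictly to IP plus user agent is deliberately simple for the example; in production, mobile carriers and corporate egress change IPs often, so teams usually bind to a coarser signal (ASN or country) or to a client-held secret, and treat mismatches as a reason to step up authentication rather than as proof of theft.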