Slashdot Mirror
Securing Your Notebook Against US Customs
Nethemas the Great points out a piece from Bruce Schneier running in the UK's Guardian newspaper with some tips for international travelers on securing notebook computers for border crossings. A taste of the brief article:
"Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you're entering the country. They can take your computer and download its entire contents, or keep it for several days. ... Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, won't work here. The border agent is likely to start this whole process with a 'please type in your password.' Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day."
are border agents so dumb to not diferentiate a dual boot from a simple windows ?
I got it in my biweekly dose of Cryptogram and found it disheartening. The GOD of security says: all you can do is make sure they wont find anything that will mess you up.
The sad thing is that citizens think this idiotic idea of checking laptops at airports serve any kind of law enforcement objective other than generalized panic and further diminishment of democratic values such as the right to privacy.
This is your government fucking people up (and "people" can be foreigners or locals entering the country), attempting to find in informations traces of delincuent activity that, if youre a two bit moron you know you can save it anyhow, in a mostly anonymous fashion on google's, yahoo's or microsoft's servers for free, and any number of services that are available today.
True criminals simply have huge botnets and hidden servers behind the huge pr0n/spam nets and they DO NOT carry incriminating evidence with them and EVEN IF THEY DID, how in hell is a custom's agent going to find them?
I mean, i have a better solution than that of bruce: change your initab so initdefault is 3, make sure that that level does NOT turn on the wifi card or any networking at all, change your shell to ASH (hopefully temporarilly) and let them have the root password, who cares.... good luck, mister customs agent.
NO SIG
The downsides? You probably won't be able to work in the airplane, but is it worth it now that the Customs are being so much trouble?
If they want to clone your hard drive and disassemble it later, your secondary boot OS is going to stick out. Not that it is unusual for anyone to have more than one OS on a hard drive, but it won't be hidden. Remember, they essentially have physical control of the computer. "They" win. Unfortunately, it comes down to 1) security by obscurity or 2) nothing to hide.
Roll up your sleeves and bend over.
Faster! Faster! Faster would be better!
I quit flying a couple years ago after being repeatedly hassled by TSA troglodytes. Looks like I may never get to fly again. Maybe if enough of us stop flying, the airline industry will set its lobbyists to get this fixed. Chances are slim though. Why lobby to get your customers back when you can just lobby for handouts?
Maybe depending on the amount of data you have you could store it onto a CF/SD card and put it into your camera? There has to some way of storing the data on the memory card so that the camera will not see those files but still leave enough space to take a few shots of the customs agents.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
But if they have the right to search it and you refuse to cooperate, then what choices do they have other than to seize the laptop (arguably you've given them cause by refusing to cooperate) or refuse you entry?
Otherwise what you're saying is that they have the right to search it, you have the right to refuse, and they have no legal powers to try to enforce their right - in other words, they don't have the right at all.
It's official. Most of you are morons.
Boss: WTF???
if your under suspicion for who you are then you are pretty well fucked. But if your just worried about a random security search and wanting to keep certain data private you only need to get past that first step because they will not spend the money to dig deeper even if they do copy your hard drive.
if you are a known individual (person of interest) and you expect to be stopped at the border, don't carry sensitive material with you. Hell, just mail a flash drive.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
I have been denied access to countries for less than not providing a password. They can pretty much turn you away because they feel like it.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
You see? You see? Your stupid minds! Stupid! Stupid!
If you're going to carry stuff over the border you don't wan't The Man to look at, put it on a thumb drive and attach it to your keys.
If you want news from today, you have to come back tomorrow.
Furthermore, you could also make TrueCrypt portable on XP, putting it, and possibly even your encrypted volume on a USB Key. Include this with a simple file rename and extension change and you'll have hidden encrypted content.
Make sure everyone's vote counts: Verified Voting
>>>"The border agent is likely to start this whole process with a 'please type in your password.' Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day."
Sounds like a small price to pay in order to protect my right to liberty. Just because the government demands access does not mean I have to comply.
Other people have paid a far higher price for liberty ("the full measure of devotion" aka death).
The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
Yes it's wrong to buck the system and cause trouble for other people.
However, I advocate cooperation simply because conniption causes more porblems than it solves. I would protest this however I could, legally, by picketing or voting or radio station callins.
Just because it's wrong to buck a system doesn't make the system right.
We have a bill of rights for a reason, and getting all panicky and security crazed is just going to let someone powerful step in and take over.
If you give up your freedom, you invite a tyrant. Trusting the government to do everything right only works with saints, which humans most definitely aren't. It's why we have checks and balances.
Have all your US and overseas clients meet each other in Toronto, Vancouver or anywhere in Canada for that matter.
Undetectable Steganography? Yep, there's an app fo
The problem is that it is plan and simple grab to take away our rights under the 4th amendment without any probably cause or do process.
Not to mention that it does NOTHING to improve the security of our borders.
And it is seemingly becoming the new standard by which TSA agents get laptops for friends and family members. Confiscate the laptop, telling the poor smuck that it will be returned shortly after the disk is cloned for professional examination. Voila, laptop never comes back.. lots of cases and complaints on file of this particular situation.
Things like privacy are sacred to some people, and unimportant to others. People who advocate that they have nothing to hide is all well for them, however it does not apply to every single person in the world.
And it does not necessarily have to be work related, or something proprietary that can be stolen and sold for cash. Perhaps it is embarassing information on the person, private pictures of family, or something else that is legal and legitimate to keep private. If you have no problem forceing big brother on yourself, that is ok. That just doesn't work for everybody...
Those who live by the sword, get shot by those who live by the gun...
This amendment exists to protect citizens from a government that may object to the content they create or possess. Maybe someone can explain why the act of entering the country nullifies my constitutional rights.
If you feel you want to become an unemployable martyr, by all means, do it.
With a criminal record, after being detained by customs, you'll have a tough time finding a decent job. Your life will be hard at the border crossing, but it will be for many years afterwards as well.
I'd suggest against the horse porn, it "is" technically illegal in the US.
I personally would use the tubgirl "taste the rainbow" picture as a desktop icon. You need to use both a disturbing visual, and a (semi-common) catchphrase that will trigger that visual to further torment them.
It just might work. It their eyes are bleeding they can't read your sensitive data.
Waltz, nymph, for quick jigs vex Bud.
This is why the recent supreme court ruling matters, even if the GP doesn't know it. They ruled that computers files are not your papers. Silly I know, but that's why they can search.
My own opinions on your blinkeredness shall remain unsaid. I'm sure you can guess them.
First, I'm not American. I have visited but these incidents literally remove the country from the list of viable or "safe" foreign countries I could travel to.
"I carry corporate source, designs and some customer data on my laptop. Yes, it would be a problem if it were made public. I encrypt it, but do not hide it. I see no reason that a border guard, a TSA guard or even the (whisper) NSA would choose to give it to a competitor if they had it."
-Several thousand dollars.
- Industrial espionage.
Even in the UK, some staff at airports have been caught selling on items stolen from baggage, there's nothing to stop a corrupt official doing so. By giving them to ability and "legitimate" reason to search ANY laptop for ANY reason, it's inviting problems.
- A letter from Microsoft offering a reward for non-licensed or pirate software.
- Anything that could accidentally tag you as a terrorist.
Customs officer browsing through my web history: You read wikileaks lately? We'll have that as evidence of, in your own words, being an anarchist.
- THIS POST. Say I took a laptop with a copy of my posting history to slashdot to the US... they could EASILY use this very post against me. Evidence of "wanting to avoid customs" or some such rubbish.
"What's the problem here? Is this a matter of principle or is there something to hide?"
Neither. It's my data. You have no right to go through it without reasonable suspicion FIRST. And then in a certified, supervised way to ensure you keep within your stated use of the data. No other civilised country in the world currently does this and the UK has been dealing with terrorism for FAR, FAR longer than the US has (a UK airport security expert was told that he was "being paranoid" before 9/11 when he visited a US airport and complained about their lax security - within days he was on BBC News recounting the tale because 9/11 happened).
My workplace cannot even throw a hard drive out with having it professionally destroyed, whether it's been exposed to confidential data or not. What makes you think I can let a customs officer copy it without MASSIVE assurances of everywhere the data could end up? The chances are I'd be in a questioning room while all the copying was going on.
"Consider how important your data is to a customs official. News flash: I'd bet a lot that they don't give a rat's ass what you've got, as long as it's not illegal. If it's illegal, then the problem is totally different and you have no right to complain about it."
Define illegal. I think you'll find it depends on jurisdiction, for a start, and includes such things as data protection laws. This is the problem.
As a business, I would be required to NOT TAKE SOME DATA into the US because of this - UK and EU data protection laws means that I *can't* let anyone see it, whether or not it's "secret". If your salesman is going to have to break British law to make a sale in the US, then he's not going to GO to the US. Or he'll have to take the steps mentioned in this article.
Say my office gave me a laptop with copy of Windows that was installed from a pirate key... that's "illegal". I could get detained *without reasonable suspicion* and possibly convicted because of that. Say I *don't know* the password to an "encrypted-looking" file on the laptop (like, I don't know, say a database contained within a business program accessed only by Word macros or company-created utilities - I have seen many such systems loaded on laptops for employee use). I'm detained until I release it.
It's not that I have anything illegal under US law - the US is not the world, though. Things that the US does are considered illegal in other countries. Let's not go too far down that avenue because it's just too easy to get into country-bashing.
It's that the US customs have no reason to demand inspections without reasonable suspicion. They certainly s
I would say that most sovereign nations have the power, not the right, to control who and what enters the country.
I've suggested this before, but I think it should be repeated.
You should also put something mildly embarrassing in the shadow drive. Something so that when the customs dude sees it, he can construct a plausible narrative of why you encrypted it. Naked pictures of a girl who could be your girlfriend (but definitely looks over the age of majority in the country you're flying to), steamy love letters that aren't over the top, evidence of a fake affair. Nothing illegal, just "improper." Bonus points if you blush when the customs agent sees them.
Use the Firehose to mod down Second Life stories!
Being detained by customs does not give you a criminal record. If you're a non-citizen, it may indeed cause trouble in entering the country again. To get a criminal record, you must be tried and convicted of a crime.
Luckily, that doesn't matter one iota. Hidden volumes in TrueCrypt are specifically for this very reason. Assuming you admit that you use TC and show someone the contents of the "dummy" volume, there is no way for someone to determine the existence of the hidden volume.
Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
Some would say we have arrived long ago, but this is certainly a telling mark.
We are discussing "hiding legal and unincriminating" stuff so that we don't get hassled by government police. We have gone far beyond the "if you don't have anything to hide, you have nothing to fear" argument where now, even when you don't you have plenty to fear... in this case, potential loss of ability to work!!
They have been going too far for a while, but this is a point at which even the most common person can appreciate and understand the problem with this.
If the EFF were buying "public awareness" ad time on TV, radio and print (I haven't seen any if they already are) I'd donate $100 each month from now until "we've won" whatever that means. I'm sick of this.
Whaaa? So the Constitution doesn't apply to me as a US citizen is what you're saying? I thought the constitution applied to citizens, not a place.
So apparetly it only applies to people on US soil? With the way things have gone lately I guess it shouldn't surprise me, but it does, or more disappoints me.
That said, I've never had issues coming back through customs. They've never even glanced at my laptop let alone asked to handle it.
Whenever someone talks about standing up to whatever injustice in some way, someone always comes along to point out the people they're standing up to won't like that.
No shit, Sherlock. That's sort of the point.
If nobody ever stands up to this kind of bullshit, even in these kinds of small ways, it's only going to get worse and we're *all* going to spend a lot more time in tiny cold waiting rooms whenever we try to get anything done.
Does that mean I can shoot the border agent and not be prosecuted under American laws?
:-)
Try not to confuse 'legal fictions' with reality
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
You obviously haven't crossed the border a lot. I have. As a guest in the US, you don't get lippy with the border guys. You have no rights in that little room.
US border cops are not subject to oversight. Decisions are final and can be based on their gut feel. Unless you're an international big wig and can pull some strings with the ruling US gov't, you're out of luck.
I have seen at least a half dozen people arbitrarily get taken into the strip search room at the Peace Bridge in Buffalo. And this was before 9/11.
ipods. I mean, come on, they're nothing more than several dozen GB thumbdrives, you can easily put all your stuff on there and carry it with you without suspicion.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
(volumes cannot be distinguished from random data)
Aye, there's the rub.
Most files CAN be distinguished from random data. If not outright human-readable (text, XML, etc.), they start with header data which can be visually recognized with a little experience. File sizes are predictably reflective of the directory context. Browsing the rest of a file's content usually reveals non-random components.
TrueCrypt claiming to be indistinguishable from "random data" is kinda like the hotel security guy who was checking out my activity when I was bored (playing with video camera menu settings, waiting for someone) in a hotel lounge. It was obvious he was hotel security because he didn't have any official-looking paraphanalia AND was dressed in "I'm trying to blend in but don't know how" attire. It was obvious he was checking out my activity because he wandered close, looked around like he was looking for someone, and left - when there was absolutely nobody else in the lounge. And from his "I'm not hotel security, no really" dress & demeanor, I knew something would come of it - manifest a few minutes later when the Federal Marshals showed up.
A TrueCrypt file (or partition) hits the "uncanny valley" realm: it tries so hard to blend in that we become keenly & deeply aware that it doesn't; the deep-seated human mechanism for sensing "something is wrong here" kicks in.
It stands out precisely because it so completely doesn't.
Can we get a "-1 Wrong" moderation option?
See TinyURLs are evil URLs. Why does the URL length matter when linking on the web? For example, the link above has a fairly long URL, but it's not a problem. There's no reason to use a URL shortening service for links on web pages.
The reason such services should only be used where actually necessary, like in print or when verbally relaying a URL, is that they are a good way to hide the site. By using them unnecessarily for web links, users become less wary of them, making it easier for malicious uses. It's the same reason banks and similar entities should not send email with links to their site.
This is exactly it.
America is just now doing this? I was returned from Canada and they searched my luggage, laptop, read private conversations, opened letters all cause i was going to be staying 2 months which was too long of a vacation/job for them apparently. The guy was just a prick and didn't want anyone taking jobs. Canada is terrible for this but on Slashdot everything is the big bad USA. I'm so sick of the slant on slashdot. All countries do this its their right to refuse what type of people in their country. Some agents turn away illegal Mexicans cause they're scared of them taking jobs, some customs agents dont like the idea of a foreigner getting paid more than them.
-- "of course thats just my opinion, I could be wrong." --Dennis Miller
Standing up for something only works if you can inconvenience the other guy somehow. Border agents aren't paid by how many people they pass through the border, they're more than happy to let you rot out in the waiting room for hours if you try to make their job difficult. They're not even under any obligation to let you in the country unless you're a citizen returning from a trip. If you give them too much hassle they can (and will) just turn you away.
I read the internet for the articles.
Once you pass 6 years old, please stop trying to sell that "I'm just swinging my arms and if you run into them that's your own fault" BS. Eesh.
[theory, of course]
What is this, people? Waving flags screaming "I'm hiding something!"
If I actually had something to hide, say, key NDA-restricted docs, and I HAD to carry them on me, I wouldn't put up red flags like obvious encryption or a partition with some weird-ass hippiecommie suspicious linux install. If you want to fly below radar, you need stealth.
First: a vanilla install of windows or macOS. Standard business apps, standard documents folder with typical usage, such as correspondence, presentations, expenses, etc.
Second: family photos. Friends on vacation, etc. Make them more than typical: lots of them, and innocuous. If you're too straightlaced to keep personal stuff on your computer, that's suspicious too.
Third: on a different computer, encrypt your files with decent encryption, AES or something, using strong password. Make sure the file name isn't interesting. Doesn't matter, if a professional gets the files, they'll be cracked; the point is to keep them unobserved, so this part's kind of optional.
Fourth: mask them inside innocuous files like the photos. Transfer them to your laptop. Now you're camouflaged. Smile, respect, make eye contact, be naturally a tiny bit nervous but with nothing to hide.
The secret to security? don't get caught.
[/theory]
Damn those pesky terrorists
> Truecrypt can even store an encrypted volume on an unformatted unpartitioned chunk of hard drive. There's little way they can prove that that's anything other than some space you haven't allocated yet.
sorta.
Unallocated space wouldn't be filled with high-entropy random bytes. That's a tip-off that it has encrypted data.
Of course, you certainly have deniable plausibility there.
- For the complete works of Shakespeare: cat
Well, it's a question of whether or not "later analysis" is something you wait in line for, or something that happens later when you're already through. As long as you get through relatively unmolested, and with your machine, it's not too bad if they later want to spend their time detecting that personal secrets might have been present, and then try to crack AES -- all on their own time while you're not waiting and missing your connecting flights, appointments, etc.
As long as the machine appears to be "normal" to a superficial peek, you win. Their only countermeasure is to quarantine every entering machine for a few months, while they spend a few hundred (or thousand?) dollars (per machine) to examine them -- just to see if there's anything further to look at. Then they can mail you a letter if they want your key. In other words, the countermeasure would be so intolerable that the public wouldn't stand for it and Congress would have to take away the power.
Anything, really. As soon as bribable officials have access to your browser's password manager database or your email reader's stored login credentials, the risks resulting from the resale of the information, are so broad that there's simply no person who doesn't have something to be concerned about.
If we give the government all our data, everyone loses, except the bad guys that they're supposedly protecting us from.
"Believe me!" -- Donald Trump
He gives one piece of very bad advice, on the subject of keeping your data on a big memory card and keeping it in your wallet. He says:
'If someone does discover it, you can try saying: "I don't know what's on there. My boss told me to give it to the head of the New York office."'
Never ever lie to customs guys. If they ring your boss and he denies it, or if you later change your story and say "oh yes, that's really all my files", or if you can't instantly give the address of the fictional 'New York office', then you better start relaxing in preparation for them gloving up to see if you are hiding any other memory cards.
Same with hidden partitions. If, by sheer bad luck, you do encounter a tech-savvy customs guy and he says 'have you got any hidden partitions on here?', say 'Yes'. Better than saying 'No' and having them find out later.
I'm not saying roll over and give them everything - you have rights - just don't lie.
Even as an atheist, my time here is important enough not to waste it with trampled rights.
But otherwise, yes, you're right.
I guess the trick is to help make everyone a POI. Do all that crap to everyone, and 10 people will be able to enter the country per day. Then someone in power with some sense -- no wait, let's be realistic: someone in power who is tired of getting thousands of complaints per day and being the subject of a TV news show every week -- will say, "fuck it, we have to stop doing this. I just got into government for the drug and 'escort' money; I didn't run for office to be ridiculed and impeached all the time. I have a meeting with a rich industrial lobbyist in 20 minutes, and those '60 Minutes' reporters are still here in my office, asking me what my response is to the recall petition. *sigh* Julie, get me Senator Disney on the phone. We need to talk about a bill that dissolves customs. I can give him 20 more years tacked onto copyright, if he'll support this for me."
"Believe me!" -- Donald Trump
I've oft-wished that you could have a completely transparent boot loader that used held-down keys to determine which OS to boot into (with one key to boot into a menu.)
Buy two MicroSD cards.
Put one in a camera. Leave a whole bunch of inane pictures of it.
Use the second one as your main file store. At $20-25 for a 4GB card, they're cheap. They're also 15x11mm, so small you'll "lose" them - oops - in your checked luggage and are never going to be spotted by a bored inspector, that barely graduated highschool, watching hundreds of thousands of large bags going by.
Alternatively, stick it in a GameBoy DS. They have SD readers. Look utterly bored as you wander through, in flight toy in hand. Odds of their bothering to inspect a children's toy and find something that looks like it's supposed to be there anyway, are next to zero.
At customs, look bored, hand over your largely empty laptop and meaningless digital camera.
Let them copy off anything they feel like. Don't fight it. Don't complain. Let them think they've got everything.
Once you're back on the other side, put the other card back in, get access to your files again.
No, it won't stop them if they're utterly convinced you're a terrorist. They'll take everything apart and will eventually find that tiny thing. The abusive copying of anyone's crap, with no grounds for suspicion, is going to leave them copying junk that means nothing to them. There's simply no time to search everyone to the degree they'd find the few people with a MicroSD card. And, even if they do, it's a totally legitimate thing to do so you can claim total ignorance.
4GB should be plenty for most trip type info. Sensitive business docs should easily fit in to that. If you store porn on your laptop, leave it on an external drive at home for when you get back. If you really must have some with you, if you need more than 4GB, it's time to admit you've got issues.
It is like that guy going out of the WalMart with a ladder and then the guard asked to see his receipt. Instead of just getting the receipt from his trousers' bag and showing it, the guy had to do a complete show. It does not take you more than 10 seconds and on the other side it can prevent you a lot of trouble.
They have no right to detain you for not showing a receipt. You have no obligation to show a receipt. The worst that can happen is that they ask you to leave, something you were obviously doing anyway. If you really piss them off, they can tell you to not come back. But they can't hold you, charge you, ask you for identification, or anything else of the kind (well, they can ask for whatever they like, but you don't have to comply with any order or answer any question). They have to have evidence for that, and being an ass isn't evidence of anything other than a poor upbringing.
Shit, it can even save your life, imagine if the guard guy was just about to go postal and decides that you are the straw that broke the camel's back and decides to fill you with pieces of lead.
Yes, I should live my life like everyone is armed and willing to kill if I don't do everything they say. Even if, like the guards at Wal-Mart, they aren't armed.
Learn to love Alaska
or, if YOU can't prove there ISN'T one, they keep the notebook.
DRM: Terminator crops for your mind!
Okay.
You go first, we'll follow your example.
1. When conferences are being organized, avoid US sites right there in the planning stage. (This is already happening in my field.)
2. When travelling to a US conference, travel with a blank default install Windows or Mac box with no personal or private data on it at all. Do not carry any form of data with you (whether encrypted or not). If it is necessary to access private data, do it over an encrypted connection to the non-US based home server using a terminal session. No data is stored on the portable computer. If the hard drive is seized, there is nothing to get. (This is the solution being used by local doctors and lawyers travelling to the US where there are no privacy laws.)
Anything on your person when travelling to the US can be seized and you can be forced to give any passwords to anything encrypted.
Obama bin Laden must orgasm every single night at how spectacularly successful the 9/11 attacks were. It has to be the greatest success story of any kind thus far in the 21st century. Hate the guy all you want, he got everything he could ever want and then some.
See, the problem is, there can be an unlimited number of encrypted volumes -- they can even be nested. So no one can ever prove that there are no more hidden, encrypted volumes. If someone demands that you show them the second one, you can show them a second one -- and not the third, fourth, or fifth ones.
So unless you're suggesting that anyone using Truecrypt, for any purpose, will be detained indefinitely, it seems like a pretty solid bet.
Don't thank God, thank a doctor!
This is another reason heavy travelers should move away from the laptop.
You can either set up a flash drive (or even an MP3 player), giving you data portability and even applications and file security if you set it up. But the best solution is to use a mobile device, like a Blackberry (I refuse to recommend the iPhone until the device has SOME form of security on it, obscurity is not security). You could also try Palm or Windows Mobile, but those seem to be more trouble than they are worth.
The TSA drones are lucky they can figure out how to tie their shoes, so I'm sure telling them it's "just a phone" won't be much of an issue.
Searching laptops at airports has nothing to do with securing our freedom, and if you think it does, you've been had and/or are extremely naive.