Slashdot Mirror
Tips For Taking Your Laptop Into and Out of the US?
casualsax3 writes "I'm going to be taking a week long round trip from NYC to Puerto Vallarta Mexico sometime next month, and I was planning on taking my laptop with me. I'll probably want to rip a few movies and albums to the drive in order to keep busy on the flight. More important though, is that I'm also going to be taking pictures while I'm there, and storing them on the laptop. With everything in the news, I'm concerned that I'll have to show someone around the internals of my laptop coming back into the US. The pictures are potentially what upsets me the most, as I feel it's an incredible violation of my privacy. Do I actually need to worry about this? If so, should I go about hiding everything? I've heard good things about Truecrypt. Is it worth looking into or am I being overly paranoid?"
No one is going to search your computer other than to make sure it is a computer and not a bomb.
Make sure you have a backup of the pictures before you enter the US. Secure online storage is cheap. You can refuse to give them the password but they can take your laptop for "analysis."
Short answer: Truecrypt (as you mentioned in the summary.) Is it worth looking into? Yes. Are you being overly paranoid? No. Seriously, have you noticed the big brother trends recently? Truecrypt is very simply and effective encryption, in several forms, from simple encrypted containers to hidden O/S partitions. To take such a simple precaution is not, IMHO, overly paranoid.
http://clightnirish.wordpress.com/
...encrypt it. Full disk encryption is relatively cheap, easy, and unobtrusive.
And ineffective, unless your privacy is worth more than the cost to piss them off and have to replace your laptop.
But uh, mind if I ask: exactly what kind of pictures are you planning on taking on your vacation? ;-)
It shouldn't matter what kind of pictures he takes. It is none of their business.
But uh, mind if I ask: exactly what kind of pictures are you planning on taking on your vacation? ;-)
A subtle "if you have nothing to hide then you have nothing to fear" poke. Haha.
It doesn't matter what kind of pictures he takes with him on vacation. He doesn't want a bunch of random law enforcement officials looking at his private pictures. Understandably.
As the old traveler's adage goes, if you can't afford to lose it, don't bring it.
Find a cheap laptop used laptop you won't have problems with ditching. Use a live cd or usb key boot solution so nothing ends up on the hard drives.
Keep your pictures on SD cards and mail them or a copy to yourself or some drop point. Encrypt them all.
I've taken my laptop across the border 4 times, my wife has done so many times more, neither of us have had our laptops searched. I've been pulled aside by customs and asked questions once, but even then they did not request to see my laptop. I think the bottom line is, if you act shady they'll look at your stuff, if you're just getting your business done then you're fine.
Truecrypt would not help: If they really wanted to see your content they could ask you to show it to them or alternatively confiscate your laptop and decrypt it themselves.
Truecrypt provides plausible deniability - the capability to create a hidden encrypted volume within another encrypted volume, thereby allowing you to grant access to unimportant/dummy data when a password is asked for without the attacker knowing additional information even exists.
As for the US government just decrypting the colume themselves, as far as I know they simply don't have that capability. If your boss knows otherwise or has knowledge of ways to defeat Truecrypt's plausible deniability then (s)he should provide some kind of evidence to back that up, otherwise this just sounds like uninformed guesswork or pure tinfoil-hattery.
Spelling mistakes, grammatical errors, and stupid comments are intentional.
An ounce of circumvention is worth a pound of countermeasures. Don't store them on the laptop at all. Store the pictures you're taking online and you'll be able to access them from anywhere. Border patrol can't find something on your computer when it's not there. Even if that's not feasible 100% of the time, you could still make a temporary archive online while removing them from your computer. If even that has you feeling paranoid, you could always burn the files to DVD, wipe them from your computer, and stow the DVD.
Offshore laptop rentals with temporary accounts linked to offshore data are booming! What a great business model. You set up an account with the company, stuff all your crap on a server, then when you get to your destination, you pick up a laptop (maybe your "rental fees" are part of your normal monthly service account)... logging in to the laptop mounts the remote volume and download away.
meh
Truecrypt provides plausible deniability - the capability to create a hidden encrypted volume within another encrypted volume, thereby allowing you to grant access to unimportant/dummy data when a password is asked for without the attacker knowing additional information even exists.
Well, there's that, and the fact that no file can be positively identified to be a Truecrypt volume. Until you you give a password it just appears to be random data. High entropy random data, but the guy at the border is looking for a 5 minutes spree tops - I seriously doubt he knows what entropy is let alone enough to check for it.
If you're that worried create a volume with nearly same size as your system RAM, keep it in a directory with some source code (even write a stupid program that will crash if you want) and just name it "core" or "core.dumped". If asked about it tell them when you were testing your program (that does whatever you want to maekup) it crashed and dumped memory to file. It's probably just corrupted nonsense . . .
"People who think they know everything are very annoying to those of us who do."-Mark Twain
No one said it is happening to everyone. That misses the point entirely. Illegally searching even a small percentage of people is unnacceptable. Especially since people affected by this have almost no redress and the DHS doesn't even accurately report when they do this.
I guess its only a problem when it happens to you. Maybe you should pick up a history book and find out how well that attitude worked in the 1930's and many other time periods.
If you have something that you dont want anyone to know, maybe you shouldnt be doing it in the first place -Eric Schmidt
There's only one solution that guarantees that nobody will rifle through your data: don't bring it with you through the border crossing. That's what servers are for... and SSL, or at least SSH/SCP/SFTP.
Check out my sci-fi/humor trilogy at PatriotsBooks.
The smart thing to do is stay the hell out of the country. It's not safe. There are systems in place to make a person disappear into a concentration camp forever. Whatever justifications are made for their existence, all it takes is for some small minded official to decide to start the process, and you are totally fucked.
-1 Uncomfortable Truth
Only children think in terms of the worst things that could happen to them. Every day, when I leave my house, I could get run over by a bus. I could get ass raped in a jail after being unfairly imprisoned by a cop for a crime I didn't commit. My house could be robbed. My person could be robbed. My car could have a molotov cocktail thrown at it. I could catch some nasty disease from a toilet seat.
Note I spend about zero time thinking about these things because the chances of them happening to me are about nil. Ditto having my laptop searched. What are they going to find, my porn stash? WTF do I care, really. It's not worth a moment of my life to worry about.
I retort: Maybe you should grow up and worry about things that are important, like where your next meal is coming from. I hear that it's growing fashionable now.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
But I dare say you may be safe... after all, TrueCrypt has probably received a visit from No Such Agency.
Google for crypto nsa backdoor
I think it is much easier to bring 2 USB keys to Mexico, move the data on them and send them home via regular mail, separately.
this post contain no useful information, no need to mod it down
they're have been over 20 lawsuits filed against US customs for them doing that exact thing (how many didn't sue?). So it is very unlikely the someone from customs will look at your laptop data. But not a absolute by any means.
Now the likely hood of those outside of US customs (ie a thief or friend, etc) looking at it is infinitely more likely. They may even blackmail you with that data. So it is a very good idea for him to encrypt the incriminating photos,etc and a few other things for kicks. I wouldn't worry about the video files ripped from DVD, at most rename them to something less obvious (for windows just change the extension, they won't even play then) Besides if you watching them on the plane the air Marshall seeing(and caring) you play them is slightly more likely anyway. Since entering the US is the only time you'd see customs just delete them as you watch And empty the recycle bin (restore from backup once home.)
Such a plan is an invitation for disaster and confiscation. Don't think for a second that encryption isn't a red flag. And if they could decrypt (I believe for many reasons that there isn't such a thing as an unbreakable cypher) your data, why are you angry? Would they steal it? Put it up on a flickr site?
Yes, the entire program is a total affront to both US Constitutional rights to reasonable search (this isn't), to privacy (yes, we need a real amendment) and just plain human dignity.
If you have important data, drop it to a DVD. Put that in a separate place. Carry lots of them. Don't look like a terrorist or mad scientist as you go through customs and immigration. Then restore your data as needed. And feel free to make your computer bag as messy as you can.
---- Teach Peace. It's Cheaper Than War.
No, problem not solved. He specifically said that he wanted his laptop for the flight, so your solution is no help there. And it is much, *much* easier for them to search your stuff if you send it through a private carrier. There's no expectation of privacy so they can inspect it without a warrant, which is effectively the same as physically carrying it through customs. But this way there's no upset traveller yelling at them and wasting an officer's time, and more imporantly, there's no way you would ever know if your laptop was searched.
I know it's the hip thing to worry about Customs rifling through your laptop, but statistically, you have much better things to worry about when bringing your laptop on vacation ... among other things:
0) Forgetting to bring the AC plug adapter,
1) Customs services in the foreign country,
2) Airport security on both ends,
3) Simple theft of the laptop during the trip,
4) Putting your laptop bag down on the bus and forgetting it,
5) Spilling coffee on your keyboard at an internet cafe, and
6) Dropping your laptop on your big toe and breaking both.
Practically speaking, Customs agents can't be bothered to search individuals that aren't acting truly "hinky". I've been traveling internationally on a regular basis for business. My travel patterns certainly fit a certain "risk" profile (long stays outside the country, frequent travel, watch list name match, etc.) and I've never, in six years of this, ever had anything searched or questioned, much less seized. Practically, it's not worth worrying about.
And that helps when they confiscate your laptop and "lose" it... how?
Pictures: Store them on a high-capacity USB drive, SD card, or other small device. Hide it. That way, if they get your computer, they still won't get your pictures.
Movies: Why I iPod ya? I think they're less likely to grab task-specific devices over computers. And they cost less.
Either way, by bringing along a laptop, there will always be the risk they simply take it and lose it. No amount of data trickery can get around that.
Towards the Singularity.
Truecrypt provides plausible deniability - the capability to create a hidden encrypted volume within another encrypted volume, thereby allowing you to grant access to unimportant/dummy data when a password is asked for without the attacker knowing additional information even exists.
To do this you need the TrueCrypt bootloader installed, which is a dead give-away that you probably have a hidden volume. If you don't and they suspect of being a terrorist sympathizer you'll just get thrown in Gitmo until you give up your secrets.
TrueCrypt plausible deniability is useful against those who cannot employ deadly force against you.
If you're really concerned, wipe the drive, install linux on a small partition, use an encrypted network connection to upload the photos, then secure wipe the drive and install Windows XP on it for your border crossing. Better yet, get a $50 used laptop and leave it with a local school.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Go a step further. Take a 16GB flash drive, and create a 512 MB partition on it. Mount the rest of the drive using a 512 MB offset, and put your encrypted volume on that. Place a few scenery pictures on the 512 MB fat32 partition, and finally print up a label that says 512MB and stick it on there. They wouldn't even come close to seeing that there is an encrypted volume hidden on there then.
So, you don't believe in life insurance, then? How about property insurance? Do you even lock your door when you go out? I don't worry too much about getting killed or having my stuff stolen, but that doesn't mean I don't take reasonable precautions for it. Having those precautions in place saves me from worrying about it.
Personally, I don't worry too much about where my next meal is coming from, because I have a job. If I lose it, then perhaps I'll worry, until I find another one.
Millions and millions of people travel with their laptops to all countries in the world. Just about no one has problems. Keep things in perspective.
Yes, you should be concerned about laptop searches and seizures as a general principle of public conduct. No, you shouldn't be at all concerned about your laptop on your trip.
Extending off of this idea, My solution for travel to the US was to remove the hard drive, leave it at home, and run my laptop off of an ubuntu livecd. Any data I wanted to keep was stored on SD cards purchased in the US.
Note I spend about zero time thinking about these things because the chances of them happening to me are about nil.
Which just goes to show how bad people are at understanding small probabilities.
It's foolish to completely ignore possible bad events just because they're unlikely, just as it's foolish to spend lots of time preparing for most unlikely events. The right way to handle unlikely but severely damaging events is to spend a small amount of time on them, and use that time to mitigate the risk to whatever extent is feasible.
For example: you could get run over by a bus. Therefore, it's prudent to pause for a half-second before crossing the street and look both ways to see if perhaps a bus is coming.
You could get unfairly imprisoned by a cop for a crime you didn't commit. Therefore, it's worth learning a little about what you do and don't have to say to police in order to minimize the probability that he'll be able to find probable cause for an arrest, and it's a good idea to have your attorney's phone number in your cell.
Your house could be robbed. So, you should have insurance that covers theft, and should take 15 minutes once a year to video the contents of your home, and store the video in your small fireproof safe (where you keep important stuff to address the small probability that your house will burn down).
You could catch a nasty disease from a public toilet seat. Well, you could use one of those seat protectors, I suppose. Personally, I think the risk is too small to bother. I do, however, make a habit of grabbing a piece of toilet paper to wipe off the seat before I sit down. This would provide some protection from nasty diseases, but also addresses the much more likely issue that someone may have peed on the seat.
And so on. Don't ignore small risks, just take appropriately small actions to mitigate them to the degree that makes sense. If you need to figure out how much makes sense, just come up with a dollar figure that values what you'd lose if the event happened and multiply that by the probability of the event happening in a given year. That's the expected annual cost of that risk. Pick an hourly wage for yourself, divide the risk cost by the wage to get a maximum amount of time that it makes sense to spend addressing that risk.
In the case at hand, it's probably worth a few minutes to type an Ask Slashdot question and read the answers, then a few more minutes to implement whatever seemed to be the best EASY suggestions.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
We flew into Munich, traveled by Train to Austria and returned to the US via Munich. We had no issues other than US Customs wanted to review the food items we were importing and declared. We knew that when we bought the Austrian chocolate and it took maybe an extra 5 minutes to go through the Agriculture lane for customs.
I did burn a DVD of my pictures as a backup, more in case the laptop was stollen than if US Customs wanted to retain the laptop.
Get over the paranoia and go see the world.
I believe for many reasons that there isn't such a thing as an unbreakable cypher.
Theoretically that is true, but the computational complexity (i.e. the number of operations required to solve the math problem) of modern crypto systems is such that rarely will an informed and determined adversary attempt to brute force the crypto system. In fact the number of operations and computing power required render the entire attempt hopeless, since the data cannot be recovered in this way within a single human lifetime (i.e. 120 years) even when the resources available to first world governments are taken into account. It is more likely, assuming that they have no qualms and are determined to get your data, that black bag or rubber hose techniques will employed instead. Basically, if the computer leaves your sight and possession (i.e. it is taken into the back room before being returned to you) then that particular computer can never be trusted again, which is why you should have a backup of your data somewhere else, preferably on a secure off-site server, before you begin your travels and regularly update it during your trip. As far as I know, from my background in Computer Science, modern cryptography provides security that it at least as good as any alternative method and most probably substantially superior to those alternatives. The mathematical and theoretical foundation of modern crypto is well understood and proven (the government also uses these same or similar crypto systems for their own data, so draw your own conclusions about the effectiveness of modern crypto systems).
Don't think for a second that encryption isn't a red flag
So what if it is? Do we surrender our rights under the Constitution because authoritarian elements within our government are treating us all as criminals and terrorists with something to hide? Shall we surrender to fear and give up our rights in response to terrorism or criminal activity and in exchange for what? The promise of those some government agents to protect us against the bad guys? No thanks, I will take my chances with my rights intact. A right not exercised is a right that does not exist except on paper. We should all encrypt all of our data in order to more effectively assert our collective rights against unwarranted search and seizure.
And if they could decrypt...your data, why are you angry? Would they steal it? Put it up on a flickr site?
It is the principle of the thing. The government in the US exists because of the consent of the people. Here in the United States, at least according to the Constitution, the individual citizen is sovereign and any powers not specifically granted to the government by the consent of the people are reserved to us the people. I would rather that everyone walk around armed to the teeth and encrypt all of their data then live in an authoritarian nanny state where big brother is watching.
If you have important data, drop it to a DVD. Put that in a separate place. Carry lots of them.
There are many ways around their schemes (some better than others) and that is one of them. The fact that determined and knowledgeable adversaries can slip through undetected makes this whole piece of security theater even worse. It only inconveniences and compromises those citizens and people who are not able to, by reason of ignorance or incompetence, protect their data (which almost certainly would not include anyone intent on doing real harm).
Regular people, just doing ordinary legal business now need to worry about this?
What the fuck is up?
Doesn't this read more like an item that one would have expected to read - historically - by someone concerned about a visit to the Soviet Union, East Germany or Argentina? Looks like the Soviets didn't lose the cold war. There are just 1st and second runners-up, with both losers in a 15 year period, no? I mean, you fuckers used to have LAWS. You used to have a Constitutional validation of basic individual rights! But, I guess there are more important things to a nation, than the consent of the governed.
In America, Soviet Union becomes YOU! You fucked up, America. And now you no longer exist in any meaningful context. The only single thing that defines you as a coherent entity within your borders is the way in which you are taxed - without representation.
I don't know if I am angry or sad. But it is sad.
"Flyin' in just a sweet place,
Never been known to fail..."
Simply upload your photos from your hotel room (or an Internet cafe) and delete them from your laptop before leaving for home. Viola.
why data on one's person should be excluded...
I think if the person is, for example, a lawyer, the data in question could be protected by attorney/client privilege, and therefore they could face disbarrment for disclosure, even were it done under color of authority.
I imagine, in fact, that this is a real issue for lawyers attempting to operate on behalf of the detainees at Guantanamo Bay.
But I'll also answer the question in the subject, as to why it should not simply have an exclusion cause for lawyers, instead of being struck down for everyone: because it's in my head and they have no right to search my head. What's the difference between data in your head and data encrypted with a password stored in your head? To me, the data is in your head, and the data on the hard drive is just a useful memory aid.
Oh, and if the original poster is more concerned about them getting his data than about losing the laptop, make a one time pad, make a copy of it, put the copy of it in a safe deposit box, travel outside the US, and then after encrypting the data with the OTP, destroy the OTP so it is impossible for you to comply.
-- Terry
You're absolutely right, it'd be downright trivial to confound any "homeland security" flunky. Those wretches couldn't find their own genitals with both hands and a flashlight.
What bothers me is that we're even talking about this like we're troubleshooting a minor tech issue. Why the hell should we have to even think about this? How did we get a place where this is an issue to deal with?
What comes next... they require us to install and run a government supplied application to scan the disk? I mean... that would be in our best interest, right? It'd shorten the lines and protect our children from terrorists at the same time? It's lightweight and unobtrusive, while protecting our freedom?
This country has a horrible sickness, and no politician is going to cure it. I'm about as normal a guy as you'd ever meet... but something has to happen to wake us the F* up, and I afraid it'd have to be something terrible.