Whitehat Hacker Moxie Marlinspike's Laptop, Cellphones Seized
Orome1 writes "The well-known whitehat hacker and security researcher who goes by the handle Moxie Marlinspike has recently experienced firsthand the electronic device search that travelers are sometimes submitted to by border agents when entering the country. He was returning from the Dominican Republic by plane, and when he landed at JFK airport, he was greeted by two US Customs officials and taken to a detention room where they kept him for almost five hours, took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them."
Fuck the TSA goons. Those fucking low-rent frotteurs have it coming to them.
I'm still not sure how this doesn't violate the Fourth Amendment. Customs has the right to view your belongings for *safety* reasons, and to ensure that the items you are carrying are not contraband. Does code constitute contraband now? Can you be arrested for having code on your machine? I'm not talking about copyrighted, installed programs.... if something is encrypted, isn't that the same as having a secret in your mind? You know they dumped his drive, but the main question is whether they're allowed to. Isn't that stealing from the passenger then?
I know they were returned to him, but couldn't he have used hidden volumes or something for his laptop so that they wouldn't ever find it in the first place?
Link to longer article at CNET
It's like the duty-free shop of search & seizure.
took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them.
Really, why try to sensationalize a story by omitting its outcome?
The fact that something as ridiculous as "incoming data storage devices searches" even exists should be enough of a story by itself, and that has been known for quite a while.
I dunno about installing anything on his devices if they couldn't get in, but it would be unlawful for them to do so. Of course this is the government we're talking about. I say destroy all data, reflash keyboard firmware.
I worked through this policy myself as an intellectual exercise (A protocol for China. Or Defcon. Take your pick).
Basically, take a laptop with an easy to swap hard drive. Swap in a new drive, with a clean image, and no access credentials except to a temporary dropbox account for emergency mail and/or working set.
Now if you are intercepted, there is no data TO capture, and you can remove all but hardware/bios trojans by a wipe and reinstall.
As a bonus, you can just take out the drive, hand it to customs, and let them have fun with it.
Test your net with Netalyzr
No, I cannot give you the password for the harddrive encryption Sir.
You see this is not my laptop. It belongs to a company myname plc. If you want to obtain passwords for it you have to approach our legal department about it.
It's not about the hassle of it all. It's not about having the "peace of mind" that privacy as we often refer to it brings, and it's not about sheer rebellion. We want to keep our freedom at the borders for simple reasons like this one. The possibility that ridiculously strict flight checks could have much wider impact than what is currently purported. Just like how a company recalls defective products for the small possibility that someone could get hurt. Why aren't our laws as reasonable as that? Because it's much easier to use fear and lack of knowledge in a shot-gun approach to looking capable at security while getting some gravy on the top in the form of a social surveillance mechanism. So far, it's working.
The eternal struggle of good vs. evil begins within one's self.
The constitution only protects against "unreasonable" search and seizures, with unreasonable being up to the interpretation of the courts. Border searches have long had a broader definition of reasonable (since the very first session of Congress), and are not limited to safety and contraband. FindLaw has additional commentary on the issue.
Our story begins with Moxie Marlinspike seated in a detention room. Unbeknown to his interrogators, he had shipped his real laptop and cell phones ahead of his flight.
Fed: What's the password of your PC?
Moxie: Goatse.cx
Fed: How's that?
Moxie: You know, "goat sex"
Fed: Huh? Er, how are you spelling that?
Moxie: G O A T S E dot C X
Fed: Oh, okay.
Enters password, waits for the PC to boot. Upon booting, the desktop background is the infamous image. And the hard drive is filled to capacity with files having the most intriguing names. One by one the agent opens files only to discover every single one contains the infamous image.
Fed: Thinking to himself: I have got to make a copy of this--Big Sis is gonna love it!
He should've walked back to America, or get off the plane at a precisely more frugal waypoint. I bring a parachute with me on every flight and it will save my life more than a blow-up preserver or overhead oxygen dispenser ever would. It is the point of encryption to isolate searchable data from encrypted data known as an executable. Customs shouldn't search his binaries when they are looking for porn on someone's laptop in all the wrong places. Some of us need to be somewhere, especially consultants and bankers!
If the govt. is interested in you, it's going to be interested in your computers and cell phones. Makes sense, right? So if you don't want the govt. diddling your electronics, don't carry them on airplanes or across an international border. Isn't that pretty simple? The alternative is to have multiple sets of cell phones and computers: one set with all the good stuff on it, one set with nothing important on it that goes with you on planes and across borders so the government agents will have something to amuse themselves with when they detain you.
What exactly is the advantage of harassing one of the good guys?
I would never trust my hardware again once I had handed it over to some customs (or other government agent) goons, and it left my sight. I would rather just remove the hard drive and hand it alone over to them, at least then I wouldn't have to trash the whole thing.
There's really no way to be 100% sure you successfully "re-flashed" the BIOS, or cleaned all hardware as some posters have said they would do. Not to mention: There could be additional hardware installed, 5 hours is a long time...
You could tear your machine apart and inspect it all you want, but it's well known once the enemy has unfettered physical access to a device, all bets are off.
I travel to the US a lot for business. What I do is Fedex my "real" hdd to the hotel I'm planning on staying at, usually 1 day before travel to the US is enough for it to be there waiting for me when I arrive at check-in (obviously it's an encrypted disk).
I travel with my laptop, with a small capacity hdd that has a clean install, some common oss apps installed, some bogus documents downloaded from Scribd, some fake e-mail accounts with credentials saved in firefox and some typical surfing history. The aim is to make them feel like they've found the stuff they're looking for and that there isn't anything worth pursuing - rather than trying to be a smart-ass that makes them even more intent on performing those unwanted rectal examinations. I've had my laptop taken twice in the last 3 years, and on both occasions after providing access details, I was given the laptop back within 5-10 mins. Other people I know that tried to screw over the TSA/customs by not providing all the access details they wanted ended up never seeing their machines again.
Though now with the new scanners at play in the airports, I'm trying to reduce my travel to the US to a minimum. If I have to travel, I charge a premium for the various inconveniences endured, most clients are sympathetic and pay without much fuss.
better still: cat /dev/urandom > /dev/hda # eat my highly-encrypted shorts
It's in the on-board flash ROM, so you can't easily wipe or check its integrity. Not only the BIOS can be reprogrammed, but hardware like GPUs and peripheral controllers have their own ROM with a complete RTOS in some cases. I have a RAID controller I got from a junkyard. I noticed it has an Intel logo on the big chip, googled it and it turned out it was an ARM-based single board computer which seemed to be capable of running full GNU/Linux.
>Customs is a legitimate and competent part of the government
Really? Customs have become an arm of the MPAA and RIAA.
Yeah, we need CD-Rom sniffing dogs, not monitoring illegal aliens, not enforcing laws that punish employers that hire illegal aliens at half of minimum wage.
Fight Spammers!
There is a very simple solution to all of this sparky. Put data on the internet in an encrypted format. When you are away, you put the information up. Leave the computers and phones clean. Squeaky clean. Annoyingly clean. Oh sure, maybe you can put up some really bad videos, and ads about how the TSA and FBI are violating rights for detaining travellers an inappropriate amount of time. You can encrypt something with a hard cipher, a message such as "It's wrong for the NSA to steal other people's data, and then demand passwords."
Reinstall into hardware they scanned and logged all the unique stats off? You can wipe, change some hardware numbers but they will just look for your computer again.
Why glow so bright online but they will get back to you via a sneak and peek soon enough.
Domestic spying is now "Benign Information Gathering"
Shamir's method is proof against production requirements if you do it right. Any whitehats traveling international should become familiar.
I can't think of a single thing that could be carried on any laptop that warrants the harassment of millions a year.
Even if a 9/11 scale event happened every single year, it would take more than four years to match a single year of alcohol-related deaths in the U.S.
Problem is it is going to have to get tested in courts, most likely the Supreme Court, and that takes time. Searches at the border themselves are completely legal. That has been established long ago. You have no expectation of privacy there, and the government has a right, and duty, to secure its borders. However the idea behind this was searching for contraband more or less. A regular search. The whole "copying your entire harddrive" or "taking your computer and not giving it back for months" is not something that was considered because such devices weren't around.
Well that being the case there's three ways this could change:
1) The president could order it stopped. Even if the government does have the authority, they don't have to exercise it. However the whole thing started with the executive and it is pretty clear the president has no wish to put a stop to it.
2) Congress could pass a law stopping it, or more generally defining what is and is not allowed in border searches. Pretty clear they are not at all interested in that.
3) The Supreme Court could find the searches unconstitutional. I think there's a reasonable chance that would happen, but only if a case reaches them. Unfortunately that is kinda hard. More or less someone has to either be convicted of criminal charges based on evidence obtained in this way, or harmed by it in some manner giving them standing to file a suit. It then has to work its way up. Also, it needs to be a good case. Any civil rights lawyer that would take it up to the SC would want a solid case because if you lose, then you are fucked and getting it reversed would be near impossible.
As such this shit will probably continue for a good while.
What you can do about it is write to the president and your representatives and let them know this is an issue that matters to you and one you'll vote on. The only hope of getting the practice changed any time soon is to get the president to order it halted, or congress to pass a law preventing it.
Here is how he should have responded...
http://www.youtube.com/watch?v=XierBpLGgwQ
There are no safeguards for these thugs of Customs-enforcement from putting those materials onto the computer's magnetic storage because there is a financial incentive that rewards for displacing such content onto those tools.
It looks to me like all these Federal agencies are just a bunch of perverts that show-up and say they want you to sell them Child Porno, Alcohol, anti-United States media, Fire-Arms, Tobacco, and nuclear weapons: what are they going to do with such material when they have hold of it, other than enjoy it like the rest of the world does?
Tell them to get their own porno, they don't need my computer to watch porno on or use my computer to download and watch porno on. No safeguards whatsoever, and they are running a-muck about it with their double-speak words.
Customs: "HEY MISTER, WE ARE LOOKING FOR PORNO! GIVE US YOUR COMPUTER! WE WANT TO FIND PORNO!"
Me: Porno is immoral material, and I don't want you to put porno on my computer.
BATFE(ces): "HEY MISTER, we want to shoot your guns and ammo while we smoke your cigars and drink booze, give to us now"
Me: Cigars are for my pain-relief, Alcohol for me to forget the stresses of the day, and the fire-arms are for protecting myself and others from any that take property without compensation even if ployed by unethical currencies.
I think that last point is a little silly, but I agree that there isn't any good reason for them to be looking at the data on laptops. The only possible reason I can think of is that they hope to get lucky and stumble across something objectionable, like child pornography or .txt files containing detailed contact information for Osama.
The soon to be syndicated series - "so much for the fourth amendment". Check your local listing for the next show time and channel!
No need to travel to work if you work from home. I own a St. Louis Marketing firm, I should know!
Kathryn Sias http://www.oassist.com http://www.kathrynsias.com
Then get rid of your computer. Seriously, because something like that you aren't talking half-assed law enforcement agency (which is what CBP is) you are talking national intelligence agency that really, really, wants your shit. Well you think that the only time they could pull something like that is at an obvious stop? Not hardly. They could do it before you ever get your hardware. So you order a new motherboard, they intercept the motherboard in transit, replace it with one they've modified, and on it goes to you.
At some point, you have to realize that it is just not worth it, you aren't as valuable as you think you are, and simply trust that your computer is probably fine. If you jump at shadows as badly as your post suggests, then you can never trust any computer ever that you didn't personally build every part on yourself.
haha!
Be sure to start this a few months before you leave. /dev/urandom is INCREDIBLY slow, second only to /dev/random... /dev/frandom (which requires a custom kernel module) is probably "good enough".
I just tried to reply to someone in this thread about how Kitty Pron (only spelled the other ways) was one of the root passwords to the US constitution and the submission just evaporated.
So yes, kitty pron, and drug stuff, is "contraband" so subject to border search no matter how unreasonable that is. (we cannot keep cell phones and drugs out of prisons but we expect to keep _information_ from penetrating our border... go figure.)
While it was a tad sarcastic it was in no way "filter worthy" and it _was_ previewed and submitted.
So apparently our draconian guardians exist here as elsewhere. All hail the nanny state. Zig! File!
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
>>Even if a 9/11 scale event happened every single year, it would take more than four years to match a single year of alcohol-related deaths in the U.S.
That's a poor way of thinking about it, kind of like saying that banks shouldn't have security guards because over 99% of robberies take place outside of banks.
That said, though, our national security system is incredibly brain dead in some parts. Janet Napolean, what can I carry in my shoes that I can't carry in my pockets?
So...
Whatever happened to him in the mean time is OK so long as it reaches a satisfactory conclusion?
Most^H^H^H^H Some Slashdotters are smart enough to understand that the ends never justify the means, that this person was picked on, detained for 5 hours and subjected to an invasive search was _not_ all well and good because he got his laptop back.
In the end, I'd put good money on this person being picked up because he was coming in from the Dom Rep rather than because he was Moxie Marlinspike. The TSA likes to pick on single males coming in from potential sex tourism destinations, perhaps because it's the low hanging fruit. Bust a few guys coming back from the Philippines with some home made porn (a pic of a naked Pinay is not hard to get) and make it look like you're doing a great job, after all who would defend these dirty sex pests (they are probably all pedo's anyway). Incompetence rather than malice, but the end result is the same.
Calling someone a "hater" only means you can not rationally rebut their argument.
Or how long it would take that the 160 000 civilians what U.S Soldiers and its mercenaries has killed. Oh, they were not U.S Citizens so it is not big deal.....
Keep your data in the cloud somewhere protected with passwords and secure protocols (SSL, SSH etc). If you need to do work on an airplane flight where internet access is unavailable, you download the data before you leave. Then you do your work on the airplane. Upon arriving at the destination but before passing through customs, find a place with a WiFi or 3G connection to the internet and upload any changed data.
At the point where you no longer need to actually use the laptop, you do a reformat or re-image or something so anything on there is wiped out. If it's got a recovery disk or recovery partition, use that and completely re-image the machine that way.
Customs can look at it all they want but since it's an empty laptop, there is nothing for them to find.
When traveling out-of-country, do not:
Bring your best laptop with you. Bring a cheapie that you don't mind losing. This way you don't have any real qualms about abandoning it when these ass-wipes pull this.
Keep anything important on the machine, encrypted or otherwise. Have an internet dead-drop you can push things to before crossing borders.
Leave anything important on the machine. Use a decent file shredder to eliminate it.
Chas - The one, the only.
THANK GOD!!!
Really, guys, I run a software recovery business and turn-down people with hardware problems. I tell them to document honestly what's on their harddrive, so nothing nasty is found that I plan one day after 2 years of collecting failed drives to initiate a sequence of "paper terrorism" where all my drives get seized for analysis by Goobermint officials. Then I explain to them that their extractions must've caused some physical anomalies, to which they will need to recover all the data from the dead drives they obtusely removed on mere superstitions.
We'll ride-out this little political movement of seizing data, as profitable as possible.
I had an idea for a duplicitous encryption scheme. Not sure if it's already been done.
It's very simple: you can use one of two keys A and B. If you use key A, then you get the plain-text you wish to keep private. If key B is used, then you get some diversionary data (something innocuous, but for which encryption is plausible). The encrypted files would be larger, but the scheme could be made so that you would never know if there are two sets of data or only one.
Thus if you encounter nosey border guards, you type in key B and show them your soft-core pron collection ("I didn't want the wife to see it, Officer...")
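The two-key scheme proposed in the comment above, as an added example that is not part of the original thread: a fixed-size container with two slots, where an unused slot is filled with random bytes so a one-secret container and a two-secret container have the same size and layout. The HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real cipher such as AES-CTR, and every name and size here is an assumption made for illustration.

```python
import hashlib
import hmac
import os
import struct

# All sizes and names below are illustrative assumptions.
SLOT_PAYLOAD = 256                      # fixed plaintext capacity per slot
NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16
SLOT_LEN = NONCE_LEN + SLOT_PAYLOAD + TAG_LEN
PBKDF2_ROUNDS = 100_000


def _keys(passphrase: str, salt: bytes):
    """Derive independent encryption and MAC keys from one passphrase."""
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              PBKDF2_ROUNDS, dklen=64)
    return raw[:32], raw[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stdlib stand-in for a real stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _seal(passphrase: str, salt: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one plaintext into a slot of exactly SLOT_LEN bytes."""
    if len(plaintext) > SLOT_PAYLOAD - 2:
        raise ValueError("plaintext too long for one slot")
    enc_key, mac_key = _keys(passphrase, salt)
    # 2-byte length prefix, then data, zero-padded so every slot is the same size.
    body = (struct.pack(">H", len(plaintext)) + plaintext).ljust(SLOT_PAYLOAD, b"\0")
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(body, _keystream(enc_key, nonce, SLOT_PAYLOAD))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def make_container(key_a: str, secret: bytes,
                   key_b: str = None, decoy: bytes = None) -> bytes:
    """Build salt || slot || slot. Without key_b the second slot is pure noise."""
    salt = os.urandom(SALT_LEN)
    slots = [_seal(key_a, salt, secret)]
    if key_b is not None:
        slots.append(_seal(key_b, salt, decoy))
    else:
        slots.append(os.urandom(SLOT_LEN))
    # Randomise slot order so position does not reveal which data is which.
    if os.urandom(1)[0] & 1:
        slots.reverse()
    return salt + b"".join(slots)


def open_container(passphrase: str, container: bytes):
    """Return the plaintext this passphrase unlocks, or None if it unlocks nothing."""
    if len(container) != SALT_LEN + 2 * SLOT_LEN:
        raise ValueError("unexpected container size")
    salt = container[:SALT_LEN]
    enc_key, mac_key = _keys(passphrase, salt)
    for off in range(SALT_LEN, len(container), SLOT_LEN):
        slot = container[off:off + SLOT_LEN]
        nonce = slot[:NONCE_LEN]
        ct = slot[NONCE_LEN:-TAG_LEN]
        tag = slot[-TAG_LEN:]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):   # this slot belongs to this key
            body = _xor(ct, _keystream(enc_key, nonce, len(ct)))
            (length,) = struct.unpack(">H", body[:2])
            return body[2:2 + length]
    return None
```

The same idea at disk scale is what TrueCrypt-style hidden volumes implement; a toy like this does nothing about traces left outside the container, such as recently-opened file lists or backups.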
While he didn't come to them squeaky clean he did become from their point of view "one of the good guys" working alongside NSA agents, giving talks at their conferences etc all the while in his spare time ripping off millions of credit card numbers even using some of the government servers in the attacks. The Gonzalez trial is such a public spectacle I can't help but think that might have influenced their attitude.
Of all of the reasons, the first is the only justifiable one. If I was really convinced that this was the why these searches were happening then I would happily submit to them; however I am not convinced and so I am not happy about the searches.
More fun: Encrypted data on a remote volume (through the internet via VPN), accessed with vanilla knoppix livecd, in a completely HDD-less laptop.
If asked why there is no HDD, reply that you intended to work on the beach, and needed all the battery life you could get.
It should be interesting to see them mirror an empty drive bay.
Might be old... but if you do have files that need to stay private, can't one use steganography and use carrier files?
Or is that so old and broken one can't even hide the fact they got files they want to keep private and simply show a good old style photo album or music collection?
I used to travel with a huge Compaq "lunch box" with an expansion cage on the side that could hold 2 ISA cards. The space was plenty big enough to hide a gun in, and I could refuse to have it Xrayed citing fear of erasing the hard drive, so I just had to demonstrate that it booted up when going through airport security. Ah, the good ol' days...
My mother has successfully accidentally smuggled a knife onto a plane in her makeup kit, and my sister went through security with a knife attached to the _outside_ of her backpack... the security supervisor made them keep running the backpack through until they saw it, I think it only took them 3 passes.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Sending all your Data onto one of those $10 per month multi-gigabyte file hosting companies sounds like US Customs just itching to install a middle-man to Regulate you.
I briefly remember how US Customs didn't like seeing that I sent broken computer hardware back and forth to Ireland as declared to be usually $10 and sometimes $0, to be repaired and then re-imported at a restored value; eventually US Customs looked at my broken dismembered assemblies for part numbers and started cataloguing them at full retail value and taxed me as retail and then when a finished product was imported they would tax me again. It's completely absurd, no different than someone exporting their raw steel and being taxed as though they were exporting a finished Lamborghini and then importing the same to be taxed again.
US Customs, and all the related alphabet Gangs of the federal Government, are nothing more than a revenue-generating bunch of scam artists that would sell-out their own hosting countries they are parasitically attaching themselves onto by Federation. That's why most of them are secretly privateers trying to move monopoly powers to companies they have Shares or Interest in, and then everyone working under them are always the Felons that do whatever necessary without hesitation to bring the plans in motion. Just one corporation I know of is a perfect example of complete power-grab having nothing to do with helping the people but making them more dependent and feeble-minded: Bureau of Alcohol, Tobacco, Firearms, Explosives...what next to add for B.A.T.F.E.ces?
> Be sure to start this a few months before you leave. /dev/urandom is INCREDIBLY slow, second only to /dev/random
Sorry bro. Yes it's slow. Yes, on big drives /dev/urandom takes a few days. But not a few months...
A security researcher who can't even notice if his Data or Machine has been tampered with!? Surely if the screws on the bottom of his notebook look Burred then someone has indeed had it open, that then begs the question if you yourself deliberately Burr the screw heads on the bottom of your net-book, requiring someone to use a dremel or other type of machine to remove the hard-disk drive, would they then need to hold you for longer than four and a half hours? In all likelihood they forensically mirrored his drive and gave the machine back to him expecting him to be none the wiser.
Gosh, it is amusing to see the reaction of Americans who just recently voted the teabaggers into power. So Obama didn't fix the entire country in two years partly because he was constantly opposed and any attempt to lessen the "security" would have made it even worse and increased the calls that Obama is in bed with the terrorists and a Muslim. So, put the teabaggers in power. A party so open that it doesn't even allow journalists at its rallies. The US is not slipping into SOVIET style control, it is already there. And all the US voter can worry about is that they might have to pay the medical bill for their own future self. Meanwhile the entire country is being closed down.
The truth of the Soviet empire is that it was actually quite free. If you think there were checkpoints at every corner, daily raids etc, you got to stop watching movies. The ordinary citizen was free, as long as they didn't misbehave. An American citizen is free. Free to travel, free to speak. Just as long as he doesn't travel while speaking to the wrong people. This guy is linked to the wiki-leaks, the state does not like those leaks, so it questions those linked to it. The ordinary US citizen never notices any of this. The vast majority don't even fly. All they care about is that nazi-death squads will be culling their babies if that Muslim gets his ways.
A "lot" of slashdotters rage about it all, but fail to translate it to the average person. This story got 250 replies. In a nation of 300+ million. That is not insignificant. It is non-existent. And I am fairly certain more than half of those raging against this, voted for parties that support it because they are afraid a single penny of their income might go to another human being in need.
Bread and circuses, doesn't have to involve consumables and clowns. It is anything to keep the populace occupied while the state does what it wants. The brits used cricket at one point, to stop it revolting like the rest of the world. Have them wave flags to honor the king the royalty gland will weaken the republic bone.
The US has perfected the art of propaganda. All of Hollywood churns out more propaganda than the USSR or Germans could ever have dreamed of. The "American Dream" is the motif. Yes, YOU can have TWO cars, a big screen TV, a large suburban home. Just don't question how and we will supply. All we need is your sons to fight endless foreign wars, but never too many of them so most of you will never be asked to pay the price.
And the stronger people begin to see the price, the stronger will they defend the "cause" because if they do not, then they have been living a lie. They might have to pierce the veil and see reality and that ain't attractive at all. Rather believe the tea party and its claims of wanting to bring back America to a bygone age without ever actually stating what age that is or asking people to LOOK at WHAT really happened during that age. But hey, anything is better than waking up and having to clean up the mess of decades.
If you don't believe me, compare some of the late nazi propaganda movies showing a victorious German army while they were losing on every front and compare it to Team America that shows them winning easily against those moronic towel heads while America is once again fleeing a battlefield with its tails between the legs. Oh yeah. Mission accomplished, so we can safely withdraw from Iraq because the country is so safe now.
Open your eyes, if you dare.
This hacker guy lived in a dream world. Thinking he can carry encrypted data without hassle because nobody is smart enough to crack it. HAHA. Well, he found out. Welcome to reality. Why on earth would you even carry a laptop through airport security? Just buy a new one at your destination. Safest method and send the data over the internet. But no, he believed the dream and still does. Because the reality is too harsh.
And no, this isn't just a rant about the US, other countries have the same problems. Exactly the same. Reality is democracy asks for intelligent, involved and aware voters and we humans are most happy when we aren't.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Isn't this why you Americans are allowed to have guns? Shouldn't you be overthrowing your government and stopping all this stuff that has been in the news recently?
I think it would take a little more than four years. Unless you are working from different numbers than what's readily available with a quick Google search. 9/11 US death toll: about 3000. Yearly alcohol deaths: about 85,000. Of course that is not counting all of the deaths from drunk people violently killing another person with a gun, knife, etc... So it would be more like 28 yrs.
It's a white guy with dreadlocks. Surely he has bigger problems than customs (with whom he is likely to have problems until he makes better personal grooming decisions) :P
If their purpose is to wipe potentially "harmful" information from entering the country when are they going to start using ECT or a bullet to the head to scramble another storage medium they can't index... you.
But, unless you leave the disk wherever you were or at home, they can still search the disk. Just without you being there to tell them to cram it. Remember that any mail going across the border can be searched by ICE.
No matter what you are doing, be it legal, illegal, or questionable, store nothing on your laptop at all. Just use it as a remote access device, and assume it's not coming home with you (disposable).
Or if you are going somewhere you have zero net access, truecrypt it and dump it before you head home, just in case.
---- Booth was a patriot ----
Fine, but with over 200G of data on my hard drive, it will take an age to upload to a dropbox account, and an even longer age to download it again once in the destination country. How to solve that?
Every experiment which ends in a big bang is a good experiment.
there is something that someone said goes like this : "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
I think it easily applies like this too :
"Those who would give up Essential Liberty to save a little Temporary property, deserve neither Liberty nor property."
they have given their country away, not to give out some percentage of their income for others. now, some others will take away their freedoms, and probably their income too, wasting it in distant wars, or censoring them.
Read radical news here
How much of that data is actually required for the business on which you are travelling?
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Moxie Marlinspike is his given name.
Surprisingly much. Depending on the trip (and I usually go for extended stays of a month or more), I need up to 7GB of software, and from 50GB of data. If I go for measurements, I can easily collect up to half a TB of data which have to be shipped across. (it goes fast with images).
My laptop HD only contains a subset of all the data (or partially processed data), so that would amount to about 200GB. Spending days before my trip to transfer that data to another set of drives and ship those drives, or to upload it onto some online repository is not on my shortlist of things to do (yet)...
Go one step further. No hard drive and a live CD of Ubuntu. They can have a copy of your CD. It stores no passwords, email accounts, etc. It is a little slow to use, but it is secure. Drive them nuts, bring a spindle of 100 as giveaways.
The truth shall set you free!
The weird thing about the bailouts is that Wall Street got their money, forgiving their mistakes, but only a few hundred billion could've paid for all of the residential mortgages in America.
I'm not a lawyer, but I play one on the Internet. Blog
Even if a 9/11 scale event happened every single year, it would take more than four years to match a single year of alcohol-related deaths in the U.S.
That's a poor way of thinking about it, kind of like saying that banks shouldn't have security guards because over 99% of robberies take place outside of banks.
Your argument is only true if you think that the threat of Customs finding documents on laptop hard drives is actually reducing the odds of terrorist attacks... I feel quite confident that security guards in banks do actually act as at least some deterrent. It seems to me that you are trying to compare someone trying to contrast two levels of danger with a cause-and-effect relationship.
"Making a scene" is not grounds for violation of legal rights or for retribution.
We are supposed to live in a country where saying "Fuck you, sir" to the police is legally protected.
So you are saying the government should be able to restrict my movement by somehow setting up an unconstitutional buffer zone within the US. That in this magical buffer zone somehow my rights as defined in the Constitution do not exist? Interesting, what if the president decides that the buffer zone should be expanded a few thousand miles inland?
Anyone serious about data security across the border doesn't carry a storage unit on their person, as their person gives the US police state the motive, means and opportunity to search their storage at the border. Instead, they transfer data over the Internet, either before arriving to a US machine, or once inside the US they retrieve it from the foreign machine to a US machine. Of course they encrypt it, with a long passphrase in practically unbreakable symmetric key encryption. If the data is too large to conveniently transfer across the Internet, they just copy the data to USB sticks, symmetric encrypt them, and mail them across - usually several sticks, on different carriers, to ensure at least one arrives safely.
So forcing people to unlock their personal data for border cops without any evidence that could convince a judge to issue a search warrant doesn't catch anyone serious. Indeed, I've never heard any evidence that these border searches, which search millions of people over many years, have ever produced anything of value to US national security, despite spending $BILLIONS and distracting thousands of expensive security personnel from the actual mission of protecting us from actual threats. Instead it just violates the privacy rights of millions of people, American and foreign, despite the exact contrary instructions spelled out in the Constitution.
All the Americans getting crazy about "securing our borders" and the Constitution haven't said a word insisting the Constitution protect our privacy rights when we return to our country from abroad where it's supposedly "not as free as here". Therefore I leave them in the category of people who are not serious about security. Or the Constitution, or our rights.
--
make install -not war
...the only thing that logging in could have possibly done is let them go on a fishing expedition.
Imagine the new screening process if the next failed airline bomb attempt comes in the form of a rectally carried device.
I prefer rogues to imbeciles because they sometimes take a rest.
http://wewontfly.com/
Abu Dhabi? Come on man, he's probably working with Al-Qaeda. You stick yourself in front of a bus and expect not to get hit.
Some kids are just crazy. Most of your 2600 crew run around flaunting rights of the Constitution but ignore the fact that by flaunting them in the faces of citizens they violate the citizens' rights. Which prompts law enforcement to violate yours.
There was a radio show where some guests were talking about getting arrested for taking pictures at the subway. Except they were also taking pictures of other pedestrians too. Remember that church that was protesting at funerals. Not cool.
Remember to prime the drive with /dev/random before it's formatted so they get to puzzle over how to extract the "encrypted" data that's hidden there.
I am becoming gerund, destroyer of verbs.
There was not overwhelming opposition to the bailout (also which one? there have been multiple spending measures). There was furious opposition from a small group. Many people didn't care, others were too concerned about their jobs and figured if this helped, great, and still others understood the reasons it was necessary.
Also if you are talking about the really large one, TARP, where the government bought a bunch of assets that banks were refusing to trade you may wish to do some research. The capital outlay for it was about $700 billion but if you think outlay is the same as final costs then you've a weak understanding of business and economics. Much doom and gloom said the cost was likely to be $400 billion in the end or so. However that has not been the case. Currently the TARP program looks like it will cost as much as $30 billion dollars, and as little as -$25 billion, meaning that it may actually turn a profit.
Now I'm not trying to discourage you from contacting your reps to let them know what you think. That is vital to a functioning democracy. I'm just trying to help you understand that those that didn't want things like TARP were actually in the minority, and that others understood the usefulness of such programs, and that the final cost would be much less than the sticker price. People got outraged by the $700 billion price tag and forgot to look at what was actually being gotten for that.
Again I think it is geeks puffing their own egos. Please remember that there's a vast, VAST gulf between law enforcement wanting to harass some guy, and a national intelligence agency being willing to spend a lot of money to try and snoop on them in an extremely covert manner. Remember that for the NSA to get involved, they have to be willing to break the law. Law says NSA is foreign only in their intelligence gathering. They can monitor communications to and from foreign locations, or systems that are on foreign soil but that's it. No monitoring in the US. I'm not saying they obey that in all cases, but that is the law meaning that if they got evidence its usefulness in a criminal trial would be nil.
So for them to even be willing to do that, there has to be a good reason. Then you are talking about some serious money spent to develop this custom monitoring BIOS that is both undetectable, unflashable, and ready to deploy on the specific device(s) this guy has. Then after all that, they totally ruin the secrecy by a big fluff up at the border.
Really? Sorry, but that pushes the bounds of credibility way too far for me.
Remember that in terms of covert surveillance the US law enforcement agencies can do that very well, they just need a warrant. They could then tap his communications, place cameras in his house, monitor with tempest, whatever they get a warrant for, and do it all covertly. Also any evidence obtained in that way is 100% legal, unlike evidence the NSA got.
So why the border thing? Because they've got shit. They aren't expending any massive resources because there's no evidence of anything. The NSA isn't going to spend millions to try and monitor some guy illegally for no reason. However no warrant or anything is needed at the border so they harass him. Doesn't cost anything (the agents are already there) and so on. Also didn't accomplish anything but there you go.
Sorry but I just can't support this massive ego complex so many geeks have of thinking they are so important that the government will go to extremely difficult, nefarious, lengths just to try and monitor them, all while doing it in an extremely incompetent fashion. No, they won't. You are not that important, nor that sneaky. If there's a real problem they'll get a warrant to monitor and/or search for the evidence needed.
I am fully aware of TrueCrypt, Bit-Locker and other hard drive encryption software but just because you have the software does not mean that you're 100% safe. Feds can hold you on the grounds of contempt or some other fabricated charge. Also, multiple passwords and hidden partitions will not stop you from committing a federal felony if you do not reveal them if asked. Customs and Immigration thrive on trickery, e.g.:
- What is your password?
- The password is "test."
- Do you have any encrypted partitions on the drive? If so, what are the passwords.
- Yes, I have an encrypted partition. The password is "test1."
- Is this the only partition? Do you have any other partitions?
You lie to the last question and you may find yourself in trouble....
Basically, take a laptop with an easy to swap hard drive. Swap in a new drive, with a clean image, and no access credentials except to a temporary dropbox account for emergency mail and/or working set.
Now if you are intercepted, there is no data TO capture, and you can remove all but hardware/bios trojans by a wipe and reinstall.
As a bonus, you can just take out the drive, hand it to customs, and let them have fun with it.
International corporations are already doing something quite similar to this. You carry an empty laptop with you - and download an encrypted "project package" at your destination to install any special software, and any data you need. You encrypt and upload your product data (if you need to bring it back at all) and run a program that wipes the laptop before return.
But of course spies, criminals and terrorists would never think of doing this.
Starships were meant to fly, Hands up and touch the sky - Nicky Minaj
Dude, do you know what the TSA is going to do to us the first time a terrorist hops a plane with a butt-plug bomb?
the growth in cynicism and rebellion has not been without cause
Let this be a lesson to everyone: there is no such thing as a "white hat" hacker. If you're a "security researcher" and you're not on the payroll of the U.S. Treasury, then the United States of America suspects you're much more likely to be an enemy combatant than the average person in the general population. And even if you are on the payroll, your employment can be terminated at any time without notice or cause.
There is no such thing as a white hat hacker. It's complete bullshit.
jhw
It should be noted that the USG has steadfastly avoided violating the 3rd amendment, and should certainly be commended for its restraint in this matter.
Except when it comes to installing spyware on people's computers - the cybernetic equivalent.
The point of "quartering troops" in people's homes was not just the seizure of the homeowners' resources to support the occupying army. It was also that the troops - living with the family, eating at their table, etc. - doubled as government spies scrutinizing all aspects of their behavior and most of their belongings. They destroyed the privacy of the home.
Spyware is the same story: Active agents of the governmental power, resident in the victims' space, supported by their resources, privy to their dealings and information, and reporting it back to the powers-that-be.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
format? What a waste.
He should take advantage of the opportunity and hand the machine over to an organization with the capability to perform the most detailed examination of hardware, software and firmware to produce hard evidence (if it should exist) of EXACTLY what was done to the machine by the agents.
You beat me to it. B-)
This is a golden opportunity to do some reverse-engineering on what malware - soft and firm - the government may be installing on people they want to surveil.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Oh, I know, you are going to complain about it on the Internet.
As usual.
And nothing changes.
As usual.
empty laptop ... download an encrypted "project package" at your destination ... encrypt and upload your product data ... and [wipe] the laptop before return.
And how does this protect you from the installation of hardware keyloggers, BIOS and other firmware-based malware, activation of Intel AMT or other firmware remote-management tools, and so on? Once they get their hands on the laptop as you cross the border the hardware can't be trusted, even if wiped and reinstalled from read-only media.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I brought just an internal SATA hard drive to Canada from the US, and while in Canada I wiped it clean. On the way back into the US they stopped me for a few hours. When I got home there were large files all over the drive.
Sounds like one of three things:
1) They installed some spyware on it.
2) Their machine was virus-infested and infested your drive.
3) Your "wipe" was a remove rather than a reformat-with-surface-analysis and they ran an undelete utility. (Were those files your previous content?)
I hope you held on to that drive - and kept it separate from any machine you're continuing to trust. If it's door number 1) you've got a pristine sample of their latest spyware tools without extraneous files for distraction. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Generally, I agree with the mission of customs, inspect stuff coming into the country.
Inspect what stuff? That kilo of cocaine, hash, or opium? They should all be legal. As well as marijuana, it should even be legal to grow.
Falcon
Should there be a Law?
please explain how in the fuck you get labeled a "white hat" for showing up at black hat conferences and showing everyone how to MITM SSL?
He is not keeping what he does secret or selling his tools for a profit. No, he lets the world know what holes there are so they can be fixed. Others have said he didn't contact vendors first; how do they know that? Maybe the vendors were contacted and given plenty of time but never fixed the problem.
Falcon
Should there be a Law?
"I have no idea what's going on, why this is happening to me," Marlinspike said in an interview for CNET.
Really? You can't? No idea at all? Someone who was there please tell me that he didn't say this with a straight face. I admire and applaud the man's work, but there is no way in this day and age (and an administration that believes it is above the law) that he can do what he does and not expect there to be consequences.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
This is a great chance to compare the hardware and firmware of the devices to the factory loads and see what tech they injected, if any. If they added or modified the firmware / software of the devices, the added code can be analyzed. Lots to learn from it. Then a comparison to that and submitted code to open source projects might get a clue to either who wrote the injected code, or code to look more carefully at in the open source projects. I do forensic software analysis and while this is a big task it's not insurmountable. A lot less than SETI at home deals with.
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
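As an added example that is not part of the original thread: the comparison against a factory load suggested in the comment above can start with a block-wise diff of a dumped firmware image against a known-good copy, reporting which regions changed. The function names, the 4096-byte block size and the sample images are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 4096  # comparison granularity; assumed here, use the flash erase-block size in practice


def diff_regions(factory: bytes, dumped: bytes, block: int = BLOCK):
    """Return merged [start, end) byte ranges where the dump differs from the factory image."""
    regions = []
    common = min(len(factory), len(dumped))
    for off in range(0, common, block):
        end = min(off + block, common)
        if factory[off:end] != dumped[off:end]:
            if regions and regions[-1][1] == off:
                regions[-1][1] = end          # extend the previous contiguous region
            else:
                regions.append([off, end])
    longest = max(len(factory), len(dumped))
    if longest > common:                      # one image is longer: the tail is a difference
        if regions and regions[-1][1] == common:
            regions[-1][1] = longest
        else:
            regions.append([common, longest])
    return [tuple(r) for r in regions]


def report(factory: bytes, dumped: bytes, block: int = BLOCK):
    """Describe each differing region with hashes an analyst can record as evidence."""
    findings = []
    for start, end in diff_regions(factory, dumped, block):
        old, new = factory[start:end], dumped[start:end]
        findings.append({
            "start": start,
            "end": end,
            "factory_sha256": hashlib.sha256(old).hexdigest(),
            "dump_sha256": hashlib.sha256(new).hexdigest(),
            # Data appearing where the factory image was erased flash (all 0xFF)
            # is new content rather than a changed setting.
            "factory_was_blank": bool(old) and set(old) <= {0xFF},
        })
    return findings


# Constructed sample data, not a real firmware image: 8 blocks of patterned
# "code" followed by 8 blocks of erased flash.
FACTORY = bytes((i * 7) % 251 for i in range(8 * BLOCK)) + b"\xff" * (8 * BLOCK)
_dump = bytearray(FACTORY)
_dump[2 * BLOCK + 100] ^= 0x01                        # one flipped bit in existing code
_dump[10 * BLOCK:12 * BLOCK] = b"\x90" * (2 * BLOCK)  # content written into blank space
DUMPED = bytes(_dump)

if __name__ == "__main__":
    for f in report(FACTORY, DUMPED):
        print(hex(f["start"]), hex(f["end"]), "blank before:", f["factory_was_blank"])
```

A diff like this only narrows down where to look; the changed regions still have to be disassembled or otherwise examined to say what they do.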
Title should be Why Does America Hate Its People
I've been away from the USA for almost over 10 years now, but I was born in Brooklyn and come from Russian and Irish immigrant stock and I am now afraid to go back to visit my Mom. If I lost my laptop or phone, I would be screwed, as I could not afford to just go out and buy another in case the TSA or Customs took mine away. I have stamps in my passport from Thailand, Pakistan, China, and many other countries that I don't think are held in high regard by US government officials. I don't dress much like an American anymore, and I speak with a slight accent. I am also over 40 but my luggage looks like it is owned by a 20-year old backpacker. I have that mustache. I know I won't make it through the screenings... what to do?
So you are saying the government should...
I'm not saying that they should. I'm just telling you that in this magical buffer zone within the US, you might as well forget whatever right international law doesn't grant you. My opinion on the matter doesn't amount to squat, so should the government limit and whatever else the crap you said, my reply is, "No they shouldn't" Do they? Uh, yeah. Do you have any recourse to change this? Not a single ghost of a chance in the remotest of dreams. My suggestion, get used to it (or bomb the border station or whatever the else you think will make you happy.)
That in this magical buffer zone...
Yes, that's exactly what I'm saying. They don't exist. Sorry.
Interesting, what if the president decides...
Well s/he legally can't. That power is left to the judicial branch of the US government. If the president did do something like that, then as a citizen I'd be looking for someone to be using that whole check and balance thing on the president. So not to say s/he couldn't, just couldn't do so legally.
I was just poking around and found your series of t-shirts designs. Not that I am a rabid atheist ;) (as a matter of fact, I was habitually putting Taoist on US Gov. forms), but this one (http://www.zazzle.com/party_time_tshirt-235764204376717545) struck me as being a bit too much familiar -- after all, I am currently very close to WA state, and this is where we *do* have establishments just like that! :)
Paul B.
Fascist scumbags. What else can one say?
It seems that the risks associated with travel now combine with other risks and it pays to invest in an inexpensive laptop or second disk for travel.
Companies and individuals should look clearly at establishing private clouds and a policy of clean laptops out and a cleaning process to clean laptops as they come back in.
It is too easy for a bad guy to request you to login then he "tests" the laptop by surfing to a site that triggers malware or a bogus or illegal download. HTML5, java and javascript can automate the whole process, just click yes. There is no reason or need to "root" the system if the intent is to download an illegal document or image to your account.
In this case five hours is very generous in terms of this type of hacking and dirty tricks. Since a PXE or other reload process takes 20 min it makes sense to take a very clean laptop out and then to make it very clean when you bring it home.
As a white hat hacker he might well have deployed intrusion detection tricks that might detect and audit the activities on the machine itself (but not from an image of the machine running in a lab). It would be interesting if he had.
It would have to be further out than that. The US extended their territorial waters to 200 miles (or some ungodly large number).