Whitehat Hacker Moxie Marlinspike's Laptop, Cellphones Seized

Orome1 writes "The well-known whitehat hacker and security researcher who goes by the handle Moxie Marlinspike has recently experienced firsthand the electronic device search that travelers are sometimes submitted to by border agents when entering the country. He was returning from the Dominican Republic by plane, and when he landed at JFK airport, he was greeted by two US Customs officials and taken to a detention room where they kept him for almost five hours, took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them."

Re:First Post

[Ethanol-fueled]

They are all under the umbrella of the Department of Homeland Security whose core mission is to annoy, harass, and humiliate law-abiding citizens while letting the crooks slip through the cracks.

In short, federal policing powers given to the creme de la crap.

4th

[drumcat]

I'm still not sure how this doesn't violate the Fourth Amendment. Customs has the right to view your belongings for *safety* reasons, and to ensure that the items you are carrying are not contraband. Does code constitute contraband now? Can you be arrested for having code on your machine? I'm not talking about copyrighted, installed programs.... if something is encrypted, isn't that the same as having a secret in your mind? You know they dumped his drive, but the main question is whether they're allowed to. Isn't that stealing from the passenger then?

Re:4th

[Barrinmw]

What you want to do is to have something you copyrighted on your laptop, so if they copy your hard drive you can sue them for copyright infringement.

Re:4th

[cheekyjohnson]

"I'm still not sure how this doesn't violate the Fourth Amendment."

You think the government or its workers still abide by that silly old piece of paper known as the constitution when they can get away with not abiding by it? That's funny.

"isn't that the same as having a secret in your mind?"

An unreadable but visible secret.

"Isn't that stealing from the passenger then?"

It would only be stealing if he was deprived of something.

Re:4th

[LearnToSpell]

Like email?

Re:4th

[cheekyjohnson]

" essentially without limit, have been deemed reasonable."

Deemed reasonable by the constitution or just some judges who like to 'interpret' the constitution as they please?

Re:4th

[theMAGE]

Why would those giant platforms not become US territory and be subject to the same laws as the mainland?

Re:4th

[ScrewMaster]

Do you really expect the founding fathers to have anticipated computing devices that can encrypt data?

And furthermore, there's a reason that the Founders didn't try to enumerate specific communications technologies: they figured (apparently incorrectly, given your statements) that we would be able to logically extend our legal system to accommodate new technology, without requiring the citizenry to give up hard-won civil liberties as enshrined in the Constitution. It looks like some people are just unable to grasp that "personal papers and effects" might, I mean, just might, include a personal computer, and that that would indeed be in the spirit of the Constitution.

Do you really, in your heart of hearts, believe that the Founding Fathers, if they were alive today, would consider a hard drive full of a citizen's personal and confidential files to be in any way less deserving of the same legal protections afforded someone's wallet or their file cabinet? Do you really? Or are you one of these people who believes that the government should have the right to snoop into anyone's private business, for any reason, because they might have something to hide?

Spare me. This artificial dichotomy that is being presented to us by the government, that the "Internet" and "computing" are so intrinsically different from printed materials that the Constitution some how magically doesn't apply is disingenuous at best, treasonous at worst.

Re:4th

[evanism]

At least the RIAA and MPAA are not grabbing my penis, fondling my beasts or rubbing their hands all over children yet.

This airport theatre is OBSCENE, ethically and morally wrong on EVERY level.

Those who are able to justify it makes me think they are unhinged.

Re:4th

[raddan]

*ugh* giving up mod points here, because I am sick to death of hearing this "activist judge" crap.

Go ahead: please tell us how you would enforce the 4th Amendment without "interpreting" the meaning of "unreasonable".

Re:4th

[QuantumG]

There's a 4th amendment exception around airports and borders.. they can search you for *no reason*. If you don't think that is fair, you're not the only one.

Work in law enforcement, national security, or for a politician? Want someone you want searched but can't get the probable cause for a warrant? No worries, wait for them to fly, search 'em at the border and find something suspicious.. now you can search the rest of their property.

Re:4th

[cheekyjohnson]

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

I'm sorry, but I see no text there that says "this applies to all effects except those that the government decides it doesn't apply to."

Interpreting something doesn't involve changing its original meaning completely (especially if it was clear in the first place). It involves deciding to the best of your ability what it was originally supposed to mean as closely as possible. It's not like the fourth amendment was indecipherable. It clearly explained what it was supposed to mean, and a laptop can obviously be categorized under "effects."

Re:4th

Suing the government for violating an artificial right granted to you by the very same government? Lol.

Re:4th

[sco08y]

Oh, please. The constitution is a set of principles, which laws are then written to implement. I'm no fan of the federal government (I think they have whole agencies that are not allowed under the federal constitution), but your expectation that every last detail - indeed, in anticipation of every last future development - be in the constituion is absurd. Do you really expect the founding fathers to have anticipated computing devices that can encrypt data? And to put that sort of thing in the constitution? Get real.

Encryption has been around since the early days of war and the founders certainly knew about it and (IMHO) explicitly guaranteed it as a right protected by the 2nd amendment. Think about it: for most of human history, encryption was *only* used as a strategic / tactical device. It's always been a means by which you organized the deployment of soldiers. If 2A is intended to enabled a "well regulated militia", it must cover encryption.

Re:4th

[TheLink]

Heh it'll be funny if more US citizens start finding it less hassle to sneak into their own country like illegal immigrants.

Re:4th

[evanism]

Perhaps you wern't prepared to grab another mans dude, and being in the forces, I can understand this, but I just want to fly to another city.

Probability of another "shoe" bomber or "underpsants" guy? Zero. 50 million enfordlements? priceless.

Friend, how long do you think it will be before they are doing this for buses and trains? Tracking your car and its movements?

The USA *was* a great country. You have but lost your way and maybe this sharp slap will remind its PEOPLE as to WHY the constitution was written.

Re:4th

[NeutronCowboy]

Here's a fun fact: the border extends to about 100 miles inland of the actual border to a country or the ocean. This means the Customs can search over 50% of the US population with near impunity.

Re:4th

[hey!]

Do you really, in your heart of hearts, believe that the Founding Fathers, if they were alive today, would consider a hard drive full of a citizen's personal and confidential files to be in any way less deserving of the same legal protections afforded someone's wallet or their file cabinet?

Although I agree with your conclusion, I am troubled by this style of reasoning because (a) anybody can imagine the founding fathers have any kind of reaction they'd want the founders to have to conditions unimaginable in the founder's lifetime; (b) it assumes the founders were of one mind on what "liberty" means, which they manifestly were not; and (c) it deifies the founders, as if they had some kind of privileged access to the truth which we don't have.

The founders did an amazingly good job, but they screwed up in many instances, sometimes in ways that they had enough information to know better but were not morally up to facing (slavery), in other cases in ways they could not have avoided. Take the Bill of Rights; it's very parochial with respect to historical era, talking about people being secure in their papers and effects. *We* know that what is important is the *information* in those papers, and if you don't think that didn't cause confusion, look at the history of the SCOTUS stance on unreasonable searches and seizures. On the other hand, the ninth and tenth amendments are something rare, a political admission of fallibility and limited foresight. It is on that basis that the Bill of Rights has been interpreted to cover things like contraception which surely was not part of the consideration when the founders drafted and the states ratified the Bill. Who knows what answer we would get if we went back in time and put the question of contraception to the founders? Even if we could, why should we assume that they would automatically come up with a better answer than us?

I think Lincoln had it right when in the Gettysburg Address he described the United States as a kind of experiment in what liberty means and its practical application to human life. The founders managed to get hold of a kernel of truth... or perhaps find the trail head of a long path into the future. They did not even attempt to make a clear, unambiguous statement of that truth in legal or philosophical terms that would answer all questions of government for all time. They never even attempted to actually specifically describe many of the rights they were attempting to secure but only (in a parochial but typically American way) restrain certain known threats to those rights.

Still, they did a pretty good job. They simply didn't *finish it*.

Re:4th

[slick7]

grabbing my penis, fondling my beasts

Wow! You must be an interesting shape! :-)

One Word: Shemale.

Re:First Post

[Barrinmw]

Generally, I agree with the mission of customs, inspect stuff coming into the country. But it does not take 5 hours to do so for some guys laptops and a person should not be required to hand over passwords to their own computers.

And he didn't realize this would happen to him?

[mikein08]

If the govt. is interested in you, it's going to be interested in your computers and cell phones. Makes sense, right? So if you don't want the govt. diddling your electronics, don't carry them on airplanes or across an international border. Isn't that pretty simple? The alternative is to have multiple sets of cell phones and computers: one set with all the good stuff on it, one set with nothing important on it that goes with you on planes and across borders so the government agents will have something to amuse themselves with when they detain you.

Re:format time

[el_tedward]

I'd smash it with a hammer.

Great, now it's trash.

[VortexCortex]

I would never trust my hardware again once I had handed it over to some customs (or other government agent) goons, and it left my sight. I would rather just remove the hard drive and hand it alone over to them, at least then I wouldn't have to trash the whole thing.

There's really no way to be 100% sure you successfully "re-flashed" the BIOS, or cleaned all hardware as some posters have said they would do. Not to mention: There could be additional hardware installed, 5 hours is a long time...

You could tear your machine apart and inspect it all you want, but it's well known once the enemy has unfettered physical access to a device, all bets are off.

Re:Great, now it's trash.

[the_humeister]

Paranoid much? Shit, you could say that about new hardware as well. How do you know the manufacturers didn't put some virus/trojan, inadvertently or maliciously, on the devices you bought (especially now that most of those devices are made in China)?

Re:Great, now it's trash.

[metrometro]

Logging things done by a random buyer isn't the same as logging things by the guy we'd really like to know more about.

Re:Great, now it's trash.

[Dan541]

With the price of hardware these days it's hardly worth even getting it back. Once it's compromised; it's compromised.

I agree, once it's been in the hands of an adversary you just can't trust it any more. I would purchase a new laptop over the counter reload the encryption and restore from secure backup.

I had to do this recently after having a system stolen. Fortunately everything was switched off and demounted at the time but it has made me think about the possibility of running remote wipe software so that if something is lost while a session is in progress I have one extra counter measure available. Would also be good in the unlikely event that encryption was somehow broken, have the system phone home to a command file as soon as it connects to the internet. Obviously not fool proof but each additional security layer is a plus.

Re:Great, now it's trash.

[Anne_Nonymous]

>> embarrassment of missing meetings due to being detained and missing flights

As disgusting as this whole episode is, the detention probably works for him, rather than against him. I didn't know this guy's name until a few days ago. Additionally, how many people do you know who are such security studballs that the whole US Government is out to intercept them at every turn?

Re:Quick question

[PatPending]

It's about questioning authority. It's about unreasonableness. It's about personal liberty & heavy-handed government. It's about "give an inch and they'll take a yard." (There's more but I hope that's sufficient.)

You can't wipe BIOS

It's in the on-board flash ROM, so you can't easily wipe or check its integrity. Not only BIOS can be reprogrammed, but hardwares like GPUs, peripheral controllers have its own ROM with complete RTOS in some cases. I have a RAID controller I've got from a junkyard. I noticed it has intel logo on the big chip, googled it and turned out it was a ARM-based single board computer which seemed to be capable of running full GNU/Linux.

What's so important to warrant harrassing millions

[mykos]

I can't think of a single thing that could be carried on any laptop that warrants the harrassment of millions a year.

Even if a 9/11 scale event happened every single year, it would take more than four years to match a single year of alcohol-related deaths in the U.S.

Re:First Post

[Dan541]

Data has nothing to do with customs. They are overstepping their jurisdiction just to bully people.

Re:First Post

[e4g4]

Regardless of how long it takes, there is no reason to search laptops at the border. Anyone truly interested in slyly transmitting data across the US border would never be foolish enough to accompany said data on the trip. It is _trivial_ to transmit data undetected into the US (nice to meet you, internet. how long have you been there?); what justification is there for searching laptops in the first place?

Re:First Post

[Dan541]

Other than their recently uncovered fetish for porn the intention of customs is good.

The idea of customs looking for data in the 21st century is laughable, have they not heard of the internet? That's where I import my data from.

If you are that paranoid

[Sycraft-fu]

Then get rid of your computer. Seriously, because something like that you aren't talking half-assed law enforcement agency (which is what CBP is) you are talking national intelligence agency that really, really, wants your shit. Well you think that the only time they could pull something like that is at an obvious stop? Not hardly. They could do it before you ever get your hardware. So you order a new motherboard, they intercept the motherboard in transit, replace it with one they've modified, and on it goes to you.

At some point, you have to realize that it is just not worth it, you aren't as valuable as you think you are, and simply trust that your computer is probably fine. If you jump at shadows as badly as your post suggests, then you can never trust any computer ever that you didn't personally build every part on yourself.

Re:First Post

[Nursie]

Without people looking for vulnerabilities in SSL and publishing the results there would be other people looking for vulnerabilities in SSL and not publishing, just using them to steal.

Security crackers that publish their results are essential to making sure we are really secure, not that we just think we are.

Re:First Post

[corsec67]

So, Customs tried to erase all of your data on that drive? (If the drive was in a file system that they didn't recognize, like EXT3 or such, then writing files would destroy data)

Actually, why would customs mount the drive in a way that it could be modified at all? It seems like if they can modify it, anything they found would be tainted.

Re:First Post

[camperdave]

Furthermore, he was being searched by customs after returning from a know drug smuggling point.

Yes, because certain criminals use the Dominican Republic to trade drugs, it's completely reasonable to assume that this person was involved in such activities. After all, nobody would go there to experience the culture, the cuisine, or the wide, sandy, sun-drenched beaches.

However, let's not forget that this guy is an American. There's more drug trading and murder going on in the US than in the Dominican. Obviously that makes him a gun-toting, murdering, drug lord, like all other Americans. I've seen Breaking Bad. The world would no doubt be a safer place if we didn't let Americans get out of the US.

Re:First Post

[SvnLyrBrto]

> legitimate and competent

Really? So harassing someone and stealing their kit in the airport is "legitimate and competent"?

If someone *really* wanted to smuggle "illegal" data of some kind into the country, they wouldn't be daft enough to travel with it on their laptop. They'd encrypt it and email it to themselves; or upload it to a cloud storage service, or have a file server of their own to FTP it into; or dump it into some random usenet group; or any of probably a dozen other ways to move data without physically carrying anything incriminating with them. The fact that this is lost on these thugs kind of blows "competent" out of the water.

That just leaves "legitimate". And I guess that depend on whether or not you believe in the fourth amendment to the constitution or not.

Re:The constitution is pretty vague.

[R2D5]

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. — Benjamin Franklin

Re:First Post

[Suzuran]

Oh, this is easy! We'll just beat you with this rubber hose until you give up the key.
The beatings shall continue until the key is revealed!

Re:Ends justifying means?

...didn't get them, gave him back his hardware and let him go.
Really, why try to sensationalize a story by omitting its outcome?

Whatever happened to him in the mean time is OK so long as it reaches a satisfactory conclusion?

That's not how I understand the parent poster -- s/he doesn't say it's okay, s/he objects to the sensationalism.
Was the hacker targeted because he was a hacker? If not, why add that?
It's like writing "Melissa's (5) dog hunted down and shot by tax-funded agents after accidental escape!!!!eleven!! Girl in tears!!" instead of "Animal control forced to shoot escaped, rabid dog".

The PP didn't say it is okay that this rule in place.
I will state that the way the story is presented leads readers to think that this hacker was a specific target, and by omitting the outcome the text fosters some righteous indignation which remains due to the lack of a conclusion.
In other words (again mine): presenting it this way is "FOXing" the story up. And /. need not steep to such lows.

Second Amendment?

Isn't this why you Americans are allowed to have guns? Shouldn't you be overthrowing your government and stopping all this stuff that has been in the news recently?

Re:First Post

Regardless of how long it takes, there is no reason to search laptops at the border. Anyone truly interested in slyly transmitting data across the US border would never be foolish enough to accompany said data on the trip.

You would be surprised. Most criminals aren't that bright. Fingerprints have been commonly used for more than a century, and yet many criminals aren't smart enough to wear gloves.

Re:First Post

[camperdave]

"After all, nobody would go there to experience the culture, the cuisine, or the wide, sandy, sun-drenched beaches."

Doing all that doesn't exclude playing drug mule.

You don't need a password to extract drugs from a hard drive.

3rd

[Ungrounded+Lightning]

It should be noted that the USG has steadfastly avoided violating the 3rd amendment, and should certainly be commended for its restraint in this matter.

Except when it comes to installing spyware on people's computers - the cybernetic equivalent.

The point of "quartering troops" in people's homes was not just the seizure of the homeowners' resources to support the occupying army. It was also that the troops - living with the family, eating at their table, etc. - doubled as government spies scrutinizing all aspects of their behavior and most of their belongings. They destroyed the privacy of the home.

Spyware is the same story: Active agents of the governmental power, resident in the victims' space, supported by their resources, privy to their dealings and information, and reporting it back to the powers-that-be.

Re:Customs inspections

[sumdumass]

But it's not and until you convince the government to change the laws, those drugs and other things are checked for by customs.

Re:First Post

[Opportunist]

I do not store my documents on my laptop. I store them on my server at home. Log into it? From remote? Can't do that, I'm sorry. I don't need my documents on this trip, to why should I have to access them?

Your turn.