Whitehat Hacker Moxie Marlinspike's Laptop, Cellphones Seized
Orome1 writes "The well-known whitehat hacker and security researcher who goes by the handle Moxie Marlinspike has recently experienced firsthand the electronic device search that travelers are sometimes submitted to by border agents when entering the country. He was returning from the Dominican Republic by plane, and when he landed at JFK airport, he was greeted by two US Customs officials and taken to a detention room where they kept him for almost five hours, took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them."
They are all under the umbrella of the Department of Homeland Security whose core mission is to annoy, harass, and humiliate law-abiding citizens while letting the crooks slip through the cracks.
In short, federal policing powers given to the creme de la crap.
I'm still not sure how this doesn't violate the Fourth Amendment. Customs has the right to view your belongings for *safety* reasons, and to ensure that the items you are carrying are not contraband. Does code constitute contraband now? Can you be arrested for having code on your machine? I'm not talking about copyrighted, installed programs.... if something is encrypted, isn't that the same as having a secret in your mind? You know they dumped his drive, but the main question is whether they're allowed to. Isn't that stealing from the passenger then?
Link to longer article at CNET
Generally, I agree with the mission of customs, inspect stuff coming into the country. But it does not take 5 hours to do so for some guy's laptops and a person should not be required to hand over passwords to their own computers.
Logic dictates that you'd send an agent at least as smart as the suspect to do the HD search. Granted, this is the government...
took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them.
Really, why try to sensationalize a story by omitting its outcome?
The fact that something as ridiculous as "incoming data storage devices searches" even exists should be enough of a story by itself, and that has been known for quite a while.
The constitution only protects against "unreasonable" search and seizures, with unreasonable being up to the interpretation of the courts. Border searches have long had a broader definition of reasonable (since the very first session of congress), and are not limited to safety and contraband. FindLaw has additional commentary on the issue.
Once again, Customs is a legitimate and competent part of the government. The TSA is neither. Yes, they both fall under DHS. However, the Army Corps of Engineers and the NSA both fall under the DOD but are very different. Further, the TSA and Customs are regulated by different parts of the CFR. 19 CFR for Customs and 49 CFR for TSA. As in, you're wrong.
"Customs is a legitimate and competent part of the government."
A part of the government that is both legitimate and competent? I never knew such a thing existed!
Filthy, filthy copyrapists!
I would never trust my hardware again once I had handed it over to some customs (or other government agent) goons, and it left my sight. I would rather just remove the hard drive and hand it alone over to them, at least then I wouldn't have to trash the whole thing.
There's really no way to be 100% sure you successfully "re-flashed" the BIOS, or cleaned all hardware as some posters have said they would do. Not to mention: There could be additional hardware installed, 5 hours is a long time...
You could tear your machine apart and inspect it all you want, but it's well known once the enemy has unfettered physical access to a device, all bets are off.
It's about questioning authority. It's about unreasonableness. It's about personal liberty & heavy-handed government. It's about "give an inch and they'll take a yard." (There's more but I hope that's sufficient.)
What one fool can do, another can. (Ancient Simian Proverb)
That's not fair. From his Wikipedia page he seems to be obsessed with finding ways to man in the middle SSL connections so he can present them at Black Hat conferences and allow people to commercialise them for as long as possible before they are fixed.
Where would we be as a society if it were possible for people to make secure SSL connections to their banks for example? That would be a nightmarish world where it would be impossible to redistribute income from the first world bourgeoisie to more worthy informal entrepreneurs in impoverished countries like China, Eastern Europe or Nigeria.
I think he's doing socially very useful work. I'd recommend a prize for him, except he's probably not short of cash.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
He could put the contents of the hard drive on a webserver, wipe the hard drive clean, then download the data once in the country.
I travel to the US a lot for business. What I do is Fedex my "real" hdd to the hotel I'm planning on staying at, usually 1 day before travel to the US is enough for it to be there waiting for me when I arrive at check-in (obviously it's an encrypted disk).
I travel with my laptop, with a small capacity hdd that has a clean install, some common oss apps installed, some bogus documents downloaded from Scribd, some fake e-mail accounts with credentials saved in firefox and some typical surfing history. The aim is to make them feel like they've found the stuff they're looking for and that there isn't anything worth pursuing - rather than trying to be a smart-ass that makes them even more intent on performing those unwanted rectal examinations. I've had my laptop taken twice in the last 3 years, and on both occasions after providing access details, I was given the laptop back within 5-10 mins, other people I know that tried to screw over the TSA/customs by not providing all the access details they wanted, ended up never seeing their machines again.
Though now with the new scanners at play in the airports, I'm trying to reduce my travel to the US to a minimum. If I have to travel, I charge a premium for the various inconveniences endured, most clients are sympathetic and pay without much fuss.
I can't think of a single thing that could be carried on any laptop that warrants the harassment of millions a year.
Even if a 9/11 scale event happened every single year, it would take more than four years to match a single year of alcohol-related deaths in the U.S.
I brought just an internal SATA hard drive to Canada from the US, while in Canada I wiped it clean. On the way back into the US they stopped me for a few hours. They seemed to not get the concept of bringing just a hard drive, I think if it would have been an external drive they wouldn't have given me so much grief. When I got home there were large files all over the drive. I can only assume they did that to overwrite anything hidden on the drive, which there wasn't. I found it to be a long waste of time and the people to be a bit clueless...
s/©//g
Data has nothing to do with customs. They are overstepping their jurisdiction just to bully people.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Regardless of how long it takes, there is no reason to search laptops at the border. Anyone truly interested in slyly transmitting data across the US border would never be foolish enough to accompany said data on the trip. It is _trivial_ to transmit data undetected into the US (nice to meet you, internet. how long have you been there?); what justification is there for searching laptops in the first place?
The secret to creativity is knowing how to hide your sources. - Albert Einstein
Other than their recently uncovered fetish for porn the intention of customs is good.
The idea of customs looking for data in the 21st century is laughable, have they not heard of the internet? That's where I import my data from.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Next time, take a broken hard drive with you. That will give them a challenge. :-)
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
You know, you should have brought the HD to the authorities and explain that some terrorist mole at Customs had placed unknown files, probably containing steganographed information, on your drive for later "retrieval" by burglary and that you were rightfully afraid for your life because the terrorists obviously wouldn't be willing to leave any witnesses behind. That would have been a giant hoot.
Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
Without people looking for vulnerabilities in SSL and publishing the results there would be other people looking for vulnerabilities in SSL and not publishing, just using them to steal.
Security crackers that publish their results are essential to making sure we are really secure, not that we just think we are.
So, Customs tried to erase all of your data on that drive? (If the drive was in a file system that they didn't recognize, like EXT3 or such, then writing files would destroy data)
Actually, why would customs mount the drive in a way that it could be modified at all? It seems like if they can modify it, anything they found would be tainted.
If I have nothing to hide, don't search me
Furthermore, he was being searched by customs after returning from a known drug smuggling point.
Yes, because certain criminals use the Dominican Republic to trade drugs, it's completely reasonable to assume that this person was involved in such activities. After all, nobody would go there to experience the culture, the cuisine, or the wide, sandy, sun-drenched beaches.
However, let's not forget that this guy is an American. There's more drug trading and murder going on in the US than in the Dominican. Obviously that makes him a gun-toting, murdering, drug lord, like all other Americans. I've seen Breaking Bad. The world would no doubt be a safer place if we didn't let Americans get out of the US.
When our name is on the back of your car, we're behind you all the way!
So...
Whatever happened to him in the mean time is OK so long as it reaches a satisfactory conclusion?
Most^H^H^H^H Some Slashdotters are smart enough to understand that the ends never justify the means, that this person was picked on, detained for 5 hours and subjected to an invasive search was _not_ all well and good because he got his laptop back.
In the end, I'd put good money on this person being picked up because he was coming in from the Dom Rep rather than because he was Moxie Marlinspike. The TSA likes to pick on single males coming in from potential sex tourism destinations, perhaps because it's the low hanging fruit. Bust a few guys coming back from the Philippines with some home made porn (a pic of a naked Pinay is not hard to get) and make it look like you're doing a great job, after all who would defend these dirty sex pests (they are probably all pedos anyway). Incompetence rather than malice, but the end result is the same.
Calling someone a "hater" only means you can not rationally rebut their argument.
***They are all under the umbrella of the Department of Homeland Security whose core mission is to annoy, harass, and humiliate law-abiding citizens while letting the crooks slip through the cracks. ***
Very dubious. The DHS clownshow shows little sign of being competent enough to identify crooks well enough to let them through. Sleep well tonight, terrorists have exactly the same chance of being harassed by the DHS as anyone else.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
This gives me the idea of building a slightly custom drive. It's not hard to do, really; remove the platters and there's plenty of space inside, then just put a cable to the outside controller board, concealed under it. The first idea that comes to mind is a drive that happily accepts all write and erase commands, yet presents a read-only filesystem.. say, with a troll image.. or better yet a *different* filesystem each time it's powered. Have fun imaging that. If you want writable storage, it could do a straight log of what the intrusive party did to the drive. The technology is near identical to current hybrid hard drives.
Uh, I don't know about you, but I would prefer to keep possession of my OTHER computer equipment. If you haven't realized already the authorities in most countries can seize "everything" given a good enough excuse.
When they figure out the truth, they could pretend to take you way more seriously than you ever want. And you would have given them the paperwork to cover their asses for it.
Perhaps you can do what you propose, then the rest of us can discuss the resulting story on Slashdot.
Oh, this is easy! We'll just beat you with this rubber hose until you give up the key.
The beatings shall continue until the key is revealed!
As for the second, please explain how in the fuck you get labeled a "white hat" for showing up at black hat conferences and showing everyone how to MITM SSL?
Black hats don't hold conferences (in meatspace). There's just a conference called Black Hat which, by the nature of information from the conference being made public, is actually a white hat conference. It actually started out as something closer to a true black hat conference but of course that didn't last long.
Black hats have their conferences in various chat rooms and forums. When they meet, you don't know about it.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Say, you're not one of those people that visits inmates in prison and acts suspicious on the way in just for the free anal probing are you?
Actually, you might try rigging up a USB adapter for those old RLL disks and then just using an RLL drive and mailing the adapter to you at home. Let's see how long it takes them to figure out how to access that data. Or better yet, you'd be limited to a minute amount of data, but those old 8" floppy disks have to be hard to read these days.
So why are you complaining? ;)
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Again I think it is geeks puffing their own egos. Please remember that there's a vast, VAST gulf between law enforcement wanting to harass some guy, and a national intelligence agency being willing to spend a lot of money to try and snoop on them in an extremely covert manner. Remember that for the NSA to get involved, they have to be willing to break the law. Law says NSA is foreign only in their intelligence gathering. They can monitor communications to and from foreign locations, or systems that are on foreign soil but that's it. No monitoring in the US. I'm not saying they obey that in all cases, but that is the law meaning that if they got evidence its usefulness in a criminal trial would be nil.
So for them to even be willing to do that, there has to be a good reason. Then you are talking about some serious money spent to develop this custom monitoring BIOS that is both undetectable, unflashable, and ready to deploy on the specific device(s) this guy has. Then after all that, they totally ruin the secrecy by a big fluff up at the border.
Really? Sorry, but that pushes the bounds of credibility way too far for me.
Remember that in terms of covert surveillance the US law enforcement agencies can do that very well, they just need a warrant. They could then tap his communications, place cameras in his house, monitor with tempest, whatever they get a warrant for, and do it all covertly. Also any evidence obtained in that way is 100% legal, unlike evidence the NSA got.
So why the border thing? Because they've got shit. They aren't expending any massive resources because there's no evidence of anything. The NSA isn't going to spend millions to try and monitor some guy illegally for no reason. However no warrant or anything is needed at the border so they harass him. Doesn't cost anything (the agents are already there) and so on. Also didn't accomplish anything but there you go.
Sorry but I just can't support this massive ego complex so many geeks have of thinking they are so important that the government will go to extremely difficult, nefarious, lengths just to try and monitor them, all while doing it in an extremely incompetent fashion. No, they won't. You are not that important, nor that sneaky. If there's a real problem they'll get a warrant to monitor and/or search for the evidence needed.
It is _trivial_ to transmit data undetected into the US (nice to meet you, internet. how long have you been there?); what justification is there for searching laptops in the first place?
But you have to transmit the data to something. One of the things they look for when searching a laptop are clues as to which server systems you've been logging into. If they see by your browser history, for example, that you regularly visit hotmail.com, you'll probably be asked to log into your e-mail account so they can look for things there. If they don't find too many documents on your computer, they'll ask where you store them and have you log in there, as well. So, while the laptop might not contain the illegal data, it might contain clues as to where the Customs officers may find them.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?