Whitehat Hacker Moxie Marlinspike's Laptop, Cellphones Seized

Orome1 writes "The well-known whitehat hacker and security researcher who goes by the handle Moxie Marlinspike has recently experienced firsthand the electronic device search that travelers are sometimes submitted to by border agents when entering the country. He was returning from the Dominican Republic by plane, and when he landed at JFK airport, he was greeted by two US Customs officials and taken to a detention room where they kept him for almost five hours, took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them."

4th

[drumcat]

I'm still not sure how this doesn't violate the Fourth Amendment. Customs has the right to view your belongings for *safety* reasons, and to ensure that the items you are carrying are not contraband. Does code constitute contraband now? Can you be arrested for having code on your machine? I'm not talking about copyrighted, installed programs.... if something is encrypted, isn't that the same as having a secret in your mind? You know they dumped his drive, but the main question is whether they're allowed to. Isn't that stealing from the passenger then?

Re:4th

[Barrinmw]

What you want to do is to have something you copyrighted on your laptop, so if they copy your hard drive you can sue them for copyright infringement.

Re:4th

[fyngyrz]

Do you really expect the founding fathers to have anticipated computing devices that can encrypt data? And to put that sort of thing in the constitution?

No, the authors of the constitution didn't anticipate everything. But they anticipated quite a bit, and that includes unanticipated technology and social issues. In order to give the government the ability to deal with change, the constitution contains article V, which is the portion that outlines the procedure for amendment. Excepting amendment, they expected the constitution to be followed. Not "interpreted."

Our government, however, has fiddled its way into a situation where it does whatever the heck it wants. Make no law? Let's make some law!!! No state religion? Let's print Christian stuff on the money, carve it into buildings, sing it in the anthem, and best of all, use it in the courts for swearing... that'll teach 'em. Shall not infringe? Yay, let's infringe! Regulate among the states? Let's regulate IN the states! No ex post facto laws? Oh *heck* no, we GOTTA make those! Enumerated powers? Nah, let's just do anything we want, the heck with that! Warrants to search? Um... only in the interior of the country. And even then, maybe not. Probable cause? That's the same as "We like to grope", isn't it? Sure! No double jeopardy? Oh, that's easy, we'll just toss them back and forth between the criminal and civil court systems, they'll never figure that one out! Trial by jury? Same as "Lock in closet indefinitely, no lawyer, no phone call, innit?" Cruel and unusual punishment... yeah, what was that awesome torture we hung the Axis defendants for using at the war crimes trials? Oh yeah, water-boarding... let's do THAT! (and let's not forget we have rendition to play with, either.) Excessive bail shall not be imposed... heck with that, we'll ask whatever we want! Powers reserved to the states? Bwahahahaha. Oh, and the article III kicker... judicial power in constitutional cases: nah... let's just Make Stuff Up and skip that whole article V inconvenience.*

(*) It should be noted that the USG has steadfastly avoided violating the 3rd amendment, and should certainly be commended for its restraint in this matter.

Here in the US (and England) we rely more on common law - yes, judges.

Here in the US, we have government that has usurped powers far outside the explicitly authorized bounds. And that most certainly includes the judiciary.

In the end, it turns out that what the authors of the constitution wrote matters very little in our current legal system, because that document is treated by the government as barely relevant at this point in time, and even at that, only when it is convenient. Otherwise they ignore it, make things up, or simply plow ahead regardless.

Re:4th

[fyngyrz]

The courts give them some leeway as a nod to the fact that would be ridiculous for people trying to come in.

The courts, in point of fact, allow warrentless searches anywhere within 100 miles of the border, regardless of if you are, were, or ever planned to traverse the border. 190 million US citizens live within this region. Also, it is worth noting that the "4th amendment border exclusion" principle appears nowhere in the constitution. It's invented, unauthorized law. If they wanted it, the legitimate path to it was through article V. Consequently, it represents (yet another) usurped power.

Re:4th

The encrypted material might have contained something hazardous like a Uwe Boll movie. The risk of one of those being released to the public far outweighs any privacy or Constitutional concerns. Memories of House of the Dead and Bloodrayne still make me wake up in a cold sweat. Just imagine one that was considered unreleasable. Terrorist can kill thousands but a Uwe Boll movie can injure millions, or at least the hundreds that actually see them.

Re:4th

[ScrewMaster]

Do you really expect the founding fathers to have anticipated computing devices that can encrypt data?

And furthermore, there's a reason that the Founders didn't try to enumerate specific communications technologies: they figured (apparently incorrectly, given your statements) that we would be able to logically extend our legal system to accommodate new technology, without requiring the citizenry to give up hard-won civil liberties as enshrined in the Constitution. It looks like some people are just unable to grasp that "personal papers and effects" might, I mean, just might, include a personal computer, and that that would indeed be in the spirit of the Constitution.

Do you really, in your heart of hearts, believe that the Founding Fathers, if they were alive today, would consider a hard drive full of a citizen's personal and confidential files to be in any way less deserving of the same legal protections afforded someone's wallet or their file cabinet? Do you really? Or are you one of these people who believes that the government should have the right to snoop into anyone's private business, for any reason, because they might have something to hide?

Spare me. This artificial dichotomy that is being presented to us by the government, that the "Internet" and "computing" are so intrinsically different from printed materials that the Constitution some how magically doesn't apply is disingenuous at best, treasonous at worst.

Re:4th

[evanism]

At least the RIAA and MPAA are not grabbing my penis, fondling my beasts or rubbing their hands all over children yet.

This airport theatre is OBSCENE, ethically and morally wrong on EVERY level.

Those who are able to justify it makes me think they are unhinged.

Re:4th

[raddan]

*ugh* giving up mod points here, because I am sick to death of hearing this "activist judge" crap.

Go ahead: please tell us how you would enforce the 4th Amendment without "interpreting" the meaning of "unreasonable".

Re:4th

[QuantumG]

There's a 4th amendment exception around airports and borders.. they can search you for *no reason*. If you don't think that is fair, you're not the only one.

Work in law enforcement, national security, or for a politician? Want someone you want searched but can't get the probable cause for a warrant? No worries, wait for them to fly, search 'em at the border and find something suspicious.. now you can search the rest of their property.

Re:4th

[TheLink]

Heh it'll be funny if more US citizens start finding it less hassle to sneak into their own country like illegal immigrants.

Re:4th

[NewtonsLaw]

I have to say that after my last trip (on business) to the USA, I would never consider it a suitable tourist destination for myself or my family.

From the moment I debarked the plane at LAX I very much felt that I (and everyone else) was being treated like a criminal.

How dare we (foreigners) enter the glorious US of A -- the most wonderful nation in all the world?

The gentleman who walked the very long queue of people waiting to clear immigration repeatedly threatened (not warned -- *threatened*) all those present with severe penalties if we didn't correctly fill out the forms he was handing out.

The official who inspected my passport didn't welcome me to the USA and invite me to enjoy my stay -- the treated me (and everyone else) with massive suspicion and contempt -- making it very clear that *they* had all the power and that I was a someone who ought to be eternally grateful for being allowed to enter the country.

Is that really the way to treat visitors?

And as for the latest usurping of citizens rights in respect to searches -- well I feel very sorry for the USA.

It is (although perhaps somewhat less-so these days) truly a great nation, built on principles of integrity and freedom. Unfortunately (as they say) "Power Corrupts" and it would appear that those in power have seized the opportunity to use terrorism as justification for unreasonably extending the degree of power they now exert over the people who elected them to *serve*.

Every day that the sacred provisions and protections of The Constitution are ignored by the US Government is another day on which the Islamic fundamentalists can claim another victory.

Instead of fighting on their feet, the citizens of the USA are now living on their knees -- having compromised the very principles (The Constitution) that made their nation so great.

Of course it *is* a democracy so perhaps those of you who are US citizens might want to think about exercising those democratic rights (before they too are taken from you in the name of "the war against terror" and installing a government who appreciates that the principles of The Constitution are still worth fighting for and that no bunch of Islamic fundamentalists should be allowed to usurp them by way of a campaign of terror.

Perhaps it's time for a referendum to allow the US people to decide whether the constitution should be abolished because right now, it appears that such an abolition is happening by stealth -- and by the time the people wake up to that fact, it may well be too late. The very rights this document bestows on citizens will be lost and thus even the power to protect those rights will have gone forever.

Just my 0010 cent's worth.

Re:4th

[protektor]

Umm I think you missed the news announcement. They are already testing this at bus stations and train stations. So there is no need to wait, it is already here.

Here is the TSA patting people down at a bus station.
http://www.youtube.com/watch?v=_hT8hfrak9I

Looks like the TSA are already at train terminals.
http://www.youtube.com/watch?v=ORdBoG8qv9w

So it would seem that they are only left with us traveling by car. Although I hear that they have vans with the scanners in them and are going to use them at the borders to scan cars without people getting out them. Here is the company that is selling them.
http://www.as-e.com/

So it only a matter of time before the TSA is everywhere scanning everyone at the rate they are going.

Link to longer article at CNET

Link to longer article at CNET

Finishing the story

[the_other_chewey]

took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them.

...didn't get them, gave him back his hardware and let him go.

Really, why try to sensationalize a story by omitting its outcome?

The fact that something as diriculous as "incoming data storage devices searches" even
exist should be enough of a story by itself, and that has been known for quite a while.

Great, now it's trash.

[VortexCortex]

I would never trust my hardware again once I had handed it over to some customs (or other government agent) goons, and it left my sight. I would rather just remove the hard drive and hand it alone over to them, at least then I wouldn't have to trash the whole thing.

There's really no way to be 100% sure you successfully "re-flashed" the BIOS, or cleaned all hardware as some posters have said they would do. Not to mention: There could be additional hardware installed, 5 hours is a long time...

You could tear your machine apart and inspect it all you want, but it's well known once the enemy has unfettered physical access to a device, all bets are off.

Re:The constitution is pretty vague.

[afidel]

I'm still not giving up my passwords on fifth amendment grounds even if I have nothing to hide. In fact I've told a TSA goon exactly that when they asked me to login to my laptop at a screening checkpoint. They could see it wasn't a bomb from the xray and by me powering it up, the only thing that logging in could have possibly done is get me into trouble for the contents of my machine.

Travel Tip

I travel to the US a lot for business. What I do is Fedex my "real" hdd to the hotel I'm planning on staying at, usually 1 day before travel to the US is enough for it to be there waiting for me when I arrive at check-in (obviously its an encrypted disk).

I travel with my laptop, with a small capacity hdd that has a clean install, some common oss apps installed, some bogus documents downloaded from scribed, some fake e-mail accounts with credentials saved in firefox and some typical surfing history. The aim is to make them feel like they've found the stuff they're looking for and that there isn't anything worth pursuing - rather than trying to be a smart-ass that makes them even more intent on performing those unwanted rectal examinations. I've had my laptop taken twice in the last 3 years, and on both occasions after providing access details, I was given the laptop back within 5-10mins, other people i know that tried to screw over the TSA/customs by not providing all the access details they wanted, ended up never seeing their machines again.

Though now with the new scanners at play in the airports, I'm trying to reduce my travel to the US to a minimum. If I have to travel, I charge a premium for the various inconveniences endured, most clients are sympathetic and pay without much fuss.

What's so important to warrant harrassing millions

[mykos]

I can't think of a single thing that could be carried on any laptop that warrants the harrassment of millions a year.

Even if a 9/11 scale event happened every single year, it would take more than four years to match a single year of alcohol-related deaths in the U.S.

Re:First Post

[uolamer]

I brought a just an internal sata hard drive to Canada from the US, while in Canada I wiped it clean. On the way back into the US they stopped me for a few hours.. They seemed to not get the concept of bring just a hard drive, I think if it would have been an external drive they wouldn't have gave me so much grief. When I got home there were large files all over the drive.. I can only assume they did that to overwrite anything hidden on the drive, which there wasn't. I found it to be a long waste of time and the people to be a bit clueless.....

Re:First Post

[Dan541]

Data has nothing to do with customs. They are overstepping their jurisdiction just to bully people.

Re:First Post

[e4g4]

Regardless of how long it takes, there is no reason to search laptops at the border. Anyone truly interested in slyly transmitting data across the US border would never be foolish enough to accompany said data on the trip. It is _trivial_ to transmit data undetected into the US (nice to meet you, internet. how long have you been there?); what justification is there for searching laptops in the first place?

Re:First Post

[zmollusc]

Next time, take a broken hard drive with you. That will give them a challenge. :-)

Re:First Post

[JockTroll]

You know, you should have brought the HD to the authorities and explain that some terrorist mole at Customs had placed unknown files, probably containing steganographed information, on your drive for later "retrieval" by burglary and that you were rightfully afraid for your life because the terrorists obviously wouldn't be willing to leave any witnesses behind. That would have been a giant hoot.

Re:First Post

[Nursie]

Without people looking for vulnerabilities in SSL and publishing the results there would be other people looking for vulnerabilities in SSL and not publishing, just using them to steal.

Security crackers that publish their results are essential to making sure we are really secure, not that we just think we are.

Re:First Post

[corsec67]

So, Customs tried to erase all of your data on that drive? (If the drive was in a file system that they didn't recognize, like EXT3 or such, then writing files would destroy data)

Actually, why would customs mount the drive in a way that it could be modified at all? It seems like if they can modify it, anything they found would be tainted.

Re:First Post

This gives me the idea of building a slightly custom drive. It's not hard to do, really; remove the platters and there's plenty of space inside, then just put a cable to the outside controller board, concealed under it. The first idea that comes to mind is a drive that happily accepts all write and erase commands, yet presents a read-only filesystem.. say, with a troll image.. or better yet a *different* filesystem each time it's powered. Have fun imaging that. If you want writable storage, it could do a straight log of what the intrusive party did to the drive. The technology is near identical to current hybrid hard drives.

Re:First Post

[GameboyRMH]

As for the second, please explain how in the fuck you get labeled a "white hat" for showing up at black hat conferences and showing everyone how to MITM SSL?

Black hats don't hold conferences (in meatspace). There's just a conference called Black Hat which, by the nature of information from the conference being made public, is actually a white hat conference. It actually started out as something closer to a true black hat conference but of course that didn't last long.

Black hats have their conferences in various chat rooms and forums. When they meet, you don't know about it.