Slashdot Mirror


Ask Slashdot: Securing a Journalist's Laptop Against a Police Search?

Bruce66423 writes: In the light of the British police's seizure of a BBC laptop, what is the right configuration and practices to ensure that such a seizure provides zero information to the cops? This post from Thursday might be a good place for some ideas, but that one's expressly about securing a Chromebook; what would you advise for securing a more conventional laptop? (Or desktop, for that matter.)

324 comments

  1. Securing your laptop? Only one way by fustakrakich · · Score: 1

    Shred it...

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      Encrypt the drive and use an RSA keyring fob

    2. Re:Securing your laptop? Only one way by Z00L00K · · Score: 2

      Seems to be overkill.

      It's probably better to have only sensitive stuff encrypted and hidden, that way it will be harder to determine if it contains interesting stuff. You may feed cops with some information, but only information that they essentially can figure out anyway.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Securing your laptop? Only one way by davester666 · · Score: 1

      Remember, this WON'T be "cops", ie, some drone poking around seeing what they can find. If it's at all interesting [as in, you are a journalist that is doing something that the government is interested in], your computer HD will be cloned and sent off to the NSA to be decrypted.

      You better have it encrypted using a very high-quality algorithm, with a very good password that they cannot confiscate from you [like on a usb stick or keyfob].

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:Securing your laptop? Only one way by ArmoredDragon · · Score: 3, Insightful

      I personally use Windows EFS on my entire c:\user\myname folder, and that whole folder is backed up to a zero knowledge storage provider. I do this for my desktop and laptop.

      Unless you save documents outside of that folder (which by default, 99% of all applications store it somewhere in that folder) then it's not likely to be retrievable.

      AFAIK, Windows EFS uses AES-256 as a block cipher, with RSA-2048 or ECC-256 for key escrow (you can do up to RSA-16,384, or ECC-512.) AFAIK not even the NSA is able to crack either of those. The weakest link would be your password, with shorter passwords being easy to break (complexity, i.e. mix of case, special characters, numbers, isn't anywhere near as important as length) so use one that's 15 characters or longer.

    5. Re:Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      Doesn't matter; nothing can prevent them from destroying it.
      (Can't remember the specifics, but it has happened in the past.)
      Multi gig stuff is close to edible, I'd suggest being an info-mule
      and transport your data that way. Or ship it Fed-X if that's
      available.

    6. Re:Securing your laptop? Only one way by rtb61 · · Score: 1

      In management of secure information it is more appropriate to take a manageable series of secure steps to ensure security of some of your data, not necessarily all of your data, and to try to prevent the two mixing.

      So logically it makes sense to dual boot your device. A more active dual boot, so the normal boot is from built in storage with only as much security that you could be bothered with and the other boot is from portable media, preferably something very compact and secure, an encrypted memory card.

      This creates good security habits. You only have the memory card accessible when you are going to use it, you are creating a separate secure digital environment even secure from bad programs on your fixed storage, you are creating security conscious habits. The memory card itself is super easy to hide away and secure, from hidden built in enclosures in other devices to something as simple as a small adhesive bandage, and if you need to lose it in a hurry it is really easy to do. You would also most definitely boot to Linux and not to Windows or Apple or Android, a known safe and secure Linux Distribution with only the applications you need and nothing more. A conscious act to enter secure mode and a conscious act to leave secure mode and do other stuff.

      So securing the data now becomes how not to lose the memory card and how to back it up in case you lose your primary secure media.

      --
      Chaos - everything, everywhere, everywhen
    7. Re: Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      How about rubberhose filesystem?

    8. Re:Securing your laptop? Only one way by BlueStrat · · Score: 4, Insightful

      The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.

      Anything else is a band-aid and temporary at best.

      Strat.

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    9. Re:Securing your laptop? Only one way by clovis · · Score: 4, Insightful

      The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.

      Anything else is a band-aid and temporary at best.

      Strat.

      That is the final step in the process.
      Step one is getting people to realize there's a problem.
      And that's why journalists need to have their information protected, and that's why the goons want to get their hands on it.

    10. Re:Securing your laptop? Only one way by arth1 · · Score: 1

      Seems to be overkill.

      Not really. Would you really take back a computer that the government hackers have had in their possession and then decrypt the data on it?

    11. Re:Securing your laptop? Only one way by arth1 · · Score: 1

      That is the final step in the process.

      I can think of a few steps that are even more final than that...

      I'm not elucidating, due to the fifth amendment to the constitution.

    12. Re:Securing your laptop? Only one way by Anonymous Coward · · Score: 1

      Lol!

      AFAIK not even the NSA is able to crack either of those

      They don't need to, they'll just log into Microsoft and get your key.

      Closed-source encryption can never be trusted.

    13. Re:Securing your laptop? Only one way by Skewray · · Score: 1

      I also put the laptop in an evidence bag. If the bag has been opened, I can toss the laptop.

    14. Re:Securing your laptop? Only one way by Antique+Geekmeister · · Score: 1

      > The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.

      Since all governments will want, and are likely to insist upon, access at will to private documents, I wouldn't expect this plan to work. The Russians tried replacing a horrible monarchy with "the people's government" and wound up with Lenin and Stalin and abuses the equivalent of anything the czars committed.

    15. Re:Securing your laptop? Only one way by AHuxley · · Score: 1

      Yes the different types of software that a nation can use/buy/create will just look for any signs of encryption. Names or terms in OS logs, times, formatting attempts.
      Detection of hidden "random like" data structures or past use of an application is not hard to uncover.

      --
      Domestic spying is now "Benign Information Gathering"
    16. Re:Securing your laptop? Only one way by Z00L00K · · Score: 1

      Well - I can always install games on it and give it away to some kids.

      If NSA installed spyware on it then they will be busy with that for a while.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    17. Re:Securing your laptop? Only one way by AK+Marc · · Score: 2

      Buy a laptop with an SD card slot. Put all files other than OS and some games on the SD card. Hide the SD card inside your luggage handle when passing through security. Or FedEx it to your destination. Encrypt if excessively paranoid. The stock SD card slot won't generate excessive interest, they won't even know to look for or expect it. If you are overly concerned, use a micro-SD card in an adapter, leave the adapter in your slot, but hide the micro card anywhere, slipped behind the tag in your underwear would survive a strip search.

      If you don't have an SD card slot, take two mirrored HDs outbound, and send the used one back while installing the "spare" for the return trip.

      Hiding the data is better than encryption. Encryption is easy to break if you have the person with the key in a locked room and a $5 wrench (well, 5 quid spanner, for the UK).

    18. Re:Securing your laptop? Only one way by ArmoredDragon · · Score: 1

      Neither can any encryption tool that you haven't personally audited line by line.

    19. Re: Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      It's not like they don't have plenty of those to replace the opened one...

    20. Re: Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      And even if you have audited it line by line, no guarantee that you will detect flaws

    21. Re:Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      It's probably better to have only sensitive stuff encrypted and hidden, that way it will be harder to determine if it contains interesting stuff.

      Cop logic dictates that if only some things are encrypted, then those things are automatically interesting to them, more so than if the entire thing were to be encrypted.

    22. Re:Securing your laptop? Only one way by BlueStrat · · Score: 2

      The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.

      Since all governments will want, and are likely to insist upon, access at will to private documents, I wouldn't expect this plan to work. The Russians tried replacing a horrible monarchy with "the people's government" and wound up with Lenin and Stalin and abuses the equivalent of anything the czars committed.

      That's actually a key concept and also a key reason for keeping government as decentralized and local as possible. The more concentrated & centralized government power is, the quicker it falls to corruption and outright despotism and tyranny.

      That was also one of the reasons the US Constitution was written so as to allow the central government only a few limited powers and keep as much of the governing affecting individuals as local and accountable as possible.

      Sadly, the US has over the last ~100 years, moved away from decentralized and accountable governance to become a top-down, centralized-power, crony-capitalist fascist surveillance-state oligarchy.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    23. Re: Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      Actually the evidence seems to swing the other way. Once a civilization has anything worth stealing, larger governments tend to be much more stable and less corrupt. Tin pot dictators are horribly corrupt, but the Russian mob has to are the system work.

    24. Re:Securing your laptop? Only one way by AutodidactLabrat · · Score: 1

      May I remind you that the anti-progressives of the Bush admin built the entirety of the TSA and that the NSA is an EISENHOWER monster?
      Hmm?
      That 100% of the civilian intelligence business was created not to protect from foreign spies, but from American pot smokers?
      Is your grasp of history so blank that you ignore those truths?
      Remember, America was a totalitarian state from the time J. Edgar built his dossier on every potential lawmaker in the pipeline!

    25. Re:Securing your laptop? Only one way by AutodidactLabrat · · Score: 1

      How are "many local governments" less dictatorial than one accountable to all citizens?
      I remind you of the reality of America, instead of your myths
      America was "the greatest generation" when 72% of workers were unionized
      America was greatest when UNEARNED income was taxed at 91% with exceptions for socially approved uses such as charity and long term investing
      America was greatest when Corporations had no legal voice in electing or UNelecting anyone
      America was greatest when Corporate giveaways were uniform, nationwide, thus restraining whipsaw tactics
      America can be greatest again, but only by making the Corporation an ARM of the small citizens, with the professional, interlocking directors of boards of Corporations banned.

    26. Re:Securing your laptop? Only one way by chihowa · · Score: 1

      The weakest link is the part where you upload all of your data to a "zero knowledge" storage provider. "Zero knowledge" just means, "I promise not to look at your data (yet)."

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    27. Re:Securing your laptop? Only one way by BlueStrat · · Score: 1

      How are "many local governments" less dictatorial than one accountable to all citizens?

      Because the individuals in that government are your friends & neighbors and as such are much more accountable than some bureaucrat 2,000 miles away. If the laws, rules, and regulations where you're at are unsuitable, you can choose to move somewhere where they are a better fit.

      Alternately, you can also choose to change the local laws, rules, and regulations where you're at and have a far better chance at changing a local government than a behemoth centralized bureaucracy 2,000 miles away.

      I remind you of the reality of America, instead of your myths

      For which you only provide your own myths and opinions as evidence.

      The US has been on a steady and increasingly-rapid decline since Progressive policies and programs have increasingly been enacted and promulgated. The correlation between the instituting of Progressive policies and programs and the decline of the US tracks together closely. Take a look at Detroit as a shining example of what 40+ years of Progressive policies and programs can accomplish.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    28. Re: Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      If the po seizes your laptop at the airport, how are you going to destroy it? Better find some way to encrypt and/or arrange to have the data destroyed somehow after it is seized and out of control.

      (of course, they can remove the drive and read it on another system, or use a very reliable decryption method that involves a claw hammer/pliers and your extremities/fingernails, or be disappeared forever if you successfully have the data destroyed. You are most likely fucked in this situation no matter how you slice it)

    29. Re:Securing your laptop? Only one way by tehcyder · · Score: 1

      Encryption is easy to break if you have the person with the key in a locked room and a $5 wrench (well, 5 quid spanner, for the UK).

      In the UK, if you don't give them the encryption key you can go to jail for up to two years. No spanners needed.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    30. Re:Securing your laptop? Only one way by houghi · · Score: 1

      We have that information. Nobody cares.

      And most of the information is not handed over or even handled by journalists.

      Probably you are thinking about freedom of the press. That means that the press is free from intrusion. For me freedom goes both ways. A free press is not only one that is not influenced directly. It is also one that does not influence directly. So they should not be paying political parties (nor their sister companies) or they should be taken away all the rights that come with freedom of the press.

      So, no the reason is not to control the media. That is done on a much higher level. It is about some frustrated mall cop who finally got a real uniform and is pissed off because he was not allowed to have sex with his wife.

      The public knows. They are aware. They are not interested. Persons are smart. People are stupid.

      --
      Don't fight for your country, if your country does not fight for you.
    31. Re:Securing your laptop? Only one way by strikethree · · Score: 1

      I personally use Windows EFS on my entire c:\user\myname folder, and that whole folder is backed up to a zero knowledge storage provider.

      Yowsa. You trust Microsoft not to have a backdoor into the encryption scheme that they provided to you? Go ahead and tell me I am wearing a tin foil hat... Recent events have proven even creepier than the distrust that I am showing here.

      (CAPTCHA is outwit, lol)

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    32. Re:Securing your laptop? Only one way by AutodidactLabrat · · Score: 1

      Simply FALSE.
      Remember, it is those "friends and neighbors" who ban any religious practice on public land EXCEPT Christianity
      Those same "Friends and neighbors" refused for 120 years to prosecute even ONE Klan Night Rider
      Remember the State Troopers barring black young men and women from College?
      Sure you do
      The "Friends and neighbors" are simply more easily controlled by the wealthiest and most rabid
      No, you are simply wrong.
      Then again, all of Libertarianism is simply wrong.

    33. Re:Securing your laptop? Only one way by Anonymous Coward · · Score: 0

      May I remind you that the anti-progressives of the Bush admin...

      LOLwut?

      Bush is one of the biggest Progressives in the Republican Party along with his brother Jeb. Progressives are not limited to one major Party.

  2. Laptop by fyngyrz · · Score: 5, Insightful

    Don't store your information on the laptop in the first place. Just use it as an editing and remote-access tool over a secure connection or to a USB stick you don't expose to search procedures.

    That's about the best you can do, short of memorizing everything.

    Encrypt the laptop, and you could lose it. Just let them search it top to bottom, then when they're done and you're wherever you're going, wipe the hard drive, reinstall your OS, and carry on.

    It's really not a great idea to carry information you need to be secure around with you.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:Laptop by Applehu+Akbar · · Score: 1

      Does anyone make a little ruggedized case for an SD card that you can swallow?

    2. Re: Laptop by Anonymous Coward · · Score: 0

      It's called a micro-SD card. They are already hermetically sealed. Just paint some fingernail polish on the contacts to prevent corrosion and you are good to go. They also make micro thumb drives that aren't much bigger than the connector. Squirt some silicone up in there and you are good to go.

    3. Re:Laptop by Anonymous Coward · · Score: 0
    4. Re: Laptop by GrantRobertson · · Score: 1

      This!

      I'm not saying this is the way to go for all needs. Personally, I hate to use web apps for everything. But, for complete security when crossing borders, your info should just stay home.

    5. Re:Laptop by allo · · Score: 2

      Why? Break it in two parts and it's very expensive to restore data. Drop it into the toilet and flush. Nobody will find it.

    6. Re:Laptop by peragrin · · Score: 1

      Why swallow? Micro SD is small enough to hide in your shoe. Rip the inner sole slightly and carve out a tiny slot. The police might check your shoes quickly but they won't look close. The metal will block scanners.

      --
      i thought once I was found, but it was only a dream.
    7. Re:Laptop by Anonymous Coward · · Score: 2, Funny

      Why swallow? .

      That's what she said.

    8. Re:Laptop by BitterOak · · Score: 2

      Why swallow? Micro SD is small enough to hide in your shoe. Rip the inner sole slightly and carve out a tiny slot. The police might check your shoes quickly but they won't look close. The metal will block scanners.

      Even at airports, you're required to take off your shoes and have them X-rayed. I'm sure a targeted search by police would be at least as thorough.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    9. Re: Laptop by gweihir · · Score: 2

      And once they suspect that, they will just x-ray you, like they do for drugs. And then wait until it comes out and maybe slap a few extra charges on you.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Laptop by w3woody · · Score: 3, Interesting
    11. Re:Laptop by peragrin · · Score: 2

      Most shoes and sneakers have a strip metal along the sole for rigidity. Take an old pair apart sometime. I always seem to break the inner soles of my footwear. That is how I know.

      Unless they see something obvious you can hide a microsd card there without an issue. I have yet to see a police officer do more than a quick visual inspection/X-ray of shoes.

      --
      i thought once I was found, but it was only a dream.
    12. Re:Laptop by Z00L00K · · Score: 1

      Better to have a specially designed clothing or coat buttons to store the microSD in.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    13. Re:Laptop by tchdab1 · · Score: 0

      Basically, don't do anything they don't want you to do and stay away from anywhere you could be seized. And if you're not sure what that is, don't do anything.
      Millennial democracy?

    14. Re:Laptop by Anonymous Coward · · Score: 1

      wipe the hard drive, reinstall your OS, and carry on

      No. If an investigator has attached anything to the laptop or taken it where you can't see it, the laptop is no longer trustworthy. Wiping the hard drive is not enough! Laptops have multiple firmwares in flash memory. There is code which runs before the operating system and code which runs side by side with the operating system in system management mode or even on separate processors. Detecting manipulations is very difficult, and certainly impossible for a layman. Leaking typed passphrases is almost trivial once you have firmware access.

      A better choice of computer is a low cost computer with as little firmware as possible. A Raspberry Pi or some other computer with no onboard storage is a good choice. With a Raspberry Pi 2, a micro SD card is all that needs to be kept secret (and you can encrypt the data on it). In case of a search where the computer, keyboard, mouse or display are taken out of your sight, you can buy new ones cheaply and just keep using the same micro SD card.

    15. Re:Laptop by fyngyrz · · Score: 1

      No. It isn't. If you get caught intentionally trying to smuggle, it'll go poorly for you. Just don't carry it in the first place. There's no actual need to, so why do it?

      --
      I've fallen off your lawn, and I can't get up.
    16. Re:Laptop by Anonymous Coward · · Score: 0

      Those don't hide sd cards from an airport x-ray. I saw pics on a site that sold hollow coins about 6 months ago, but I can't find it now. It's pretty obvious too.

      You'd have better luck coating it in vinyl and hiding it under your tongue, which would foil most metal detectors and allows you to chew, swallow or spit it out if you don't accidentally inhale it.

    17. Re:Laptop by Jane+Q.+Public · · Score: 3, Insightful

      Micro SD AND Truecrypt.

    18. Re:Laptop by Anonymous Coward · · Score: 0

      Keyring USB stick.

    19. Re:Laptop by Anonymous Coward · · Score: 0

      That's about the best you can do, short of memorizing everything.

      This is actually the solution. Learn some mnemonic techniques. Don't memorize absolutely everything, but do memorize (and never write down) any key information that would compromise sources. This is the reason why spy agencies still use code-words for agents.

    20. Re:Laptop by NotQuiteReal · · Score: 1

      Well now that we know about the hollow coins, there will just be a "leave a pound, take a pound" exchange set up as you go thru security.

      --
      This issue is a bit more complicated than you think.
    21. Re:Laptop by JustAnotherOldGuy · · Score: 1

      This is actually the solution. Learn some mnemonic techniques.

      Some people use a passphrase from a commonly accessible book (i.e. the bible, War and Peace, Aesop's Fables, To Kill a Mockingbird, etc). Just find a section you want and use the next 5 or ten words without spaces as the passphrase.

      You don't even have to memorize it because this stuff is easy to locate online. Search to find the verse or section you want, locate the string of words, and there you go.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    22. Re:Laptop by Anonymous Coward · · Score: 1

      Seriously, how many of you are giving bad advice on purpose. Search online to find the section that contains your passphrase? Why don't you mail the passphrase to the NSA so they can remind you in case you forget it? Five to ten consecutive words from a classic book without spaces between them? Do you have any idea how small that keyspace is? You probably do, don't you.

    23. Re:Laptop by SwashbucklingCowboy · · Score: 1

      "Just use it as an editing and remote-access tool over a secure connection or to a USB stick you don't expose to search procedures."

      Forget the "secure" connection. There's a much larger attack surface there for people to exploit.

    24. Re:Laptop by Zero__Kelvin · · Score: 1

      "Five to ten consecutive words from a classic book without spaces between them? Do you have any idea how small that keyspace is? "

      You clearly don't. (It is exceedingly large in fact)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
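
The keyspace question argued in the comments above can be measured directly. The following is an added example, not part of any comment in the thread: it counts the passphrases obtainable as 5 to 10 consecutive words from a text and compares the resulting bits with independently chosen random words. The sample text, the library size (100,000 books of 500,000 words) and the 7,776-word list are assumptions made for the illustration.

```python
import math
import re

# Constructed sample text standing in for a public-domain book
# (written for this example, not a real quotation).
SAMPLE_TEXT = """
The old keeper climbed the stairs each evening and lit the lamp before the
tide came in. Ships far out on the water watched for the light and turned
away from the rocks. Nobody in the village remembered a night when the lamp
stayed dark.
"""


def words_of(text):
    """Split a text into words, dropping punctuation and whitespace."""
    return re.findall(r"[A-Za-z']+", text)


def candidate_passphrases(text, min_words=5, max_words=10):
    """Every passphrase formed by joining min..max consecutive words.

    This is the scheme from the thread: pick a starting point in the book
    and concatenate the next few words without spaces.
    """
    words = words_of(text)
    found = set()
    for n in range(min_words, max_words + 1):
        for start in range(len(words) - n + 1):
            found.add("".join(words[start:start + n]))
    return found


def window_upper_bound(total_words, min_words=5, max_words=10):
    """Upper bound on candidates: one per start position per allowed length."""
    return total_words * (max_words - min_words + 1)


def library_bits(books, words_per_book, min_words=5, max_words=10):
    """Bits of keyspace if the book itself is also unknown to the guesser.

    The passphrase is fully determined by (book, start position, length),
    so the keyspace grows linearly with the amount of text, not
    exponentially with the passphrase length.
    """
    return math.log2(window_upper_bound(books * words_per_book,
                                        min_words, max_words))


def random_words_bits(list_size, n_words):
    """Bits of keyspace for n words drawn independently from a word list."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    total = len(words_of(SAMPLE_TEXT))
    cands = candidate_passphrases(SAMPLE_TEXT)
    print(f"sample text: {total} words, {len(cands)} candidate passphrases "
          f"(bound {window_upper_bound(total)})")
    # Assumed figures: a library of 100,000 books, 500,000 words each.
    print(f"book passage, unknown book: {library_bits(100_000, 500_000):.1f} bits")
    # Assumed comparison: 5 words chosen at random from a 7,776-word list.
    print(f"5 random words:             {random_words_bits(7776, 5):.1f} bits")
```

The length of the resulting string does not matter here; what counts is how many starting points and lengths the chooser could have picked from.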
    25. Re: Laptop by Anonymous Coward · · Score: 0

      Or put rubberhose fs on it?

    26. Re:Laptop by Anonymous Coward · · Score: 0

      ... "leave a pound, take a pound" ...

      Spy coins also available in Australian, American, Euro denominations. So carry a real coin for the exchange, or move the card to a spy coin of an unwanted denomination. Since there's no reason to hide your coins, the spy coin should be stored somewhere unobtrusive but not secret. An additional layer will be a story of luck/sentimental value for the spy coin.

      But the real problem is hiding it in the first place. If the card exists somewhere it shouldn't, such as inside a coin, it's automatically viewed as criminal. If one knows one's media cards will be stolen, hiding it is a necessary risk. If one's media cards are unlikely to be stolen, then one need only hide the data (steganography, misnamed encrypted files) stored on the laptop/camera/etc. Plus, of course, there should be an off-site (off-person) backup.

    27. Re:Laptop by ahodgson · · Score: 1

      I doubt there's a law against carrying a low-value SD card in your shoe.

    28. Re: Laptop by Anonymous Coward · · Score: 1

      When you are detained, the toilets go into a special holding tank that is screened. Usually this is because of people trying to ditch drugs, not data.

    29. Re:Laptop by AbRASiON · · Score: 1

      "Encrypt the laptop, and you could lose it."

      Sorry but I suspect encrypted or not, it's extremely unlikely it wouldn't be taken anyhow. That's just how this stuff is. With a very very long process in getting it back to boot.

    30. Re:Laptop by arth1 · · Score: 2

      I have a couple of micro-SD cards hidden inside a USB thumbdrive. There's plenty of space for them, and an X-ray scan will just show layers of small chips, just like what's already in a USB thumbdrive.
      I seriously doubt that anyone would think to look there for extra data storage. Well, until I posted this, that is...

      Other possible places include inside the key caps on full size keyboards, inside RJ-45 and HDMI sockets, in the clamp of metal watchbands (with a wad of fluff on top to hide it from casual inspection), the sheet battery or docking station connectors of laptops, or inside a personal vibrator (the yuck factor will be too high for it to likely be disassembled).

    31. Re:Laptop by Anonymous Coward · · Score: 2, Insightful

      Absolutely this. If the data isn't there to seize, then they can't seize it. SSH to another box (or a proxy) and then X/RDP to a machine that has your stuff. Even if your laptop gets confiscated/stolen/broken you don't lose the data, and they can't retrieve anything from it unless you give them the path to get in. You don't smuggle cards or drives of stuff that can be decrypted with enough time and energy.

      When Mitnick was on the run for all those years, that was exactly the method he used. The only thing that screwed him at the end was he went to servers unencrypted, so he was vulnerable to a MITM at the end. Tunneling everything over SSH or a VPN with replay detection/protection would protect you for the most part.

    32. Re:Laptop by Anonymous Coward · · Score: 0

      That's actually a very good idea. The USB thumb drive could also store decoy data. Information you have permission to share but didn't; this would serve as fuel for anyone looking for anything when they see it's unpublished but don't know that you simply chose not to use it.

    33. Re:Laptop by Anonymous Coward · · Score: 0

      If the hardware left your control, even once, then you can never trust that machine again since there's no way to be certain that the hardware wasn't tampered with, to install a keylogger for instance, in such a way that even wiping the drive and re-installing the OS would be ineffective.

    34. Re:Laptop by Anonymous Coward · · Score: 0

      With a very very long process in getting it back to boot.

      After the government has installed whatever bugs or keyloggers they want? No thanks, it's not worth the effort at that point. Use cheap laptops, encrypt them and accept the fact that if one of them is ever seized, you're never going to use it again or likely even get it back.

    35. Re:Laptop by Anonymous Coward · · Score: 0

      that's good if they're not actually watching you. if they are, you might as well email the passphrase to them...

    36. Re:Laptop by TechyImmigrant · · Score: 1

      I doubt there's a law against carrying a low-value SD card in your shoe.

      In many countries, including the one I left, there are laws making it illegal to withhold the contents and keys when they find it.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    37. Re:Laptop by TechyImmigrant · · Score: 1

      With a very very long process in getting it back to boot.

      After the government has installed whatever bugs or keyloggers they want? No thanks, it's not worth the effort at that point. Use cheap laptops, encrypt them and accept the fact that if one of them is ever seized, you're never going to use it again or likely even get it back.

      The thing I don't get is why everyone assumes that every government is out to get the data on their laptop.

      I deal with crypto and governments and I travel a lot. I've never been asked to reveal the contents of my laptop or usb sticks. An Israeli once asked me to show it booted, so he had some reason to believe it wasn't a bomb.

      If you carry stuff around in your laptop that would compromise you in some way, by all means protect that information but I don't believe all the people posting the paranoia rants really do.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    38. Re: Laptop by AK+Marc · · Score: 1

      Micro SD, hidden inside the hollow luggage handle. Or, the thought I had was that you could slip in behind your underwear tag. They'd have to x-ray you, and all of your clothes while you were naked to find it. If you have more details on the search procedure and know that won't make it through, a band-aid with the SD card under it would make it past, so long as they don't take it off and x-ray it separately. But if they are going to that level, you'd only make it past if you slipped it into someone else's luggage. Make friends with the person next to you. Slip your SD into their carry-on, and meet them after for a drink, or give them a free ride, as you have your car parked at the airport, and they were planning on a $100 cab ride to their destination. Then ask them if they found your card in their luggage, it must have fallen in when you were playing with it on the plane.

      Or post it separately.

      If they start x-raying everyone for internal concealments, I'll be eating safely coated lead balls so they waste time waiting for me to poop lead balls. After all, who knows what could be inside.

    39. Re:Laptop by AK+Marc · · Score: 1

      There's a chance they'll x-ray shoes. What they won't do is x-ray all your clothes if they strip search you. So slip it behind the tag of your underwear. I pick that over the shirt because people are less likely to spend a long time staring at your underwear.

      You could even slip one inside a band-aid (between the adhesive back and the sterile pad), which wouldn't get a lot of scrutiny, at most, pulled off to take a quick glance under. Or sewn inside your luggage or something in your luggage. Maybe hidden in plain sight, inside the camera in your luggage.

    40. Re: Laptop by neurosine · · Score: 2

      I was going to make this same suggestion.

    41. Re: Laptop by Anonymous Coward · · Score: 0

      Could it be that you are not a journalist exposing crimes committed by the government or a friend of a journalist carrying information for him?
      There is likely a distinction in how you are treated by officials if you write or are a friend of someone that writes about either US or Russian governmental malpractices / crimes.

    42. Re:Laptop by Anonymous Coward · · Score: 0

      Or even better a one time encrypted drive. Someone else at another date could carry the pad.

    43. Re:Laptop by nospam007 · · Score: 1

      "The thing I don't get is why everyone assumes that every government is out to get the data on their laptop.
      I deal with crypto and governments and I travel a lot. I've never been asked to reveal the contents of my laptop or usb sticks."

      Give us your real name and we'll change that.

      "An Israeli once asked me to show it booted, so he had some reason to believe it wasn't a bomb"

      That's why you should always put your bombs in the second harddisk bay, that way you can boot it on demand.

    44. Re:Laptop by fyngyrz · · Score: 1

      I absolutely guarantee you, if they ask you if you're carrying something, you say you aren't, and they find out you are, you are going to have your plans severely disrupted. Unless "detention" is your idea of a proper result of crossing a national border.

      --
      I've fallen off your lawn, and I can't get up.
    45. Re:Laptop by fyngyrz · · Score: 1

      That's not really the issue for a border crossing. You're not exposing that attack surface at the border. There is no attack surface at the border, because there is no data being manipulated.

      In the general case, don't write it down and don't store on a computer, and don't tell anyone anything about it.

      Then you have some security. Until they start smashing your toes with a hammer, of course.

      --
      I've fallen off your lawn, and I can't get up.
    46. Re:Laptop by monkeyzoo · · Score: 1

      You mean VeraCrypt. The TrueCrypt driver now has known critical vulnerabilities.

    47. Re:Laptop by monkeyzoo · · Score: 1

      The OP is asking about journalists. So, your advice amounts to don't be a journalist. Not very helpful.

    48. Re:Laptop by monkeyzoo · · Score: 1

      Not a secure idea...
      https://theintercept.com/2015/...

      Your secret password trick probably isn’t very clever

      People often pick some phrase from pop culture — favorite lyrics from a song or a favorite line from a movie or book — and slightly mangle it by changing some capitalization or adding some punctuation, or use the first letter of each word from this phrase. Some of these passphrases might seem good and entirely unguessable, but it’s easy to underestimate the capabilities of those invested in guessing passphrases.

      Imagine your adversary has taken the lyrics from every song ever written, taken the scripts from every movie and TV show, taken the text from every book ever digitized and every page on Wikipedia, in every language, and used that as a basis for their guess list. Will your passphrase still survive?

      If you created your passphrase by just trying to think of a good one, there’s a pretty high chance that it’s not good enough to stand up against the might of a spy agency. For example, you might come up with “To be or not to be/ THAT is the Question?” If so, I can guarantee that you are not the first person to use this slightly-mangled classic Shakespeare quote as your passphrase, and attackers know this.

      The reason the Shakespeare quote sucks as a passphrase is that it lacks something called entropy. You can think of entropy as randomness, and it’s one of the most important concepts in cryptography. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion.

      Even if you don’t use a quote, but instead make up a phrase off the top of your head, your phrase will still be far from random because language is predictable. As one research paper on the topic states, “users aren’t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language,” meaning that user-chosen passphrases don’t contain as much entropy as you think they might. Your brain tends to continue using common idioms and rules of grammar that reduce randomness. For example, it disproportionately decides to follow an adverb with a verb and vice versa, or, to cite one actual case from the aforementioned research paper, to put the word “fest” after the word “sausage.”

      Passphrases that come from pop culture, facts about your life, or anything that comes directly from your mind are much weaker than passphrases that are imbued with actual entropy, collected from nature.

    49. Re:Laptop by Anonymous Coward · · Score: 0

      This is common sense even for people who are not doing stuff that is illegal, just because gangs are getting smarter. Yes, you have the meth-heads, but fences know they can't really sell laptops and cellphones... but they do know that if the data is accessible, they can use that for extortion, blackmail... or just some good old fashioned trolling. As a college student, I remember one classmate who had their laptop stolen, and the thief logged onto her college page (she had her passwords saved), dropped her from all classes, just because he could.

      First thing... consider the threat at hand.

      My laptop is at "tier 1" (encryption is OK) of threat level. This means, I have something stronger than a password for authenticating to it. I use a TPM + PIN + USB key, so if the laptop is stolen, and I have physical possession of the USB drive... that laptop is not going to divulge its secrets. If someone grabbed the USB flash drive, the TPM will keep exponentially adding the amount of time between guesses, and if someone pulls the HDD out and tries to brute force it... well, they are going against the 256 bit AES space, since there is no guessable human-typed password. My threat level is mainly meth-heads, so if the encryption is good enough to get them to format it, it does the job.

      My Mac... similar. I have a "low security" user that is the only one that has a key in Time Machine. The password for that is obnoxiously long. Once that password is in, I log that user out, then switch to my main account. The fact that there is a bug with 2015 MacBook Pros [1] adding some security to obscurity can help things.

      The next tier (where obvious encryption would get one "freed" of "excess" fingers, toes, and ears) is if I were travelling to another country where I know I'd be "asked" by their border security for access to the laptop. On that laptop, I have little encryption, other than the TPM set (no PIN/PW/USB key) to boot to the user. From there, I have some dummy documents in the account. The TPM boot will catch an evil maid attack and stop any unwanted software installs (especially if my user has no admin rights on the machine), but won't be in-your-face security that raises eyebrows.

      From there, I use the laptop as a terminal, using a VPN client, and RDP or Citrix to remote in (via 2FA, of course) and do my business dealings like that. If the laptop gets seized, it might have some random documents locally about a bogus unannounced product... but nothing else. When the laptop is used as a terminal, the RDP connection is done inside a virtual machine which is rolled back when done. This way, there are no palimpsests about where the VPN was to, or where the RDP connections went. On a typical 7200 RPM laptop SSD, the redo log files are effectively gone the minute they are deleted and a manual TRIM command run. Yes, the attackers can have full access to the VM... but there isn't anything in there to point to where it was used. Yes, one can use a history erasing tool... but it is obvious to any goon that it is being used, and is cause enough to pull out the rubber hose or the electrodes. Tier 2 is running "dataless", as well as adding plausible deniability.

      [1]: If you don't reset the PRAM via command-alt-P-R on boot with some models of 2015 MBP + Time Machine, the keyboard and mouse will boot up in a locked state (where it only accepts typing for 250-400 milliseconds and stays locked for 5-60 seconds, randomly), preventing password entry. This was in Yosemite, and is in El Capitan. Only real fix is to power cycle, and reset the NVRAM. Set the NVRAM lock to only allow booting from the selected drive... and one will have to boot a few times, get the recovery screen and decrypt the drive for access.

    50. Re: Laptop by Anonymous Coward · · Score: 0

      There are easier ways..

      1. Create a website somewhere..
      2. Write a PRNG in javascript, using some pre-chosen seeds.
      3. Enter the wanted password. This will be one of the seeds to the PRNG and get a blob of data. Let's call this blob key1

      For the SD card:
      1. Install a live linux-system on the SD card with networking and a web-browser. ( Crypt-loop with a password would be preferred to protect against the most basic attacks )
      2. Generate a blob of random data and put on the SD-card. Let's call this key2.

      For the contents of the SD-card:
      1. Generate a list of sha256 of all files on the SD card and store somewhere.
      2. Generate a list of sha256 for all files on /boot on the HDD and store somewhere. (if running linux that is)
      List should be signed and stored in a way where you can validate that the signature checks out to make sure they have not been tampered with. (keeping a paper with the public key in your wallet may be enough)

      When arriving at the destination:
      1. Boot the live linux-system.
      2. Check the signatures of the sha256-lists.
      3. Check the sha256 sums on the contents of the SD card and /boot on the HDD.
      4. Call a friend that will bring up the web-server. (or automate it and bring it up via a SMS)
      5. Open the web-page in the browser.
      6. Disconnect from the network. (all generation should be done in javascript)
      7. Enter your password and re-generate key1.
      8. Pick a fresh and empty USB key and save key1 to the USB-stick.
      9. Copy key2 to the USB-stick
      10. Boot from HDD and let the initrd generate the decryption-key from key1 + key2.
      -- Away you go..

      If you want some extra security, and another computer at the destination, just keep key2 on the SD card. When arriving at the destination download a fresh copy of the bootable system on the SD card.

      If you have not had the computer with you at all times and suspect that it might have been "investigated" do not connect to network. Use a separate system to generate the key to unlock the harddrive and use that system to copy all data from the HDD to a fresh HDD and then scrap the old laptop and HDD.

      * Please ignore all spelling-errors and such.. a bit tired here..
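
The hash-list check from the post above (SHA-256 lists for the SD card and /boot, verified on arrival), as an added example that is not part of the original post. The function names are hypothetical, a temporary directory with constructed file contents stands in for /boot, and a pinned SHA-256 fingerprint of the manifest (short enough to keep on paper) stands in for the public-key signature the post describes.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative path: sha256 hex} for every file and symlink under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # Hash the link target so a redirected symlink is noticed.
                target = "symlink:" + os.readlink(full)
                manifest[rel] = hashlib.sha256(target.encode()).hexdigest()
            elif os.path.isfile(full):
                manifest[rel] = sha256_file(full)
    return manifest


def serialize_manifest(manifest):
    """Render as sorted 'digest  path' lines (the layout sha256sum prints)."""
    return "".join(f"{manifest[p]}  {p}\n" for p in sorted(manifest))


def parse_manifest(text):
    entries = {}
    for line in text.splitlines():
        digest, path = line.split("  ", 1)
        entries[path] = digest
    return entries


def fingerprint(manifest_text):
    """Short value to keep off the device; pins the whole manifest."""
    return hashlib.sha256(manifest_text.encode()).hexdigest()


def verify(root, manifest_text, pinned_fingerprint):
    """Check the manifest itself first, then compare the tree against it."""
    if not hmac.compare_digest(fingerprint(manifest_text), pinned_fingerprint):
        raise ValueError("manifest does not match the pinned fingerprint")
    expected = parse_manifest(manifest_text)
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in expected
                           if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def run_demo():
    """Build a constructed boot tree, tamper with it, and report what verify sees."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "grub"))
        constructed = {
            "vmlinuz": b"kernel image (constructed sample)",
            "initrd.img": b"initrd (constructed sample)",
            "grub/grub.cfg": b"menuentry 'sample' {}",
        }
        for rel, data in constructed.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)

        # Before travel: write the manifest, keep its fingerprint elsewhere.
        manifest_text = serialize_manifest(build_manifest(root))
        pinned = fingerprint(manifest_text)
        clean = verify(root, manifest_text, pinned)

        # Simulated tampering while the machine was out of the owner's hands.
        with open(os.path.join(root, "initrd.img"), "ab") as handle:
            handle.write(b"appended bytes")
        open(os.path.join(root, "extra.ko"), "wb").close()
        os.remove(os.path.join(root, "grub", "grub.cfg"))
        tampered = verify(root, manifest_text, pinned)

        # A manifest regenerated to match the tampered tree fails the pin.
        regenerated = serialize_manifest(build_manifest(root))
        try:
            verify(root, regenerated, pinned)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
        return clean, tampered, forged_rejected


if __name__ == "__main__":
    print(run_demo())
```

The check only means something when it runs from media that was not itself exposed, which is why the post boots a separate live system before verifying.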

    51. Re:Laptop by Anonymous Coward · · Score: 0

      That's why you should only carry a part of the key with you and the other part you collect when arriving at the destination.. (friend sends his part of the key when you arrive at the destination.)

      If they break you they can only get half of the key.. And as long as your friend is not within their jurisdiction they will have a hard time recovering the other part..

      As long as you make this a practice whenever you travel they cannot charge you with "destroying evidence" or similar since you use it as a standard security-routine whenever you travel..
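
One way to handle the "key1 + key2" step and the carry-only-part-of-the-key idea from the two posts above, as an added example that is not from either poster. It shows two standard constructions: a 2-of-2 XOR split of an existing key, and an HKDF (RFC 5869) derivation from two independently generated parts; the function names and the `info` label are assumptions.

```python
import hashlib
import hmac
import secrets


def split_key(secret):
    """2-of-2 XOR split.

    share_a is uniformly random and share_b = secret XOR share_a, so either
    share alone is statistically independent of the secret. Cutting a
    256-bit key into two 128-bit halves is weaker: whoever holds one half
    has only 128 bits left to search.
    """
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a, share_b):
    """Recover the secret; both shares must be present and the same length."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF extract-then-expand with HMAC-SHA256 (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(key1, key2, salt):
    """Derive one unlock key from two independently generated parts.

    Each part is length-prefixed so that (b"ab", b"c") and (b"a", b"bc")
    cannot collide, which plain concatenation would allow.
    """
    ikm = (len(key1).to_bytes(4, "big") + key1 +
           len(key2).to_bytes(4, "big") + key2)
    return hkdf_sha256(ikm, salt, b"disk-unlock-v1")  # info label: assumption


def run_demo():
    # Constructed sample values, generated fresh on each run.
    disk_key = secrets.token_bytes(32)
    carried, remote = split_key(disk_key)
    recovered = combine_shares(carried, remote)

    key1 = secrets.token_bytes(32)   # part that travels
    key2 = secrets.token_bytes(32)   # part that stays elsewhere
    salt = secrets.token_bytes(16)   # not secret; stored with the volume
    unlock = derive_unlock_key(key1, key2, salt)
    return recovered == disk_key, len(unlock)


if __name__ == "__main__":
    print(run_demo())
```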

    52. Re:Laptop by Anonymous Coward · · Score: 0

      That's why you don't withhold, you give them the safe key, they decrypt and discover nothing special. Or simply "forget" what the key is.

    53. Re: Laptop by Mal-2 · · Score: 1
      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    54. Re:Laptop by KGIII · · Score: 1

      I once got arrested for drinking in public (case dismissed, they just wanted me to stop being an idiot) and I made it through a strip search and the mandatory shower while wearing a Fentanyl patch on my arm. I was getting out in a little while, bailing out, so I gave it to another inmate. Fentanyl is a very strong opiate and the patches are akin to the nicotine patches - transdermal. The funny thing is, they thought I had drugs on me so I was searched by three officers at once. They were too busy messing with my shoes and clothing, so they never noticed the patch.

      My point is, not all searches are equal. 'Snot much of a point, I guess, but there's a chance of making it through so long as you don't bring attention to it, act exceptionally nervous, or give them cause to be more complete.

      --
      "So long and thanks for all the fish."
    55. Re:Laptop by KGIII · · Score: 1

      I think you just met someone who still has "faith in the system." They're a rare breed around these parts. I think we may need to start putting a few out on the range for preservation sake. That or a zoo...

      --
      "So long and thanks for all the fish."
    56. Re:Laptop by KGIII · · Score: 1

      I am on the road, sort of, and I certainly don't even have any data worth stealing. Yet, at home, I have a box running Lubuntu and running a VNC server with secure connections enforced and only allowing access for a specific IP address (my VPN). I use any old laptop that I have with me, often just for a Live USB, and connect to my VPN, then my home server, and then access the web. I even do this for typing this post.

      I don't even have an email client configured on this particular computer - that's accessed by connecting to the remote machine. There's ample power at home and a UPS, a real one and not some pseudo thing from APC, so I've not had a problem. If worse comes to worse there's a failover system and, absolute worst, I have a laptop that's set to resume when power returns should that happen - that's my tertiary backup.

      All were properly configured and tested prior to leaving. The house has a security alarm and cameras so I *might* know if there's a physical intrusion. This isn't even 'special' data, not by any means, it's just that I'd prefer to be moderately secure. Hmm... How has it been of benefit?

      I was still on the road when the Ubuntu family of 15.10 dropped so I used the remote machine to grab all of the 64 bit versions and set them to share as torrents. I don't have to worry about the hotel's wireless being snooped on as my data is encrypted. I get to access my NAS from remote. If someone steals my laptop then I'm good to go in an hour or less. When I go to Canada or come back, there's nothing for them.

      I also encrypt and upload a few things. I'll put some in various different services and some on my own server. Sure, I never know where what is but I know where it all is and can find it. That way I can still use eTrade when I'm bored. I have shared service through my credit union so I don't need to do any online banking and I never do.

      I'm sure it's not 100% secure, nothing is. It's secure enough for my needs and has an acceptable risk profile. I used to carry around quite a bit of proprietary code and other data. Keeping things encrypted and choosing the least risky method is kind of a habit. I know that nothing is secure, it never will be, but if one wants complete security they'll never get anything done.

      --
      "So long and thanks for all the fish."
    57. Re: Laptop by allo · · Score: 1

      And then? They need to know what they are searching for.

      The card is broken, so you cannot recover it. The card is down the drain, so they do not know it was there, when they are interrogating you. When they find it afterwards ... no problem, you do not know about it.

    58. Re:Laptop by TechyImmigrant · · Score: 1

      Well I don't put bombs in things. It's not the kind of thing I do. I'd prefer the additional disk space.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    59. Re:Laptop by TechyImmigrant · · Score: 1

      They can charge you with withholding the key. In the UK, your attempts at evasion would land you in jail.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Do we have to go through this again? by Anonymous Coward · · Score: 1
    1. Re:Do we have to go through this again? by AmiMoJo · · Score: 2

      The key is to have no way to decrypt the laptop, then they can't force you to. Make sure someone else has the key, preferably in another jurisdiction (i.e. country).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Do we have to go through this again? by BitterOak · · Score: 5, Informative

      The key is to have no way to decrypt the laptop, then they can't force you to. Make sure someone else has the key, preferably in another jurisdiction (i.e. country).

      That could land you in prison in the U.K. Legislation in that country required you to decrypt data for authorities on demand. Losing or destroying the keys is no excuse.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    3. Re:Do we have to go through this again? by gweihir · · Score: 2

      Indeed. That British law is not about right or wrong, it is about enabling them to do it to you for daring to encrypt things they want.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Do we have to go through this again? by AmiMoJo · · Score: 0

      The police have to show that you have the key for there to be a prosecution. Otherwise they could just lock anyone up by demanding that they decrypt /dev/random. For safety you should make sure you can prove that you don't have the key.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Do we have to go through this again? by BitterOak · · Score: 2

      The police have to show that you have the key for there to be a prosecution. Otherwise they could just lock anyone up by demanding that they decrypt /dev/random. For safety you should make sure you can prove that you don't have the key.

      First of all, there's never any way you can prove you don't have a key. Period.

      Secondly, I don't think you're correct about the law. I think the law requires you to be able to decrypt any encrypted data you have (/dev/random is not a file; it's a device), or any encrypted communications you have engaged in. My understanding is that it is effectively illegal in the U.K. to use communications protocols which employ perfect forward secrecy for that reason. (There are exceptions for some SSL web traffic, I think, but I could be wrong.) I'm not a lawyer though, so I could be wrong about my second point.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    6. Re:Do we have to go through this again? by JustAnotherOldGuy · · Score: 2

      The police have to show that you have the key for there to be a prosecution.

      Unfortunately, these days they can just insist that you know the key, or claim that they know you know the key, and you'll probably sit in jail for quite some time before they let you out (if ever).

      It's hard to prove you don't know something, especially if you've encrypted data that they want. Their reasoning (to the judge) will be, "Who would encrypt data without a way to decrypt it, your Honor?" and most judges will go "That makes sense."

      And frankly, it does make sense. Why would someone encrypt their data if they didn't have a way to decrypt it?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    7. Re:Do we have to go through this again? by AmiMoJo · · Score: 1

      The onus is on them to prove you know it. So far the only times this has happened is when the person was accessing the data recently and they had proof, e.g. log files showing a recent mounting of the drive. If you can demonstrate that you set up a system where you made sure you didn't know the key, you should be okay.

      You have to be careful to create evidence though, because e.g. just securely deleting the data by overwriting with random bytes could screw you. You can't unlock it, and you don't have proof it isn't encrypted data, and they have some evidence that you used the machine recently...

      It's still a risk even if you do it right of course, because they could decide to ignore the law as they sometimes do, but that's a risk no matter what you do. If they are willing to ignore the law then it doesn't really matter what you do, does it? Your fully wiped laptop will mysteriously acquire some child porn, your empty pocket will produce a flash drive full of classified documents etc.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Do we have to go through this again? by Kjella · · Score: 1

      First of all, there's never any way you can prove you don't have a key. Period.

      Nobody's proven that the Star Trek teleporter is impossible either, but if you were in New York and are charged with killing a man in San Francisco five minutes later you have a very strong alibi. Documented procedures that show you wouldn't be given the key and testimony saying the procedures were followed is as good as evidence gets in a court room. History can't be turned into a reproducible experiment, you only have the information that's been observed, recorded or might be gleaned from the leftovers. It's not the same standard of "proven" as science since history is obviously not reproducible, it happened once and all you have is evidence and testimony about it. Whatever information was lost, is forever lost and you can't get it back.

      --
      Live today, because you never know what tomorrow brings
    9. Re:Do we have to go through this again? by arth1 · · Score: 2

      And frankly, it does make sense. Why would someone encrypt their data if they didn't have a way to decrypt it?

      Who's to say it is encrypted data? I tend to do this to SSDs first thing I get them:
      dd if=/dev/urandom of=/dev/XXX
      The reason is partially to thwart compression schemes and make sure that the drive really can handle being full of uncompressible data, and partially to enter "worst case" write amplification as early as possible, so I know what the real worst-case speed of the drive is, and not get nasty surprises later.
      Of course, after that, any unpartitioned space on the drive will be indistinguishable from, say, a truecrypt unpartition. But I sure can't decrypt it, because it doesn't have encrypted data on it. Probably.

    10. Re:Do we have to go through this again? by Antique+Geekmeister · · Score: 1

      > First of all, there's never any way you can prove you don't have a key. Period.

      I agree with your reasoning. This is what steganography is for. One secure key can be used for secure data, the other for much less critical, "personal" data of much larger volume, such as personal correspondence and shopping lists.

    11. Re:Do we have to go through this again? by cas2000 · · Score: 1

      It's entirely normal to send encrypted mail that is encrypted so that only the recipient key(s) can decrypt it and not the sender key.

      In fact, with PGP and gnupg you have to go out of your way (i.e. use a special config option or command-line option) to encrypt a file so that the key used to encrypt the file or message can also decrypt it.

      With gnupg, that's the encrypt_to option.

    12. Re: Do we have to go through this again? by Anonymous Coward · · Score: 0

      So you honestly think a tyrannical government will give a rat's ass that you say you don't have the key? You are standing in the way of what you want. Maybe they will decide the solution is to keep you locked in a prison of horrors until the third party holding your crypto keys turns them over. Scream and cry all you want to go to your embassy - how will you force them to take you there? In that situation it boils down to who has the bigger gun and it won't be you. The best bet is not to play childish games, let them search a data free laptop and be on your way.

    13. Re:Do we have to go through this again? by Anonymous Coward · · Score: 0

      Just keep part of the key with you and the other part with a person in some other jurisdiction and orders to that person to destroy his part of the key after 1 day if you don't contact him..

      Who destroyed the evidence? You? Your friend? Do you have to testify against yourself and tell them who has the second part of the key? Could they force you (legally) to call your friend and pretend you were at the destination and have him give you the other part of the key?

    14. Re:Do we have to go through this again? by KGIII · · Score: 1

      Not really directed at you but more an addition to your post...

      What I find disturbing is this talk about proving one's innocence. That's not how the justice system works, or should work. The burden of proof is on the State to prove that you either, more likely than not, committed the offense or that a reasonable person would conclude, beyond reasonable doubt, that you committed the offense. The former is for civil offenses and the latter for criminal offenses.

      You should never, ever, have to prove your lack of guilt.

      One other thing, the Western courts do not typically find people innocent. They find them 'not guilty.' For who among us is innocent, after all? (Some weasel words included because defining "Western" may be difficult and I am not aware of specific operations for each and every court.)

      --
      "So long and thanks for all the fish."
  4. Easy by Anonymous Coward · · Score: 2, Informative

    Easy: Store nothing sensitive anywhere on the laptop. Make sure all browsing history/data is wiped before the laptop is ever put to sleep/hibernate.

    1. Re:easy by Anonymous Coward · · Score: 0

      Why remove the hard disk before leaving?

      Just pull it out when you get to your destination and put it back in when you leave for home.

      Or leave it in the whole time. Linux won't touch a Windows partition unless you specifically instruct it to. If you really want to make sure, encrypt the hard disk. Boot it up and put it into standby just before the checkpoint, and they won't even know it's encrypted.

  5. Complete Deniability that data exists by gurps_npc · · Score: 4, Interesting

    Whatever kind of encryption you use should have the ability to use alternative passwords - an unlimited number of them. So enter password (A) reveals your tax records, password (B) gets pictures of naked 30 year old men. But enter password (C) and you get clear pictures of Mr. Cameron violating a dead pig. When they demand your password, give them password A. If they get all torture-ish you give them password B.

    --
    excitingthingstodo.blogspot.com
    1. Re:Complete Deniability that data exists by Anonymous Coward · · Score: 0

      How would you implement something like this?

    2. Re:Complete Deniability that data exists by gurps_npc · · Score: 1

      Truecrypt did something similar using what they called a hidden container system. But Truecrypt is no longer secure.

      --
      excitingthingstodo.blogspot.com
    3. Re:Complete Deniability that data exists by Anonymous Coward · · Score: 0

      But then they'd know you were using a scheme with multiple passwords and would then have an incentive to continue with enhanced interrogation tactics to see if you have any additional passwords.

      Best to just give them the consolation prize up front and give them no reason to think your scheme implements multiple passwords.

    4. Re:Complete Deniability that data exists by grub · · Score: 1


      But Truecrypt is no longer secure.

      Are you sure? Last I read was they shut down the project with a vague statement like that but nothing to back it up. The recent audits showed it was still a good product from what I remember.

      --
      Trolling is a art,
    5. Re:Complete Deniability that data exists by kbonin · · Score: 4, Informative

      TrueCrypt probably triggered their warrant canary and the dev team decided to call it quits, since NSLs are so much fun to fight for people living in the formerly free country known as the US. In the mean time, code forked and picked up here: https://veracrypt.codeplex.com...

    6. Re:Complete Deniability that data exists by grub · · Score: 1

      I use VeraCrypt. Was wondering about the claim of TrueCrypt being insecure.

      --
      Trolling is a art,
    7. Re:Complete Deniability that data exists by RDW · · Score: 1

      Some flaws the audits missed were discovered a month ago, at least on Windows:

      http://www.zdnet.com/article/t...

    8. Re:Complete Deniability that data exists by kbonin · · Score: 2

      Nobody has found any real crypto weaknesses in TrueCrypt to date, in public or in any of the private crypto groups I know of. This article claims that two TrueCrypt driver bugs expose systems to a privilege escalation attack, and these have been fixed in VeraCrypt: http://www.itworld.com/article...

    9. Re:Complete Deniability that data exists by Anonymous Coward · · Score: 0

      I doubt it. While NSLs are a problem, there isn't a law that exists that would force TrueCrypt developers to secretly compromise their software to make it easy for police to decrypt TC-encrypted files. Even if there was one, I doubt it would pass constitutional muster.

    10. Re: Complete Deniability that data exists by Anonymous Coward · · Score: 0

      Ah the popo decided to visit....

    11. Re: Complete Deniability that data exists by Anonymous Coward · · Score: 0

      Is there a tool out there that allows this? Let's hope it's not illegal to have pictures of naked 30 year old men. In certain middle eastern countries that would get your head removed from your shoulders, or at least a lot of nasty jail time.

    12. Re:Complete Deniability that data exists by monkeyzoo · · Score: 1

      All correct. But TrueCrypt's hash security is also aging and rapidly approaching (if not already at) the marginal level. VeraCrypt has also fixed this.

  6. Re:How about this... by Anonymous Coward · · Score: 2, Informative

    Unlike common criminals, try cooperating with the police. You'll be better off in the end for it generally.

    What if the police have become criminals themselves?

  7. Re:How about this... by Anonymous Coward · · Score: 0

    Pick up that can.

  8. Don't have anything for them to find by Todd+Knarr · · Score: 4, Insightful

    Best bet is simply not to have anything for them to find. Store your data on a thumb drive (that you'll carry or ship separately) or upload it to your own server or a service like Google Drive or Dropbox, encrypting it or not first, all depending on how sensitive the information is. Delete it or secure-wipe it or wipe the whole drive and do a complete factory restore on your laptop depending on how invasive you think the search might be. Then let the cops search all they want, they won't find what isn't there.

    NB: Linux makes a better platform for this than Windows. On Windows bits of your files can end up in the oddest places to be found during a scan of the drive. On Linux it's easy to set up a separate partition where all your data will go and be certain it didn't leave traces anywhere else, and that partition can be secure-wiped and reformatted without messing up the OS installation in the process. Plus the cops are less likely to be familiar with Linux, and you can play the dumb-non-techie card of "I dunno, it's whatever the guys in IT put on it. I just follow the instructions to run my programs and everything works.".

    1. Re:Don't have anything for them to find by LVSlushdat · · Score: 4, Insightful

      Tell me my tinfoil hat is on too tight if you want, but I *strongly* suspect it's NOT going to be *too* far in the future when those of us who refuse to use Windows and use Linux instead will be charged with violation of a yet-to-be-passed law, but one that is almost surely to be passed by the authoritarian thugs that currently infest most governments. For all we know, this sneaky Transpacific Partnership abortion that's making its way through the halls of Congress may have the beginnings of such in it, and since we, the unwashed plebes, are not privy to its contents, heaven only knows what is in it. Both the US and UK are diving at a faster and faster rate down towards blatant totalitarianism. When you look at the many traffic analyses that have been on Microsoft's latest offering, you start to wonder if they've not gone into partnership with the NSA to fill up that giant datacenter in Utah with everything you do on your Windows machine. This being the main reason I suspect it won't be too long before those of us who don't suck at the MS tit, will be persecuted for using an OS that doesn't feed the MS/NSA behemoth... Before you accuse me of being paranoid, stop and think about what I said.... Glad I'm 65 and not a youngster growing up in this ever-increasing totalitarian world...

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    2. Re:Don't have anything for them to find by Anonymous Coward · · Score: 0

      None of this will work if it's a targeted search, especially not in locales where they will hold you for extended periods of time when their suspicions become aroused.

    3. Re:Don't have anything for them to find by Todd+Knarr · · Score: 1

      Yes, but if you're dealing with a situation where they'll hold and interrogate you for an extended period even if they find absolutely no evidence at all then you have bigger problems than how to keep them from finding anything. In that situation the only way to avoid this is to not go there in the first place and if you have to go there the question's more along the lines of how do you get in and out without them finding out you're you along the way. And that frankly is seriously out-of-scope for this kind of forum.

    4. Re:Don't have anything for them to find by maugle · · Score: 1

      I doubt Linux would be banned entirely (it's in use by too many big businesses), but I could see only certain "approved" distros being allowed. I'm sure Red Hat would jump at the chance to be the sole government-approved official Linux provider, and I doubt they'd even think twice about including a few "special" government-provided packages in their base installation.

      ...assuming they don't do that already.

    5. Re:Don't have anything for them to find by Anonymous Coward · · Score: 0

      Police and law enforcement have always needed to have access to data and to be able to track criminals through communications as well as other things. In the past this was relatively easy, phones were easy to tap, you could easily access documents, and most crime was more face to face.

      The internet has really changed all of this. I am not sure why it should be this sacred cow where people feel that watching traffic on it is some great violation which is somehow new and where we are plunging into a police state.

      The fact is computers and the internet are relatively new. They are being used to commit crime on a scale never seen before, and where criminals have tools which allow them to easily hide in plain sight. While physical crime such as bank robberies does occur, the losses are tiny compared to cyber crime where criminals are getting away with far more money. Would we tell a bank that they can't have cameras? If not, why would we limit the ability to track traffic on the internet?

      The reality is the chance I will be targeted by the government is tiny, while my chance on getting hit by cyber crime is significantly higher. Given that, asking the question should law enforcement be neutered so that they have limited to no ability to track cyber crime, or should we allow them to have the tools and ability to track down and prosecute criminals, the answer seems easy to me.

    6. Re:Don't have anything for them to find by JustAnotherOldGuy · · Score: 1

      Best bet is simply not to have anything for them to find. Store your data on a thumb drive (that you'll carry or ship separately) or upload it to your own server or a service like Google Drive or Dropbox, encrypting it or not first, all depending on how sensitive the information is.

      Bingo. This is the only way to avoid the whole mess of having data for them to become suspicious of in the first place. Don't have anything for them to find or become suspicious of.

      Once they find encrypted data most law enforcement authorities will automatically assume something nefarious, and even if they don't, they'll still want to see what it is.

      And they'll use the old "We think it might be child porn" as an excuse to hold you for as long as they can get away with (and these days that may be forever).

      --
      Just cruising through this digital world at 33 1/3 rpm...
    7. Re:Don't have anything for them to find by Anonymous Coward · · Score: 0

      Nah. Taking away our freedom will come in a much more insidious form, one that will give spineless bastards room to sling insults at those who can see what's coming.

    8. Re:Don't have anything for them to find by Anonymous Coward · · Score: 0

      There is healthy paranoia, paranoia, tinfoil hat paranoia then we move into the realm you're in. I am not going to make fun of you as I think you really should see a therapist. It takes a special mind to come up with the idea that the most popular OS on the planet, billions of devices, hundreds of millions of servers (many run by the government) are all going to become illegal, and all because they are in a secret pact with the devil (MS). Seriously, if the government wants to see your shit they are in a far better position with Linux, it is open, freely available and easily subverted.

    9. Re:Don't have anything for them to find by Anonymous Coward · · Score: 0

      Were you asleep during the Snowden disclosures? You are already a target of the government. Your communications, social network, and etc. already exist in a government database that you have no say over.

    10. Re:Don't have anything for them to find by Anonymous Coward · · Score: 1

      I doubt Linux would be banned entirely (it's in use by too many big businesses), but I could see only certain "approved" distros being allowed. I'm sure Red Hat would jump at the chance to be the sole government-approved official Linux provider, and I doubt they'd even think twice about including a few "special" government-provided packages in their base installation. ...assuming they don't do that already.

      They could roll it right into systemd!

    11. Re:Don't have anything for them to find by AHuxley · · Score: 1

      The OS created log files could be a hint to other networked data or a device in use in the control of the user. The next request would be the password to your backup cloud please or to show the device.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:Don't have anything for them to find by 101percent · · Score: 1

      Most people involved--such as Edward Snowden & William Binney--do not want "law enforcement neutered." Some of the things the feds are doing are completely outside of law with no public scrutiny and narrow compartmentalized oversight. Even the more radical folks like Jacob Appelbaum are proposing very basic things that can be done to make the internet safer for all of us.

    13. Re:Don't have anything for them to find by Lennie · · Score: 1

      Wouldn't be surprised if Microsoft caved. The architecture of Skype changed when Microsoft bought the company, it's no longer p2p. They are really helpful with providing access to data of former Hotmail.

      But a much bigger problem is the rules in the US (at least for us foreigners, I'm in Europe, they'll probably get the data of the people in the US too):
      https://media.ccc.de/v/31c3_-_...

      The rules talk about remote compute, so my guess is it applies to: VPS, 'Cloud computing'/IaaS, PaaS, SaaS and all those kinds of services.

      My problem is not with my data, I know where my data is and if it's encrypted. I put it there.
      The problem is with companies that have data about me: insurance companies, banks, telecom providers and the 3rd parties they deal with. I do not directly control where they keep my data.

      --
      New things are always on the horizon
    14. Re:Don't have anything for them to find by houghi · · Score: 1

      You are aware that they do not care if the data is on the HD of your device? They want to access the data or use it to incriminate you. If they are at that stage, they already know you have it somewhere.

      Depending on the country you are in, they can make your life a living hell if you don't hand it over.

      What is discussed here are technical solutions to social problems. They do not work. They never work.

      --
      Don't fight for your country, if your country does not fight for you.
  9. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  10. Re:How about this... by Anonymous Coward · · Score: 2, Insightful

    > Unlike common criminals, try cooperating with the police. You'll be better off in the end for it generally.

    Sigh... Don't Talk to Police

  11. Not possible by gweihir · · Score: 3

    In the British Police-State, that is not possible, unless the journalist is willing to go to prison for failing to disclose an encryption password. Forget about "plausible deniability", that is for kids and morons. It does not work in practice.

    The time to protect essential freedoms in Britain is past, and the battle (pathetic though as it has been) is lost. Anybody now trying to protect itself will just be classified as a "terror supporter" and that is it. Expect concentration camps to be opened soon.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Not possible by Anonymous Coward · · Score: 0

      Forget about "plausible deniability", that is for kids and morons. It does not work in practice.

      Citation needed. Something like Truecrypt's hidden volumes (not that anyone sane would use that particular software now, but maybe there are alternatives) should work just fine in theory, providing you are careful and don't leave breadcrumbs. For those of you unfamiliar, Truecrypt provided a way to create encrypted blobs which would contain multiple volumes accessible via separate keys. The idea was you could, when compelled, provide the key to a decoy volume which might contain something mildly embarrassing but not incriminating. The authorities would have no way to prove or disprove you were withholding the key to any further secret volumes. Unfortunately the software was discontinued a year or 2 ago in somewhat suspicious circumstances, widely believed to have been a 'canary' warning of being compromised by intelligence agencies.

    2. Re:Not possible by gweihir · · Score: 1

      Enough has been written about the utter stupidity of "plausible deniability". It is almost impossible to be "careful and don't leave breadcrumbs" even for experts. Go land yourself in hot water if you like. But don't say you were not warned.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Not possible by AmiMoJo · · Score: 2

      Recent events don't seem to support that assertion. The Guardian was able to handle the Snowden files without being imprisoned or losing them. Okay, some MI5 goons made a show of destroying a few laptops, and the footage ended up on YouTube and the stories were published anyway.

      The BBC's mistake was not protecting their journalist's data properly. If you take precautions, it's possible. In this case, if they had used a live CD so there was no trace, and protected the contract details with encryption the police would probably have been screwed. They could have tried to prosecute for not decrypting, but then there would be a huge legal battle over it, taking years. They only did this because they were able to do it by the back door, in a way that made it hard to resist.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Not possible by Anonymous Coward · · Score: 0

      Forget about "plausible deniability", that is for kids and morons. It does not work in practice.

      Citation needed. Something like Truecrypt's hidden volumes (not that anyone sane would use that particular software now, but maybe there are alternatives) should work just fine in theory, providing you are careful and don't leave breadcrumbs. For those of you unfamiliar, Truecrypt provided a way to create encrypted blobs which would contain multiple volumes accessible via separate keys...

      Oh, FFS.
      Here's a clue: the section of the polis who're interested in the contents of said laptop are not your average plods...they're well aware of hidden containers etc. The scenario is:
      Journo: 'Oh Yes, Mr Plod, here's my key...'
      Plod: 'Thank you for your co-operation Citizen, now, your other key for the hidden container is...?'
      Journo: 'There is no other container...you can't prove there is one'
      Plod: (with large grin) 'Gotcha! Smart arse, you can't prove there isn't one, so you're now in breach of section 49 of the RIPA(2000) sonny... you're fucking nicked..'

    5. Re:Not possible by gweihir · · Score: 1

      That is the main non-technical problem. The main technical one is that you must not use the cover OS installation to protect the hidden area (which is glaringly obvious) or that the hidden area must be protected against overwriting (which is glaringly obvious).

      The whole thing is a smart idea that completely falls on its face when confronted with technical and non-technical realities. Unfortunately, most people are far too much removed from reality to see that and hence live in this fantasy-world where this idea works. Kind of why the evil fuckers that make these considerations necessary were voted into office in the first place: People are generally stupid.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Not possible by gweihir · · Score: 2

      The question was about an individual journalist. If you have an organization large and well-known enough to be hard to touch and somebody with real courage on the top, then you have a chance. But the editor of the Guardian _was_ willing to go to prison, if that was what it took. And that _is_ what it takes in a police state slowly going towards full-blown fascism.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Not possible by Anonymous Coward · · Score: 0

      seriously dumb. most technical people know about encrypted and hidden drives. professionals in computer forensics would have zero problems locating such a hidden partition from ANY of the available varieties. The idea that you could hide it so perfectly and not leave breadcrumbs is laughable. DON'T take it with you if you don't want it searched, it is as simple as that.

    8. Re:Not possible by linuxrocks123 · · Score: 1

      Care to share some links? The only thing I'm aware of that you may be referring to is that the Windows implementation of TrueCrypt has a bug where it doesn't properly exclude the hidden filesystem from search indexing or somesuch. The concept is sound. And if you're using hidden volumes, you really should be using live CDs to inspect the hidden volumes anyway.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    9. Re:Not possible by linuxrocks123 · · Score: 1

      Even in the UK, they must prove that there is a key and that you at one point had access to it in the past year. If they prove you had access to the key in the past year, then the burden shifts to you to prove that you no longer have access to the key.

      It's a bad law, but don't spread disinformation about it. And the US situation is much, much better.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    10. Re:Not possible by Anonymous Coward · · Score: 0

      The hidden volume is protected by being inside the decoy volume, which you don't modify after setting it up. The decoy volume can be protected overtly (by having it inside a file of the host OS, for example) because you don't need to deny its existence. If you're paranoid I don't see why you couldn't set up an arbitrary number of nested volumes, with increasingly sensitive material on them, but keep the critical stuff in the innermost one. The interrogators would have no way of knowing how many levels there were.

      As for the GP's post, that's describing a situation where you can be detained indefinitely and without evidence, and it has not quite reached that stage in the US or the UK (everyone convicted under RIPA was stupid enough to incriminate themselves, for instance).

    11. Re:Not possible by gweihir · · Score: 1

      Don't be lazy, google() yourself. The whole idea is utterly disconnected from reality. Of course there are a lot of bright-eyed morons that think this thing is actually going to help. It is not.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:Not possible by gweihir · · Score: 1

      The hidden volume is protected by being inside the decoy volume, which you don't modify after setting it up.

      Which happens to be glaringly obvious.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Not possible by linuxrocks123 · · Score: 1

      Assertions without evidence are not credible. If you can't or won't support your claim, why are you making it?

      --
      vi ~/.emacs # I'm probably going to Hell for this.
  12. Re:How about this... by gweihir · · Score: 1

    That one is true even in budding fascism as the British now clearly have.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Re:How about this... by 93+Escort+Wagon · · Score: 1

    Unlike common criminals, try cooperating with the police. You'll be better off in the end for it generally.

    Yeah, in this case I'd have to agree with you. According to the article, the police went to a judge and obtained a court order to get the information - so if you don't provide it, be prepared to sit in a jail cell until you change your mind.

    I do think these laws are overreaching and need to be rewritten (and rescinded in some cases) - but the police were following the letter of the law here.

    --
    #DeleteChrome
  14. Re:How about this... by Anonymous Coward · · Score: 1

    That's very bad advice sometimes, when it is. You're advocating 4th amendment roulette. Moronic.

  15. It's sad, but can you really trust them? by DreamMaster · · Score: 1

    It's an unfortunate sign of the times, but I've read far too many articles about people being arrested and jailed for unknowingly violating the technicalities of various different laws.. consenting partners under 18 being jailed as sex offenders and being listed for life, insulting heads of state or reporting on human rights abuses, jailed for having cartoon porn / weird tentacle thing stuff from Japan that still gets branded as child pornography, or even for whistle-blowing. And particularly for America, reading in recent times, the attitude of border agents that they're outside the law and no-one has any constitutional rights.. frankly, if you are a journalist reporting about things your government (either American or elsewhere) are doing, you'd be a fool not to have everything strongly encrypted, and give them the leisure to browse through your stuff to find something to charge you with.

  16. Tails and remote storage by klingens · · Score: 3, Informative

    On your Laptop there is a normal Windows installation which is not used for work. Only for stuff like browsing the web in the evening at the hotel, mails to the kids, etc.
    On a USB stick on the keychain there is a copy of Tails https://tails.boum.org/index.e...
    You rent some VPS or root server in a country of your choice, under a different name, preferably paid via cash. This is the place where all the data for work is stored, encrypted.
    This server you only access via Tails which uses Tor by default.

    If you can't do this, you put an encrypted VM onto your Laptop which happens to have the data for work and you write your stuff or access the web for work related research only in this VM. Again using a distro like Tails.

    1. Re:Tails and remote storage by gweihir · · Score: 1

      The VPS+Tails idea is about the only one that can work. Better write nothing down though and better make sure your Tails copy is always current and cannot be tampered with. Incidentally, renting a VPS with cash is impossible almost everywhere, but you do not actually need to. Just make sure it is a country that is unlikely to cooperate with your enemy. In addition, better make sure to only work on it via hidden service or it may well get attacked by "hackers" in some routine government-sponsored break-ins.

      The encrypted VM is an exceptionally stupid idea though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Tails and remote storage by Anonymous Coward · · Score: 1

      To elaborate: encrypted filesystems like Truecrypt store the encryption password in RAM. Virtual Machines store RAM persistently on the unencrypted filesystem. This makes "cold boot attacks" significantly easier to perform.

    3. Re:Tails and remote storage by gweihir · · Score: 1

      Indeed. And that is just one of the problems.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Tails and remote storage by Anonymous Coward · · Score: 0

      That's why you encrypt the entire disk. If you're not starting there, you're doing it wrong.

    5. Re:Tails and remote storage by Anonymous Coward · · Score: 0

      Incidentally, renting a VPS with cash is impossible almost everywhere, but you do not actually need to. Just make sure it is a country that is unlikely to cooperate with your enemy

      You can use a pre-paid credit card and refill it by paying cash. Although you might be caught on surveillance video at the place you used cash to refill the pre-paid credit card.

    6. Re:Tails and remote storage by Anonymous Coward · · Score: 0

      Forget remote storage. You can't trust the network, since it's 100% tapped by GCHQ/NSA now. If MPs can't guarantee their discussions are secure, (which is surely GCHQ's real role before it became infested), then it's unlikely journalists will manage it.

      GCHQ has made it clear that MPs are not covered by the Wilson doctrine (no spying on politicians), and their feed to NSA and General Alexander's memo akin to "forget the 5 eyes agreement, keep any sensitive data on our partners if it's useful to us". Means you cannot trust the network transfer of the private data. It's one more attack vector to that data.

      The forced "give us the key" provision in UK law won't work well against journalists anyway. They backed down when they tried it on the Guardian newspaper over the Snowden leaks.

      It's not as clear cut to say "UK = police state", because it's in transition. Fewer privacy rights, a spy agency more loyal to foreign powers than the Parliament or law. Parliament repeatedly attacked to reduce its standing vs the security apparatus. Rinse and repeat.

      Who exactly fed MP Tom Watson that "pedo ring in Parliament" just before Theresa May pushed *yet*again* to try to legalize GCHQ mass surveillance with the Snoopers Charter against 'pedos'? Likely the same group, the claims when exposed were ludicrous yet little snippets were leaked to make it sound like a plausible investigation.

      You can see the pattern again and again. e.g. US wants to pass a "Cyber Security" bill which is really "mass surveillance" and handily at the same time the head of the CIA gets his AOL email hacked. If he'd been using the CIA email system then it wouldn't be justification for spying on non governmental email systems, hence his AOL account is used. Does anyone seriously think the head of the CIA logs in to AOL to do his business email? He wouldn't even be responsible for setting up the email account, that would be a Net Admin's job.

      http://edition.cnn.com/2015/10/27/politics/john-brennan-email-hack-outrage/index.html

    7. Re:Tails and remote storage by monkeyzoo · · Score: 1

      Correct; so you always power down before traveling. Problem solved.

    8. Re:Tails and remote storage by monkeyzoo · · Score: 1

      Mmm. I was talking about TrueCrypt (or now VeraCrypt) vanilla. I see you meant in a VM environment, so never mind. ;-)

    9. Re:Tails and remote storage by gweihir · · Score: 1

      Oh, and that large, encrypted VM image is not going to raise suspicion? On what planet do you live?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Tails and remote storage by twitnutttt · · Score: 1

      Suspicious?!?
      "Of course my hard disk is encrypted, officer. It contains my personal data and I don't want that ending up in the wrong hands if my laptop is lost or stolen."

  17. Re:How about this... by Anonymous Coward · · Score: 0

    I agree. Those damn blacks in the 60s should've just kept themselves out of white facilities like the police told them to do. How dare they fight against injustice.

  18. Re:How about this... by Teun · · Score: 1

    What do you mean, 'budding' fascism?

    Have you forgotten in the late 1930's the UK had the largest Nazi party outside of Germany?
    And its leader was a member of the royal family.

    Yes I know there is a small difference between Nazism and Fascism.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  19. Re:How about this... by Lunix+Nutcase · · Score: 0

    If I'm not a common criminal why should I put up with being treated like one? Not all of us love choking down authoritarian cock like yourself.

  20. If you're in Britain by physicsphairy · · Score: 2

    Don't store anything on the laptop. The fact they can legally compel you to provide the means of data access means you are in trouble in every case which they have possession of both you and your laptop. You can either do a really good job of hiding the data or you can keep it outside of where they can get it. How about a remote server a trusted person can deactivate if they hear about your situation?

    1. Re:If you're in Britain by hcs_$reboot · · Score: 1

      Additionally, work on your waterboarding endurance.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  21. Short answer by overshoot · · Score: 1

    Don't have a drive in it. Don't have bits that they can claim to find suspicious. No excuses, because even (or perhaps especially) if they don't find anything on your laptop they'll confiscate it anyway to have the boys back at the shop take it apart ten ways from Sunday.

    When you arrive, buy a new drive and load it up. How? Well, if you're visiting a field (or home) office, they'll have a disk image handy for you to use. If there are private bits that you haven't shipped over yet (SRSLY? They travel faster than you do, after all) then you can take them along. The border peeps aren't interested in doing cavity searches on everyone, after all, and short of shredding all of your clothing as well as the rubber-glove treatment they're not likely to find a micro-SD.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  22. Trickery. by Anonymous Coward · · Score: 0

    So for one, securing it won't do much, everyone loves to coerce passwords and harass the hell out of you. The best way is to hide the data in such a way a forensics utility won't catch things and it will take a significant amount of effort to find the data, and if they do, it's very difficult to determine who's culpable.

    1: Switch the label of the hdd with one of a similar model but lower capacity, then use a data hiding utility to store data in a hidden boot partition. A Sector scan might pick up on the data but only if it's not encrypted; if you encrypt it, then it's practically impossible to find as the data is indiscernible from junk (given you fill the drive up with data that you then delete). If memory serves the PCI-E Config register can't be overwritten and will store the true model number so you can spot this but then it's a "I thought the manufacturer made a mistake, honest!". Pretty easy to scan in the label, modify it, clean the surface, print out a new one on a zebra printer, use an exacto knife to cut around the sucker and stick it on there. If you buy one refurbished from a no-name vendor, even easier to give yourself plausible deniability.

    2: MicroSD and BootCDs. Load a Plain win7 install, make it look mundane. Have your disposable linux bootcd, boot that up, and use it to get to the internet and to view and edit pictures and footage to store on MicroSD. MicroSDs are so small you can sneak them through anywhere, they basically have to shred everything to find one. You can sew them into a patch of clothing, cut a slot in the bottom of a boot and fit it in, et cetera.

    3: Steganography. Lots and lots of utilities here to hide stuff in word documents.

    4: Save your encrypted data as a video file and upload it somewhere. Old trick for getting data out of a firewall; compress it as a video stream and reassemble on the remote side.

    5: Ship it internationally. Again, MicroSD.

    6: Have a friend taking a completely different unaffiliated trip sneak it through for you.

    1. Re:Trickery. by gweihir · · Score: 1

      1. (Most stupid proposal so far): That will fail by a simple look-up of the HDD serial number which the HDD reports via SMART command.
      2. Ever heard of x-rays? You know, like they use in airports?
      3. Lots and lots of forensic tools that can detect that.
      4. Uh huh. About as obvious as just ssh-ing to your remote server. Nothing gained at all.
      5. Again, x-rays.
      6. And have that friend go to jail as a "data mule" instead. Only good piece of advice in here. Utterly immoral though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Trickery. by overshoot · · Score: 1

      Yes, it's possible to find MicroSDs -- if you do a full-up fine-tooth-comb search. Which takes hours and pretty much destroys everything in its path. If you've really pissed off the Powers That Be, they might. Then again, they've probably done the same thing to your office, home, car, and anything else you've been near recently anyway so why start worrying at the airport?

      Otherwise, the major danger is that your brand-new Alienware machine looks like it would be better off in someone else's collection and the "confiscation for the sake of search" is just an excuse. Which is why you're better off without it (get another on arrival) or at least leaving the hard drive at home. The MicroSD chips aren't what they're after and finding the one in the heel of your shoe is more trouble than it's worth.

      --
      Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    3. Re:Trickery. by Anonymous Coward · · Score: 0

      Don't hide your SD cards in secret locations.

      Just encrypt them and put them in your wallet or put it into a legitimate pocket of your luggage. Nobody can jail you for having a SD in your wallet. Plus if the wallet/pocket is noisy enough with coins and cellphone chargers the x-ray screener won't give a damn.

      The card isn't hidden, it's just stowed. As of yet you don't have to declare every flash drive and SD card on your person and luggage.

  23. Invest in a 4G account by Teun · · Score: 1

    In the UK you can be forced to hand over keys so keeping anything, encrypted or not, on the laptop is a no-no.

    Get yourself a 4G account and mail the Veracrypt file to a safe country.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  24. Re:How about this... by Anonymous Coward · · Score: 0

    When you are not a common criminal but an uncommon criminal then you have additional problems. An uncommon criminal seeks to inform the public of the illegal and/or immoral actions of their government. The police are usually just doing their jobs and may not like the outcome of what they have to do but it almost never stops them. Much of the good advice on this thread involves not putting the police in an uncomfortable position. In almost all situations but this one cooperating with the police is a good idea.

  25. 1, 2, 3 by chill · · Score: 3, Interesting

    1. Use Linux for the simple reason you can separate partitions. Create a separate /home partition that mounts on an encrypted removable drive, like an Ironkey.

    2. Do all work on the removable drive.

    3. Never cross a border with both the laptop and the removable drive. Ship out courier the drive separately and carry the laptop.

    This way there is nothing on the laptop to be searched or seized.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:1, 2, 3 by Anonymous Coward · · Score: 0

      Can you trust couriers?

      http://thecourier.com/national-news/2015/02/17/did-nsa-plant-spyware-in-computers-shipped-abroad/

    2. Re:1, 2, 3 by Anonymous Coward · · Score: 0

      You can do all of that using Windows too, including a remote home folder.

      Linux trolls are some of the most annoying. They claim superiority out of ignorance. At least the Windows trolls know they're trolling.

    3. Re:1, 2, 3 by Anonymous Coward · · Score: 0

      What has point one got to do with anything? You can do that on any OS. It is also a really REALLY dumb idea as it just raises alarm bells when they are searching.

    4. Re:1, 2, 3 by Anonymous Coward · · Score: 0

      > Do all work on the removable drive.
      > ... Ship out courier the drive separately...

      Do not allow the removable drive to be your only copy. Mail tampering happens.

    5. Re:1, 2, 3 by Anonymous Coward · · Score: 0

      Going through customs with an Ironkey is like painting a big target on your back

  26. There are limits by FrozenGeek · · Score: 1

    to what you can actually do.

    You can hide files in a hidden container, you can encrypt files and give the key to someone in a different jurisdiction. But, in the end, if they have you and they have the computer, they will probably get what they want. We used to call it "rubber hose crypto".

    If you don't have to bring the data with you, don't. Put the encrypted data somewhere in the cloud and pull it down when you need it. Then purge it from your computer.

    SD cards are small and might pass if you are not subject to intense scrutiny. But if they are really looking at you, they will be found. If you don't have a lot of data, consider encrypting it and then use steganography to hide it in some of the files in your iPod.

    Assuming you do not keep data on the computer, what you need to do is install apps that will:

    • securely delete files
    • securely clear swap space

    Make sure to clear history, etc.

    The best way to store data securely is in your own head.

    --
    linquendum tondere
    1. Re:There are limits by Anonymous Coward · · Score: 0

      Piece of cake: just put everything on MicroSD and "keister it"(like Will Ferrell in "Get Hard")! :)

  27. Install Gentoo by fredgiblet · · Score: 1

    They won't be able to figure out how to make it work, so your data will be safe.

    1. Re:Install Gentoo by gweihir · · Score: 1

      They will just lock you up a few weeks until their Gentoo-expert finds the time.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  28. Re: How about this... by Anonymous Coward · · Score: 1

    Heh heh. You said what if.

  29. Remember the rubber hose attack by jonbryce · · Score: 1

    The Regulation of Investigatory Powers Act allows them to compel you to hand over any passwords or encryption keys needed to access the data.

  30. Real advice that would piss off 3 letters.... by Anonymous Coward · · Score: 1

    You want to run gentoo hardened. Separate partition for /boot and use full disk encryption with cryptsetup. I'd recommend paranoid high iteration count and using serpent over the official AES. Think of a nice long sentence or two and type it out without using the space bar, then toss a real password at the end of around 10 characters minimum. Do not use USB thumb drives for the key, memorize it as I said above.

    Use non-standard use flags and do not use any -O optimization level and opt for safer-but-slower code. Do not use hardware acceleration hooks for encryption, prefer slower software generation (less backdoors/issues from biased hardware). Do not run or use any remote admin tools such as SSH, or if you do generate 16384 bit diffie-hellman moduli on two different machines and use only the ones common in both outputted moduli as your real DH pairs in /etc/ssh/moduli.

    Keep the system partition with disk encryption, separate from your small-as-possible directory where you keep the sensitive news items. Known plaintext attacks can assist breaking the encryption behind the system-partition since there's files that *must* contain certain content inside /etc and such. You want your documents to use a separate encrypted mountpoint and never copy any known things there and only put things you write inside that partition uncompressed (again known plaintext).

    With the Gentoo hardened GRSec kernel, you will want to use the option to disable any USB devices added after boot as to prevent NSA USB Fobs from being inserted to do DMA-memory attacks. You will never use wireless, always opting for a physical cable. You will never use firewire/thunderbolt/sound and they should be missing from the machine or disabled. Remove the microphone from the system, keep the webcam and tape over it (later you can use it to shed encryption keys from memory upon seeing a fast moving blob approaching when agents raid).

    You will never leave the machine out of your sight booted up with the encryption keys in memory. Upon leaving the machine, you should spray a light bit of silly-string over it and take a photo of the unique strands. When you come back compare it and if you spot any differences the machine was accessed while you were away.

    Wrap the machine in RF shielding and when doing encryption, run other encryption of the same type in a loop before starting the real encryption to prevent side channel attacks against the Chinese Remainder Theorem (youtube this for a demo of snatching RSA keys over RF leaks).

    Never type your password with a cellphone within hearing range or else the keys will be heard and deciphered that way. Put the cell phone in a box like the oven or microwave then go back and type your passwords. Once the setup is complete with the machine, you will never update it and do not use it to get online once setup. Go back to using CDROMs as the input medium and mount it readonly,noexec with the system encryption key unlocked but not the private directory. Reboot after using the CDROM and *then* unlock the private directory and move the files from the system directory over. This way any memory loading/stealing by a hijacked CDROM device won't be resident or have the ability to snag that coveted secret key.

    I'd keep going, but I'm afraid I've already said too much...

  31. Micro SD Chip. by Anonymous Coward · · Score: 0

    Encrypt and swallow.

    Securely erase laptop before returning to the country.

    Present Trojan Horse Micro SD as your Data.

    1. Re:Micro SD Chip. by Anonymous Coward · · Score: 0

      Why swallow it? micro sd are SO small, you could literally hide it in your hair up against your scalp. little gel to make sure the hair doesn't move. As long as they don't arrest you and shower you down shawshank style, you're good to go.

  32. Re:How about this... by gweihir · · Score: 1

    If you do not, then you are a "troublemaker" and will be treated just the same as a criminal. The police state is violently opposed to any and all resistance and the law does only support them, not you anymore.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  33. Store SOME work data in the laptop by Anonymous Coward · · Score: 0

    Put non-sensitive and fake-cover-story and other data you want them to see on the laptop.

    For everything sensitive, see other suggestions above.

    If possible, study memorization techniques and memorize what you can.

    1. Re:Store SOME work data in the laptop by overshoot · · Score: 1

      Everyone should have at least a few files that are encrypted random bits. Big ones. Just to make sure that the snoops suffer for being dicks.

      --
      Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    2. Re:Store SOME work data in the laptop by Anonymous Coward · · Score: 0

      > Everyone should have at least a few files that are encrypted random bits. Big ones. Just to make sure that the snoops suffer for being dicks.

      Well, imagine that you are in a country where they can compel you to reveal keys. I could easily see them not being satisfied with any key provided if the real data was random bytes.

      The best I can see is for everything everywhere that can possibly be encrypted to be encrypted. That way agencies have to at least target their resources to actual criminals. Sure secure methods of keeping files remote and such can be thought up, but if a 3 letter agency found a journalist using those kind of methods, well, they may very well devote more resources to investigate him and I'm not sure a good journalist can be very effective if his entire life is continually under a microscope. Of course if everyone used that level of security then it would be another matter.

    3. Re:Store SOME work data in the laptop by Zero__Kelvin · · Score: 1

      "If possible, study memorization techniques and memorize what you can."

      ... if it is not possible for you to memorize what you can, you may suddenly have entered an alternate dimension.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:Store SOME work data in the laptop by Chrontius · · Score: 1

      Or, more likely, you're discovering that you bit off more than you can chew, and you're hoping the IRS doesn't want to see last year's tax records again.

  34. Not possible by Anonymous Coward · · Score: 0

    Most modern OSes (Windows, Android, Chrome, iOS, etc.) have all been specifically designed from the ground up to "leak" personal information and spy on the user. I have read articles that no matter what steps you take, you can only disable about 80% of Windows 10's spyware.

    With that said, if the enemy has physical possession of the hardware there is very little that can be done. US police routinely torture people to get confessions and other information out of them, the UK have laws that will imprison you indefinitely until you divulge the passphrase, and most other countries' police are even more barbaric.

    All government spooks have backdoors into most modern ciphers via the NSA's contamination of the dual-elliptical curve libraries. They also have the computing power to brute force many of the older ciphers.

  35. Re:Sigh by Anonymous Coward · · Score: 1

    If the journalist has a home computer, suppose it was left on, with plenty of UPS protection, while the journalist was out of the country, with laptop? Then, shortly before travelling back to the home country, the journalist uses the laptop with Tor or some other secure protocol to upload/transfer critical data to the other computer. The laptop can then be TOTALLY erased --we know programs exist to do a thorough job of it-- such that a fundamental reinstall of all software would be needed, before it can get used again. The erased laptop is, of course, what would be handed over to customs ghouls.

  36. Step by step instructions by spiritplumber · · Score: 5, Interesting

    1) Make one of these: https://hackaday.com/2015/10/1...

    2) Hand everything over. Warn the bad guys that if they try to use your USB stick, it'll fry their computer.

    3) When they fry their computer, ask if they have learned their lesson about taking you on your word.

    4) Be cooperative. You already won the battle of wits, be a gracious winner.

    5) Your data was on your obscure self-hosted webserver elsewhere in the first place.

    --
    Liberty - Security - Laziness - Pick any two.
    1. Re: Step by step instructions by Anonymous Coward · · Score: 0

      Too bad that after step 3 you will now be a "saboteur" and they will execute you.

    2. Re: Step by step instructions by Anonymous Coward · · Score: 0

      Nah, they'll just torture you without charge for 15-20 years, then release you to a random country to commit suicide secondary to PTSD.

    3. Re:Step by step instructions by tommeke100 · · Score: 1

      Although all these things sound cool, that's a sure way to not get into the country and be charged with whatever they come up with ( destruction of government property, assault - 'cause if that can fry a computer ... , espionage, terrorism, ... ).
      If you're on some list you basically already lost. You can play dumb if it's a random check, you boot up to some family pics and some pr0n in the browser history. But if you're a journalist suspected of having some shady contacts and information, you are the weak spot, not your laptop. Because they may not get the info out of the laptop, but they sure can get it out of you. And these guys have training and years of experience in interrogations, whereas it may be the first time the journalist or other is being questioned. They also have all the time in the world, while you may have some planes to catch.

    4. Re:Step by step instructions by bloodhawk · · Score: 1

      The fact you think there can be a step 4 where you are the winner in this scenario is delusional at best. Only a few possible scenarios will happen here and NONE of them involve you winning.

      Best case, you will be refused entry to the country, have what is the equivalent of a criminal record for travel terms where you now have to declare that refusal of entry and be royally fucked for the next decade where most countries will refuse you a travel visa.

      More likely, they believe you, check the device (believe it or not they do take threats of damage extremely seriously) and you are charged for carrying a device with the sole purpose of causing damage. Worst case they don't believe you and you are charged with all of the above, plus damage, plus whatever else they can come up with. Either way you are likely to spend a period of time in a nice comfy jail.
      Seriously, the ONLY way to avoid exposing data is to not take it with you or any means to access it with it; in today's world that isn't even hard to do. Your dumb idea ranks up there with others' suggestions of encrypted drives (also a huge no-no as you are then in a situation of being potentially forced to decrypt or be in breach of other laws).

    5. Re:Step by step instructions by Anonymous Coward · · Score: 0

      6) Remember to smile when you reconstruct all the data with broken kneecaps.

    6. Re:Step by step instructions by Anonymous Coward · · Score: 0

      > 3) When they fry their computer, ask if they have learned their lesson about taking you on your word.

      The fact that thugs are confiscating your storage devices, reveals what value they place on your reputation and your word. Starting a pissing contest because of it won't help anybody, least of all, you.

      Bragging you were carrying a(n) (electrical) weapon, won't end well for you: Them shooting themselves in the foot will be conveniently forgotten because you interfered in their investigation. Plus, you don't have a right to due process which leads your delusion of self-importance to a prison cell.

      Say only it doesn't work, so there's no point taking it. (I'm assuming the charge cycle triggers device un-mounting.) When they fry their computer, claim it (obviously) never happened to you. Optionally, blame it on the last thug to perv on your storage devices.

      TL;DR: If you're truly smarter than thugs with guns, you'll keep your mouth shut.

    7. Re:Step by step instructions by Anonymous Coward · · Score: 0

      What good is your data when you are in Gitmo in an orange jump suit forever?

    8. Re:Step by step instructions by Anonymous Coward · · Score: 0

      > More likely, they believe you, check the device (believe it or not they do take threats of damage extremely seriously) and you are charged for carrying a device with the sole purpose of causing damage.

      Something about the right to "bear arms?" Yes, it is a destructive device. It is aimed at pickpockets who nick such things. And you said that before they tried, anyway. "A little prison time" should not scare a journalist.

      Sometimes, you have to take the data with you. There may be no internet, or it may be seriously compromised or too slow for uploading video/photos.

      So you may have to bring your data through customs yourself. So combine every technique:
      The laptop is full of boring press stuff and perhaps some porn. Gives them something to work on. Your real stuff is on a microSD hidden inside a usb memory that has more "boring press stuff" that is a bit newer, and some porn that is a bit more interesting. The microSD won't look suspicious on an xray, but if they find it anyway: it seems to merely have some mildly offensive notes about "people on the streets dislike the great leader. Nobody wants to state their name..." Adapt this for whatever oppressive government they have. The real stuff is of course hidden, first by encryption and then steganography - stuffed into the least significant bits of some "more interesting porn", stored on a separate (deleted) partition using an obscure filesystem.

      Yes, you can have extra partitions on a microSD - nobody does it because windows & cameraphones ignore it. Especially if the extra partition is deleted and only looks like a little extra space anyway. You restore the partition table before using. If they use windows, they see nothing at all. If they scan the "free space" thoroughly, they merely find the hidden porn. Make it something embarrassing that seems more worth hiding than the regular porn, so they understand why you hid it so well. If the unlikely happens and they actually find it.

      Most will just copy the regular porn and perhaps waste time on it, lowering the chance of finding anything else. Perhaps they also bother with deleting and/or archiving the "mild government criticism" that seems to be your secret journalistic stuff. Also, some of these people think they have done their job well as soon as they have caused you "some trouble". So your luggage should also contain some nice stealable stuff - such as booze and some cash.

  37. NBD Raid striping across cloud and local drive by Anonymous Coward · · Score: 0

    It's the only way to be sure

  38. Network Block Device - Cloud RAID by Anonymous Coward · · Score: 0

    Use a Cloud RAID or USB stick as part of a RAID striping procedure to distribute part of a disk volume both on and off the laptop.

    That way to reassemble the pieces you have to have all of the components.

    A password or decryption key is sort of the same idea.. except it torpedoes assurances that all of the bits cannot be rearranged to be read.

    You can't read what isn't physically on the laptop in total; if it's striped and then encrypted, it will practically be airgapped

  39. You may be compelled to decrypt it anyway by gotribal · · Score: 4, Interesting

    Back when I was at Kazaa many years ago, I kept all my files in a BestCrypt-encrypted drive, and all sensitive emails were PGP-encrypted. I was feeling pleased - if anyone got hold of my computer, there was nothing to see. But then one day our office was raided in a search discovery order, and all that time spent encrypting things came to naught, if I refused to hand over anything it would have been contempt of court. And so I printed out thousands of emails in one long continuous unformatted strip... that was about as far as I could go. I did consider that I could have gone one step further and used BestCrypt's feature that lets you create an encrypted drive that's actually two partitions - give out one key and all you see is nice set of clean files, plus a whole lot of random bytes. It's something to consider, but you're living dangerously if it's a court order. BTW, there's discussion here about keeping data in the cloud - another tempting option. Broadly the law can compel you to hand over any data "In your control or possession", where possession is defined as including the means to retrieve remote data. So there would need to be zero knowledge of having that remote data at all. Just sayin'

    1. Re:You may be compelled to decrypt it anyway by Anonymous Coward · · Score: 0

      Civil litigation may be different from criminal in this case.

      Courts are split on the password issue, over fifth amendment issues. While that may only affect criminal cases, an argument might be made even in civil cases (or criminal cases targeted at someone else) for the possibility of criminal action later.

      But as always, if you want to consider that option, you'd be best served lawyering up first.

    2. Re:You may be compelled to decrypt it anyway by Anonymous Coward · · Score: 0

      There's another option: Have a retention policy and delete the things you don't need. Did you really need to keep all of those emails? You may have, but I think that many of us have a tendency to keep too many things around on our computers either out of laziness or the idea that we might need it in the future when we really won't.

    3. Re:You may be compelled to decrypt it anyway by Anonymous Coward · · Score: 0

      "Broadly the law can compel you to hand over any data "In your control or possession""

        - So a multisig key where it takes two to decrypt the data?

  40. Store nothing by folderol · · Score: 2

    The parent organisation should maintain a networked data store that all its reporters have a write only password for.
    Data is then sent via ssl. No other encryption software of any kind on the laptop.
    Absolute minimum of services and a tiny hard drive, with no swap file/partition.
    Reporters should only use a plain, single view, text editor that doesn't store parts of a working document to file, and can be made to direct send the data without ever touching the hard drive.

  41. Two Man Control by tengu1sd · · Score: 2

    And for the politically correct, social justice warriors, etc. ... man in the sense of person

    You carry a laptop, you carry a live boot USB stick/CD, You carry encrypted media, possibly the same as a boot USB. Your counterpart, possibly in another country, carries the decryption key. You carry his decryption key. Never cross an international border together.

    1. Re:Two Man Control by Anonymous Coward · · Score: 0

      And in several countries you would go straight to jail for not providing the decryption key, just saying.
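The "takes two to decrypt" question under comment 39 and the Two Man Control comment both describe a key that no single person holds. The following is an added example, not code from any poster: Shamir k-of-n secret sharing of an encryption key, which generalizes the two-person case. The field prime, the 8-byte integrity tag and all function names are choices made for this illustration.

```python
"""k-of-n Shamir secret sharing for an encryption key (added example)."""
import hashlib
import hmac
import secrets

PRIME = 2**521 - 1   # Mersenne prime; the field holds payloads up to 65 bytes
TAG_LEN = 8          # truncated SHA-256 tag used to detect a bad reconstruction
MAX_KEY = 56         # 1 marker byte + 56 key bytes + 8 tag bytes = 65 bytes


def _encode(key: bytes) -> int:
    # The 0x01 marker keeps leading zero bytes of the key through the int round trip.
    tag = hashlib.sha256(key).digest()[:TAG_LEN]
    return int.from_bytes(b"\x01" + key + tag, "big")


def split_key(key: bytes, k: int, n: int) -> list:
    """Return n shares (x, y); any k of them recover `key`, fewer reveal nothing."""
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    if not 1 <= len(key) <= MAX_KEY:
        raise ValueError("key must be 1..56 bytes")
    # Random polynomial of degree k-1 whose constant term is the encoded key.
    coeffs = [_encode(key)] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner's rule, mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def combine_shares(shares: list) -> bytes:
    """Lagrange-interpolate at x = 0; raise ValueError if the result is not a key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    if len(raw) < 2 + TAG_LEN or raw[0] != 1:
        raise ValueError("not enough (or wrong) shares")
    key, tag = raw[1:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hashlib.sha256(key).digest()[:TAG_LEN]):
        raise ValueError("not enough (or wrong) shares")
    return key


def demo() -> dict:
    key = bytes(range(32))                  # constructed 256-bit key, not a real one
    shares = split_key(key, k=2, n=3)       # three holders, any two suffice
    result = {"any_two": combine_shares([shares[0], shares[2]]) == key}
    try:
        combine_shares(shares[:1])          # a single holder tries alone
        result["one_alone"] = True
    except ValueError:
        result["one_alone"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

Splitting the key changes who can technically decrypt; it does not change what a court can order each holder to do, which is the point the replies above make.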

  42. These suggestions all suck, IMHO. by Type44Q · · Score: 1

    Personally, I'd perform a persistent install [of the distro of your choice] to a bootable MicroSD card. You can not only boot it up on virtually any PC, there are myriad ways you can throw them off or just plain fuck with them. Hell, really mess with their heads and lug around a laptop with Win9x on it (you don't even need all the drivers; present 'em with one huge fucking list of yellow exclamation marks in Device Manager!).

    The bootable MicroSD card you can hide almost anywhere (up your nose, in a slit cut in the sole of your shoe, etc etc).

  43. Stupid question by Anonymous Coward · · Score: 0

    1) Use a Chromebook burner running Chrubuntu
    2) Setup an OpenVPN server on your home LAN
    3) Setup a Virtual Machine on home computer with TrueCrypt encrypted virtual hard disk (TrueCrypt will handle all of the plausible deniability/FDE stuff)
    4) Use X11 forwarding to run the virtual machine on your laptop through the VPN tunnel. Only rendering is handled locally with no persistence for forensics.

    If you want to get extra fancy, do some sort of "partial hangout" with an encrypted SD card running Chrubuntu and then setup a second duress VPN to a Raspberry Pi porn server with lots of Gay porn/Big Tits/Anime Tentacles/etc.

    If you don't save the OpenVPN connection information between boots then there is no way for them to use a rubber hose to get your VPN/home workstation password.

    That's why this is a stupid question: all of this is hard work and the questioner clearly has no idea what they're doing and doesn't want to do the work to figure it out themselves. If they can't be bothered to do their own research, they certainly aren't going to do the work to secure their shit against APT attackers(IE. Corporation Backed LEO).

    Can I instead recommend a flashdrive with teamviewer portable on it as an 80% solution?

    1. Re:Stupid question by Anonymous Coward · · Score: 0

      While having your sensitive data decrypted on a system you should in no way or form be connected to a network.

  44. Live CD OS and cloud storage by Anonymous Coward · · Score: 0

    Use a live CD OS (knoppix or similar) for security critical work, and store all data in the cloud or in storage that you arrange through a hosting provider. The non-secure data is present and nothing seems off.

    There is no data or signs of data stored on the drive. There is no data on your person/in your luggage on thumb drives. There is no browser history to lead to the data.

  45. Re: Sigh by Anonymous Coward · · Score: 0

    Or just toss the $50 drive in the trash after a basic erase. Plug in a new one before the trip home.

  46. easy by Anne+Thwacks · · Score: 1

    Zip the relevant files, and then change the extension to .odt. When people can't read them, they will blame Microsoft! (Or use bzip, or compress or even IBM Squoze)

    --
    Sent from my ASR33 using ASCII
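Why renaming an archive to .odt does not change what a content-based scan sees, as an added example that is not from the poster: it types files by their leading bytes and checks the OpenDocument rule that a real .odt is a zip whose first entry is an uncompressed `mimetype` file. The sample files are constructed in memory and the function names are hypothetical.

```python
"""Typing files by content instead of by extension (added example)."""
import bz2
import io
import zipfile

ODT_MIME = b"application/vnd.oasis.opendocument.text"

# Leading magic bytes of the formats named in the comment, plus gzip.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"BZh", "bzip2"),
    (b"\x1f\x9d", "compress"),
    (b"\x1f\x8b", "gzip"),
]


def sniff(data: bytes) -> str:
    """Name the container format from the first bytes of the file."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def is_odf_text(data: bytes) -> bool:
    """True only for a zip whose first entry is a stored `mimetype` with the ODT type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()          # central-directory order
            if not entries:
                return False
            first = entries[0]
            return (first.filename == "mimetype"
                    and first.compress_type == zipfile.ZIP_STORED
                    and zf.read(first) == ODT_MIME)
    except zipfile.BadZipFile:
        return False


def triage(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes are."""
    kind = sniff(data)
    if not name.lower().endswith(".odt"):
        return kind
    if is_odf_text(data):
        return "odt"
    return f"MISMATCH: named .odt, content is {kind}"


def _zip(entries) -> bytes:
    """Build a zip in memory from (name, body, compression method) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for arcname, body, method in entries:
            zf.writestr(arcname, body, compress_type=method)
    return buf.getvalue()


def constructed_samples() -> dict:
    """Three in-memory files, all carrying an .odt name (constructed for the demo)."""
    text = b"meeting notes " * 50
    return {
        "genuine.odt": _zip([
            ("mimetype", ODT_MIME, zipfile.ZIP_STORED),
            ("content.xml", b"<office:document-content/>", zipfile.ZIP_DEFLATED),
        ]),
        "renamed_zip.odt": _zip([("notes.txt", text, zipfile.ZIP_DEFLATED)]),
        "renamed_bz2.odt": bz2.compress(text),
    }


if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        print(f"{fname:16} {triage(fname, blob)}")
```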
  47. What about truecrypt? by Anonymous Coward · · Score: 0

    What, no one uses truecrypt anymore? Just run an older os that truecrypt supports. Government shut down truecrypt because they hated it, so that should be a good recommendation. You can still find copies banging around out there.

  48. Guns Are Safe by Anonymous Coward · · Score: 0

    Store the data in an encrypted micro SD hidden within your firearm. You know, that flare gun you store with your cameras so you can lock them with locks not pickable by the TSA. And if someone steals the luggage, you get instant attention when you tell security someone stole your gun.

    However, the best way is not having any information that matters if someone found it. Don't be stupid enough to write down contact details or locations. Memorize them. Don't travel with anything explicit. Do you really need to masturbate that much to risk your life? Your company should already have guidelines and practices in place for transferring sensitive materials, or are you just claiming to be a journalist because you have a blog?

  49. I have an idea by Anonymous Coward · · Score: 0

    Encrypt the hard drive, store the key on a USB drive.
    Mail the drive out of the country. Separately mail the USB drive somewhere else.

    Take the laptop with no hard drive through customs.

    If you're asked where the hard drive is, tell the truth. You've already sent it to your destination and you're a journalist.

    Anything they want is already out of the country before you were asked about it, so no crime has been committed.

    If customs open either package, they can't do anything without both of them.

  50. Security in a box by belmolis · · Score: 1

    These folks provide advice for human rights activists who want to stay safe and protect their sources from nasty governments: Security in a Box.

  51. micro sd by luther349 · · Score: 1

    Run a persistent Linux distro like Puppy on a micro SD, as the entire OS is stored in RAM. Save your data to the SD card; they can be easily hidden or destroyed. Now the fun part: encrypt your entire hard disk with Windows on it to make them think you're hiding something, then make them waste their time getting a court order to hand over the key just to find nothing.

  52. Camera and SD card by scollard · · Score: 1

    Buy a camera that uses dual SD cards, like a Nikon D7000, and keep the card in the camera when moving through security. Store your computer data on one of the SD cards in an encrypted hidden file. Make sure you take lots of pictures and have the camera set to use the cards in mirror mode. No security people will image a camera card. At best they look at all the pictures using the camera. If they do image the card, highly unlikely, all they can find is a hidden encrypted file that you just deny any knowledge of.

    1. Re:Camera and SD card by Fnord666 · · Score: 1

      No security people will image a camera card. At best they look at all the pictures using the camera.

      If you are an average person then maybe. If you are a "person of interest" then they will image anything you have that they find. Relying on something this arbitrary seems like a really bad idea.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  53. In the UK, you are SOL by Anonymous Coward · · Score: 0

    In the UK, there is no bill of rights, and your protections as an individual are much weaker.

    Protection from self incrimination does not exist universally, and for a range of offenses you are legally required to answer, even if it is self incriminating (and can be jailed for contempt of court for not answering).

    You can be compelled, at pain of imprisonment to unlock/decrypt anything at the border.

    So...

    That means you should not have the data or the keys to the data with you when you cross the border.

    Best interim solution:

    iPad with TouchID and a complex passcode, and set the self-wipe to 3 incorrect attempts. Turn it off prior to entering the controlled area.

    If you get searched, boot it and fumble the password.

  54. Make it clear you store nothing by Anonymous Coward · · Score: 0

    If there is even the hint you are doing something funny, in many countries that means jail time until you give them what they want. Good luck convincing them it's not there, or you don't have the key.

    Make the computer a simple 'terminal': "I'm sorry, there is no data on here at all, but you are welcome to keep my machine to look as much as you like". "It's company policy not to store data, it wasn't my idea"

  55. Remote LUKS header by Anonymous Coward · · Score: 0

    Can't you just encrypt a drive using LUKS and use a remote LUKS header?

    Someone could then destroy the header if they don't hear from you, or you could set it to auto-destruct if you don't log in to some service ... (not sure if there would be a convenient way to do this)

    This way not even you would be able to decrypt your files.

    But a question, would you still get arrested?

  56. VPN + RDP by EmagGeek · · Score: 1

    Easy. Don't do anything - and I mean ANYTHING - locally on your laptop. Use it as a glorified VPN and Remote Desktop/VNC Client to a PC safely behind your employer's firewall, or at a hosting provider that is in a country with good privacy protections.

  57. Full Disk Encryption by SwashbucklingCowboy · · Score: 1

    With a really long passphrase with weird characters. They'll spend the rest of their natural lives waiting for it to be cracked.

    1. Re: Full Disk Encryption by Anonymous Coward · · Score: 0

      No, they'll order you to reveal the password (after imaging the drive, so you can't try any stupid tricks that only work in movies) and if you refuse, you'll end up in jail. You can't win.

  58. Suicidal. by westlake · · Score: 1

    Survival 101.

    Pissing off the border guard.

    How the story ends if you "Ask Slashdot."

    2) Hand everything over. Warn the bad guys that if they try to use your USB stick, it'll fry their computer.
    3) When they fry their computer, ask if they have learned their lesson about taking you on your word.
    4) Be cooperative. You already won the battle of wits, be a gracious winner.

    How the story ends in the cinematic world.

    [Anonymous basement interrogation room]

    Wake up! I need you to be focused!
    You either give me what I need or this switch will stay on until they turn the power off for lack of payment on the bill.

    Which do you think cuts closer to the truth?

  59. Clear Out Files You Do Not Want Exposed by DERoss · · Score: 1

    1. Backup the data files to a single backup file.

    2. Encrypt the backup file using an OpenPGP application (e.g., PGP, Gnu Privacy Guard). Software should not have sensitive data so it does not need to be encrypted.

    3. Upload the encrypted backup file to a cloud service whose servers are in a nation that will not respond to a police warrant from the nation whose police worry you.

    4. Use a strong eraser application to erase the original files, the backup file, and the encrypted backup file on the laptop.

  60. Let's do the math! by Anonymous Coward · · Score: 1

    Project Gutenberg has 50,000 books. Each book has 100,000 words.
    Each word can be the starting point for 5 keys (5 to 10 words long).
    That's 25,000,000,000 keys. Roughly a 34 bit keyspace. Not really
    all that great, IF they know that's the algorithm you used to choose
    the key. If you drop the e's and they don't know, then their brute
    force attack won't work.

    1. Re:Let's do the math! by AK+Marc · · Score: 1

      Then pick a book that isn't English. "Whan that Aprill, with his shoures soote The droghte of March hath perced to the roote" or one that wouldn't be there if they did a Gutenberg match. When it's an all books ever written (like a translation of an Agatha Christie into Spanish I have laying around, or a variety of text books that weren't popular), then it'd be nearly impossible for someone to match it.

      Or the words on a Magic The Gathering card.

      The entropy is much higher than you'd think. They'd have to know specifically what you used to have a chance, and at that point, they'd essentially have your key anyway. It might be harder to find the edition. But then, http://www.amazon.com/Fundamen... so you can get the e-book whenever wherever you want. Bought, but not on your laptop, read online only, and that's a book with versions, so when they get into searching every textbook ever printed, in all editions (including teacher editions), the entropy increases greatly.

      Get creative. Get weird. Because they'll not know exactly how you got your key, the keyspace is effectively infinite, even if the keyspace is only 34 bit, if they have your generation algorithm.

    2. Re:Let's do the math! by Anonymous Coward · · Score: 0

      an Agatha Christie into Spanish I have laying around

      Bad choice as well, because you have far fewer books than Project Gutenberg. There are at most a few dozen million words in the books on your bookshelf. Five to ten consecutive words from those books is a very small key space.

      the keyspace is effectively infinite, even if the keyspace is only 34 bit

      Uuh, yeah, no. 34 bit is not infinite, and they need no further clue to narrow it down: That's small enough to brute force in no time.

    3. Re:Let's do the math! by AK+Marc · · Score: 1

      But the keyspace isn't limited to my bookshelf, but to all books ever printed in all editions, as I could get any one of those tomorrow for my key. It's an infinite keyspace, with a limited lookup table.

  61. Guilt. by jondeanmack · · Score: 0

    Oh come on people (including the police), please stop making out that you've got something on a laptop that belongs to you.

  62. Run "confidential" stuff from a ramdrive by Anonymous Coward · · Score: 0

    See subject: NOT an SSD, but a software ramdisk - that is, If you want things disposed of as well as possible as in "poof it's gone", that's as good as you get instantly @ powerdown - & the b.s. about being able to retrieve data from system RAM once it's powered out is about as reliable as harddisk data recovery services.

    * Anyone else want to 'chime in' & correct me, FEEL FREE to do so - I may learn something.

    (That's as good as I can suggest - but, the data should be mirrored IF you require saves... that's a weak point in & of itself, much like power being continuous is, but that's the breaks + rules of physics...)

    APK

    P.S.=> Fucking shame that those that help keep society in check (and yes, conversely ruin it as tools of the "powers that be" for things like character assassination etc. - most of those 'powers that be' are FUBAR'd to hell - my evidence/proof thereof? Hey - Look hard @ the results they're producing out there now today especially & their underlying motivations (most importantly), is all I have to say to that & to any 'naysayers' paid off trolls/shills who don't like it) have to do this, but, there ya go... apk

  63. Re: How about this... by slasher999 · · Score: 1

    I believe you are missing my point here as it appears others may have as well since I've been modded as a troll and someone else posted the "don't talk to police" thing. There is a difference between being polite and cooperative - good things - and volunteering information expecting the police to simply send you on your way, which can happen but is highly unlikely. I'm advocating the former. As in most aspects of life 'polite and cooperative' is generally the best policy, at least at the beginning of any conversation with authority.

  64. NOT this one... apk by Anonymous Coward · · Score: 0

    http://yro.slashdot.org/commen...

    * :)

    APK

    P.S.=> Sound off on it if you wish - but I ask that you do it there, not here (thanks)... apk

  65. Chromebook - two accounts - powerwash by sl149q · · Score: 1

    If you have a Chromebook, have a separate gmail account that looks active (subscribe to some innocuous mailing lists.)

    Prior to border simply powerwash the Chromebook and login with the clean account. Nothing to see here officer. The password is 1234.

    After you get home, login with your normal account.

  66. Re: How about this... by slasher999 · · Score: 1

    Confronting the police by breaking laws in order to protest the laws is, at least in the US, a pointless excercise as the policy neither make the laws nor do they judge whether the laws are fair or even legal. The job of the police is to simple enforce laws that have been made. That is as true today as it was 50 years ago.

  67. Re: How about this... by slasher999 · · Score: 1

    Boy I should have proof read that before posting. Several misspellings, but I believe you can get my point.

  68. Don't you can be detained, use remote connections by RichMan · · Score: 1

    Many countries in the world require the ability to search computers brought across the border. You can be detained if you fail to provide access such as passwords.
    Do not take precious data with you. Leave the data safely at home and connect securely.
    Use secure cloud storage or even secure storage back at home base and connect using a secure VPN.

  69. step 1: encrypt, step 2: turn it off by Anonymous Coward · · Score: 0

    Confused... is disk encryption not cool?

    1. Re: step 1: encrypt, step 2: turn it off by Anonymous Coward · · Score: 0

      or... just use Tor, and don't write to your disk, don't leave stuff in memory (should be ok if you just turn it off.. but there have been researchers that have been able to read the last written stuff... so I'm guessing there is a program out there that will write garbage to memory.. if you're paranoid) re-image if they touch it, just in case they leave a present.

  70. easy by Anonymous Coward · · Score: 1

    Get some clunker laptop and pull the hard drive out of it. Build a bootable Linux CD/DVD with TeamViewer on it. Don't save any passwords, IDs, etc. to it. When you're in the field, fire up TeamViewer to a machine that is safely at home. Work. When done, power the machine down. Toss the DVD before going to the airport, or keep it if you like to live dangerously. Cops snatch the laptop, it has no hard drive, they will have 20 questions for you, and they will ask them in a way that usually involves bright white lights, waterboarding, etc. but they will not have your data.

  71. Is Slashdot the howto for evading law enforcement by Anonymous Coward · · Score: 0

    Are the answers to this question any different than if the question was "How do I keep the police from finding my child pornography and videos of the women I've murdered and eaten?"

  72. Re: How about this... by Anonymous Coward · · Score: 0

    It's not entirely pointless. In the US, courts have this sorry attitude that you have to have been 'harmed' by a law in order to challenge it. In many cases, that means actually being arrested.

    So Congress passes a blatantly unconstitutional law like they always do. Let's say it makes something you like to do illegal. So you stop doing it, or you hide that you do it, or whatever. To me and most thinking people, you've been harmed by the law. But the courts won't hear your case until you get arrested for whatever it is.

    The US needs something like France has, where there's a court to throw out unconstitutional laws before they get used. Either that or our judges need to get their heads out of their asses and realize how the world works for real.

  73. Re: How about this... by arth1 · · Score: 1

    As in most aspects of life 'polite and cooperative' is generally the best policy, at least at the beginning of any conversation with authority.

    Polite and cooperative does not include volunteering anything. Law enforcement employees are not your friends, and will use anything you give them against you in any way they can.
    So, yes, cooperate, and be polite, but don't think for a minute that they'll reward you in a positive way for anything you volunteer.

    Be especially wary about promises of immunity for testifying as a witness. Unless it's a full immunity in perpetuity (which is rarely given), they can demand that you incriminate yourself and waive your fifth because you have "immunity". Then they turn around and gather evidence for a crime they knew nothing about before, and nail you. They can't use your testimony against you, but they can and will use it as a basis for discovering other evidence.
    So don't volunteer anything if you have anything to hide. Not even anything unrelated to what you have to hide.

    And quite frankly, who can say with certainty that they have never broken a law - wittingly or unwittingly? In the eye of the cops, prosecutors and judges, everybody is guilty of something. And they are probably right.

  74. How about transporting data in a diplomatic pouch by Streetlight · · Score: 1

    Put your encrypted computer or data store in a diplomatic bag for transport across borders. This may require having diplomat friends at both ends of the chain. Then again, friendly countries may be glad to help if they suspect you might embarrass an enemy.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  75. Re:How about transporting data in a diplomatic pou by AHuxley · · Score: 1

    Even that's getting tricky. In the old days that was a perfect method. But with diplomatic protection now being confused with local embassy staff any convention on is getting weak. A person can claim to be, show id, seek protections but might have already been searched and had data cloned.
    Later nice comments about "intake procedures" "arrest" and "appropriate procedures" will be released to the press ie the full diplomatic immunity part vs consular immunity was not found until well after the search ;)

    --
    Domestic spying is now "Benign Information Gathering"
  76. BBC by Anonymous Coward · · Score: 0

    "In the light of the British police's seizure of a BBC laptop what is the right configuration and practices to ensure that such a seizure provides zero information to the cops?"

    BBC should have a BBC-owned drop server, sinkhole only, where their reporters can write/drop data but never read from. User-GUID based access for in-house people, anonymous for whistle-blowers.

    BBC reporters should use diskless laptops, booting from a BBC made CD, with a BBC personalized OS. This way, the corporation entirely controls the dataflow.

    This way of functioning guarantees the reporter's integrity, any "wrong-doings" by the company employees, in the name of the company, should be handled by the justice department directly with the company. We are BBC, we have sent the reporter to do work for us, the info he retrieved is ours. Have problems with the data? Should see that with us, leave the poor guy alone, he's only trying his best at doing his job (and has a ridiculously small remuneration for the risks he assumes).

  77. Passphrase from a famous book by hankwang · · Score: 1

    The keyspace is only large if the attacker doesn't know or suspect how your password is constructed. Otherwise: 10^3 possible famous books, 10^5 words (starting positions) per book, 5 possible key lengths, 2 for with/without spaces. This gives you a key space of 10^9 that can easily be brute-forced.

    And if they/NSA see you look up the book on your browser, you're definitely done.

    1. Re:Passphrase from a famous book by Zero__Kelvin · · Score: 1

      I don't think you are understanding this but maybe I am wrong. In your mind, how many keys are in a single book?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:Passphrase from a famous book by hankwang · · Score: 1

      A single book has 10^5 words. The passphrase is a sequence of 5 consecutive words from the book, so there are (10^5 - 5) possible 5-word passphrases that you can draw from this book. Much less if passphrases must start after a period/comma/semicolon/etc. A bit more if you also allow 4- or 6-word passphrases. Much less than if you draw 5 random words from a dictionary or book, but that's much more difficult to remember (at least, I won't remember tens of correct-battery-horse-staple passphrases).
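
The keyspace arithmetic from comments 60 and 77, worked through as an added example that is not part of any post in this thread. The guess rate of 10^9 per second and the 7,776-word list used for the random-word comparison are assumptions; the book and word counts are the posters' own figures, and the sample text is the verse quoted in comment 60's replies.

```python
"""Keyspace estimates for passphrases taken from consecutive words of a book."""
import math
import re

SECONDS_PER_YEAR = 365.25 * 86400
GUESSES_PER_SECOND = 10**9   # assumption: offline guess rate, not from the thread
WORDLIST_SIZE = 7776         # assumption: Diceware-sized list for random words

# Verse quoted in the thread, used as a tiny stand-in for "a book".
SAMPLE_TEXT = ("Whan that Aprill, with his shoures soote "
               "The droghte of March hath perced to the roote")


def bits(keyspace):
    """Size of a keyspace expressed in bits."""
    return math.log2(keyspace)


def book_keyspace(books, words_per_book, lengths, variants=1):
    """Upper bound used in the thread: every word of every book is a possible
    start, times the number of allowed lengths, times formatting variants
    (for example with and without spaces)."""
    return books * words_per_book * lengths * variants


def count_windows(text, min_len, max_len):
    """Count the distinct consecutive-word passphrases a text really contains.
    This is lower than words * lengths because windows cannot run past the end
    and repeated phrases collapse into one candidate."""
    words = re.findall(r"[A-Za-z']+", text)
    seen = set()
    for k in range(min_len, max_len + 1):
        for start in range(len(words) - k + 1):
            seen.add(" ".join(words[start:start + k]))
    return len(seen)


def random_words_keyspace(wordlist_size, n_words):
    """Keyspace when every word is drawn independently at random."""
    return wordlist_size ** n_words


def seconds_to_exhaust(keyspace, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace / guesses_per_second


def report():
    """Return {model: (keyspace, bits, seconds to exhaust)} for each scheme."""
    models = {
        # Comment 60: 50,000 books, 100,000 words each, 5 keys per start word.
        "gutenberg": book_keyspace(50_000, 100_000, 5),
        # Comment 77: 10^3 famous books, 5 lengths, with/without spaces.
        "famous_books": book_keyspace(1_000, 100_000, 5, variants=2),
        # Comparison: 5 words drawn at random from the assumed word list.
        "random_5_words": random_words_keyspace(WORDLIST_SIZE, 5),
    }
    return {name: (ks, round(bits(ks), 1), seconds_to_exhaust(ks))
            for name, ks in models.items()}


if __name__ == "__main__":
    for name, (ks, b, secs) in report().items():
        print(f"{name:15s} {ks:>22,d} keys  {b:5.1f} bits  "
              f"{secs:,.0f} s ({secs / SECONDS_PER_YEAR:,.1f} years)")
    n = count_windows(SAMPLE_TEXT, 5, 9)
    print(f"sample verse: {n} distinct 5- to 9-word windows")
```

The estimate only holds when the attacker knows the selection method, which is the condition both posters state; the random-word figure does not depend on keeping the method secret.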

  78. Re:How about this... by AK+Marc · · Score: 1

    NAZI is a flawed English transliteration of NSDAP National Socialist German Workers' Party. A socialist workers party isn't a "bad thing" and most people didn't notice it was not a worker's party, nor socialist until it was too late. I have no idea what the UK party was like at the time, but I'd guess they were more like the theoretical ideals, not the "kill all Jews" party. But maybe they were.

    The NAZI party was a German nationalist party, why would there be so many German nationalists in the UK?

  79. Re:How about this... by Barny · · Score: 1

    I don't know what I expected. Clicking random youtube links on slashdot is like playing russian roulette with your mood.

    About halfway through the first video, very very interesting stuff.

    --
    ...
    /me sighs
  80. self encrypting drive by Spazmania · · Score: 1

    You guys are aware that self encrypting drives have been readily available for a decade now, right? The BIOS detects that the drive requires a password and asks for it at boot. The password unlocks an internal key used to encrypt the drive. Unless the adversary manages to capture the laptop while it's on or in standby, no password = no data.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:self encrypting drive by nospam007 · · Score: 1

      "You guys are aware that self encrypting drives have been readily available for a decade now, right?"

      Yes, and every week there's an article here saying that these suck and that their encryption can be easily broken or circumvented.

    2. Re:self encrypting drive by Anonymous Coward · · Score: 0

      Or even if it can't be directly broken or circumvented just flash a new firmware for the disk that will install some malware on the system at a later stage when the user has actually entered the password..

      Best security-practice is that nothing sensitive (code or data) should ever leave the CPU, but since most CPUs don't support ram-encryption or being able to validate that the BIOS has not been tampered with it's quite hard..

      - Software encrypted harddrive:
      Encrypting all data being written to the harddrive in software within the CPU (embedded keys in the CPU would be nice, programmable keys of course)..

      Fixes: Injecting code/data into a system at a later stage - http://www.wired.com/2015/02/n...

      - Encrypted/Obfuscated RAM
      Each boot the CPU would generate a random key the RAM would be encrypted with. To obfuscate it a bit more randomizing the layout (4k blocks or so) would make it a bit harder to break. Each 4k page would be encrypted with a sha256 of key + page-id.

      Fixes: Dumping the RAM of a running system - http://www.zdnet.com/article/c...

      - Encrypted+signed firmware.
      All firmware (BIOS or even the internal USB connected camera) should be encrypted and signed.

      Fixes: Injecting code/data into a system at a later stage - http://www.wired.com/2015/03/r...

      - After resume all insecure ports (thunderbolt, usb-ports(?), networking) that could potentially be used to compromise the system should be disabled until after the user has authenticated.

      Fixes: Injecting code/data into a running system
      https://trmm.net/Thunderstrike
      https://en.wikipedia.org/wiki/...

      Disclaimer: Links are from the first page of a google-search.. Have not been read by me.. If they contain bad info please research the issue yourself.

      -

    3. Re:self encrypting drive by Spazmania · · Score: 1

      There are FIPS-140 drives whose encryption has been demonstrated to not suck.

      As for the ones which do suck... invariably a USB drive or thumb drive. Not an internal laptop hard drive. Read carefully.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  81. I'll continue to use TrueCrypt, thank you. by Anonymous Coward · · Score: 0

    nt

    1. Re:I'll continue to use TrueCrypt, thank you. by monkeyzoo · · Score: 1

      Thank you for exposing a privilege escalation backdoor to your system through the TrueCrypt driver.

  82. Re: How about this... by Anonymous Coward · · Score: 0

    That was in the '60s. Today Rosa Parks would be shot for "appearing threatening", Martin Luther King would be character-assassinated and then killed, Malcolm X deported to Gitmo and any civil rights march bombed by drones.

  83. Ask Slashdot by Fnord666 · · Score: 1

    Timothy - Any chance you could post "Ask Slashdot" stories to the "Ask Slashdot" section of the site? It exists for that very reason you know.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  84. Re:Sigh by Anonymous Coward · · Score: 0

    Encrypted IronKey. If it is tampered with, it will self-destruct.

  85. truecrypt container in a hidden folder by Anonymous Coward · · Score: 0

    If the journalist uses a TrueCrypt container in an unusual folder (in the program file folder of an uncommon program with a .DAT extension for example). The computer can be taken, the police won't find evidence. In some countries you must provide the key to decrypt so a full encryption will be suspicious. So hide in the crowd.

  86. The way to do it is online by Anonymous Coward · · Score: 0

    You are just going to have to find it yourself. There will be no answers on "ask /."

  87. Simple solution by Anonymous Coward · · Score: 0

    You all are missing the point. There is a simple solution that requires no technology.

    Don't talk or work with terrorists.

    1. Re:Simple solution by gabrieltss · · Score: 1

      Except everyone is considered a terrorist in the government's eyes. So we are all F***ed!

      --
      The Truth is a Virus!!!
  88. I like this, but who needs a hard drive? by Anonymous Coward · · Score: 0

    A Linux Bootable USB can store the operating system in a read only state. A lot of distros have a boot flag that allows you to load the entire OS and system files to RAM. Insert USB, boot to USB, remove USB... do your dirty work... submit all information to your remote write only server. Memorize the IP/user/pass of that server instead of putting it on the USB.

    Once the laptop is turned off, your RAM is wiped and the system is cleaner than any z-fill could ever accomplish and your bootable USB only has an innocent install of Ubuntu.

    In retrospect, there's no reason you can't make the harddrive read only and boot to RAM that way for convenience.

  89. Macs are pretty secure by chriswaco · · Score: 1

    Turn on FileVault to encrypt the drive. Set a firmware password. Make sure there are no guest accounts. See https://support.apple.com/kb/P... and https://support.apple.com/en-u... . Turn off iCloud and don't enter an AppleID. Use an encrypted text editor on top of this with a 3rd password. This won't stop the NSA, but will stop most hack attempts. Putting documents on an encrypted SD card is not a bad idea.

    1. Re:Macs are pretty secure by Anonymous Coward · · Score: 0

      Absolutely fucking awful advice. You will only prolong the pain and end up spending time detained, refused entry to the country or simply have to hand over your keys anyway. It isn't hard. DON'T TAKE THE FUCKING DATA WITH YOU. In today's world remotely accessing a machine via an encrypted tunnel is easy, there is no need to be carrying data with you through areas that may wish to detain you and view it.

  90. Impossible in the UK by Anonymous Coward · · Score: 0

    With the new powers being asked by the terrorist Theresa May, there's no need to even look at a person's laptop or data, they simply go to the ISP, Google, and Facebook for all your data and associates and browsing history.
    Forget Tor, it's full of spying nodes setup by GCHQ and NSA.

    Unless you're using end-to-end encryption like Apple's iMessage or Pidgin for transferring all your data and comms, it's simply not possible to not leak any information over the air, either through Tor or by going directly through your ISP.

  91. is the just a window problem by skelley · · Score: 1

    using a mac+filevault2+bootprom password should cover you

  92. Re: Securing your laptop? Only one way... VeraCryp by monkeyzoo · · Score: 1

    VeraCrypt whole disk encryption. (Successor to TrueCrypt.) Duh!
    Make sure it's powered off when you're traveling, and avoid malware infection. Then, you're all good.

    If you're worried about compulsory password requests, then things get a bit more complicated. You can use the plausible deniability feature of VeraCrypt to accomplish this, but deniability also requires rigorous adherence to modified computing practices.

  93. The holy trinity of the new economy by smugfunt · · Score: 1

    To prevent the collapse of Western Civilization due to complete automation and unfettered rent-seeking we need to institute these three policies:

    Universal Basic Income which will replace most forms of welfare. However, this will not work without...

    Land Value Tax based on the rental value of land not including any improvements. This will replace most other forms of taxation. For this to have the desired effect we also need...

    Full Reserve Banking which will remove the ability of banks to create money and then charge interest on it.

    Private natural monopolies and every other form of rent extraction must be hunted down and neutralised.

    If we don't do these things the booms and busts will continue to ratchet up wealth inequality until the economy collapses and the peasants revolt.

  94. secure cloud storage? by Anonymous Coward · · Score: 0

    secure cloud storage?
    Seriously? Were you drunk when you wrote that?

  95. Re: Sigh by Anonymous Coward · · Score: 0

    Hidden dead man's switch. If a certain code isn't entered at every power up/login and say every couple hours, have the device silently overwrite the files with random garbage (a couple times for mechanical hard drives, maybe just once for SSD). There should be no prompt at all except maybe a very soft tone or sound effect for when it is time to enter the code. Make sure it is entered like a cheat code (holding down control and keying in a sequence of letters). Probably have the prog rename all files to something non suspicious but would have justification for this type of security (maybe like ::your name:: tax return.xls or something) prior to delete/scrub and even delete/wipe the prog itself (these are just ideas. Precise implementation left up to reader's best judgement). Of course, you may have to code this or have someone code it for you since this may not have been written yet. Oh, MAKE SURE ALL FILES INCLUDING SWAP AND TEMP FILES ARE SCRUBBED TOO AS THESE CAN STILL CONTAIN INCRIMINATING DATA.

  96. Re: Sigh by Anonymous Coward · · Score: 0

    It might be a good idea to have decoy files as well that read like something they would expect, but have nothing incriminating. Make sure you create/modify these before or after the "sensitive" files and update them along with the sensitive ones so the dates (and content) don't seem suspicious.

  97. idiom by Anonymous Coward · · Score: 0

    If you're having to do all that then wat-eva you're doing is against the law. If you're going to be breaking the law then I cannot help you. Criminals!! I have not heard of more than maybe 5 real true Hero Journalists these days, the remaining are just not being true to the people.

  98. Re: Sigh by Anonymous Coward · · Score: 0

    Oh, one more thing: make sure you change the time/date stamp of the sensitive/"suspicious" files so they are NOT the same or close to the decoy files!

  99. Re:How about this... by Anonymous Coward · · Score: 0

    Meh.

    ~
    give weapon_shotgun
    *BOOM HEADSHOT*

    When in doubt, cheat.

  100. I've got an idea... by Anonymous Coward · · Score: 0

    Stop breaking the law assholes.

  101. Simple Solution by Anonymous Coward · · Score: 0

    Just stand up... your laptop goes away.

  102. Don't take a laptop by sjames · · Score: 1

    Don't take a laptop, just an install DVD. When you arrive, pick up your pre-arranged rental laptop and install your image from the DVD. Use that to download the rest from home. Then work normally.

    When you're ready to leave, upload everything over the net and use the DVD as a rescue boot so you can wipe the drives. Return the laptop and shred the DVD.

  103. EFS? Really? by BrianMahoney1357 · · Score: 1

    I would strongly suspect that EFS has a backdoor that Microsoft would give up immediately upon request. Same for any and all cloud storage. Also, Windows 10 is offered for free which means that someone else is paying Microsoft for the data that this OS collects by default. It's like "Here, take this free stuff so we can keep track of everything you do." Has Microsoft ever given away anything for free? Not that I can remember.

  104. Dead man's switch and decoy files by Anonymous Coward · · Score: 0

    Hidden dead man's switch. If a certain code isn't entered at every power up/login and say every couple hours, have the device silently overwrite the files with random garbage (a couple times for mechanical hard drives, maybe just once for SSD). There should be no prompt at all except maybe a very soft tone or sound effect for when it is time to enter the code. Make sure it is entered like a cheat code (holding down control and keying in a sequence of letters). Probably have the prog rename all files to something non suspicious but would have justification for this type of security (maybe like ::your name:: tax return.xls or something) prior to delete/scrub and even delete/wipe the prog itself (these are just ideas. Precise implementation left up to reader's best judgement). Of course, you may have to code this or have someone code it for you since this may not have been written yet. Oh, MAKE SURE ALL FILES INCLUDING SWAP AND TEMP FILES ARE SCRUBBED TOO AS THESE CAN STILL CONTAIN INCRIMINATING DATA.

    It might be a good idea to have decoy files as well that read like something they would expect, but have nothing incriminating. Make sure you create/modify these before or after the "sensitive" files and update them along with the sensitive ones so the dates (and content) don't seem suspicious.

    Oh, one more thing: make sure you change the time/date stamp of the (to be) deleted files so they are NOT the same or close to the decoy files!

  105. You may be fucked if the seizure happens without w by Anonymous Coward · · Score: 0

    If the po seizes your laptop at the airport, how are you going to destroy it? Better find some way to encrypt and/or arrange to have the data destroyed somehow after it is seized and out of control.

    (Of course, they can remove the drive and read it on another system, or use a very reliable and inexpensive decryption method that involves a claw hammer/pliers and your extremities/fingernails and/or threats of prison torture and rape, or have you disappeared forever if you successfully have the data automatically destroyed. You are most likely fucked in this situation no matter how you slice it.)

  106. If they seize your laptop without warning, you are by Anonymous Coward · · Score: 0

    They can remove the drive and read it on another system, or use a very reliable and inexpensive decryption method that involves a claw hammer/pliers and your extremities/fingernails and/or threats of prison torture and rape, or have you disappeared forever if you successfully have the data automatically destroyed. You are most likely fucked in this situation no matter how you slice it.

  107. Re: Encrypt drives? by Anonymous Coward · · Score: 0

    Best I have heard of is / was PGP
    http://buy.symantec.com/estore/clp/smb_d4v2_9p9s_pgpencryption1_default

  108. Obligatory (and not at all funny) xkcd... by rocket+rancher · · Score: 1

    the weakest link in any security system is the flesh and blood one...

  109. Re:How about this... by david_thornley · · Score: 1

    Actually, Nazi was a derogative nickname for the party (there was a comparable nickname, Sozi, for a left-wing party). It was used in Germany, but not by Nazis, who always used "National Socialist". I would suspect it was a lot less used after 1933.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  110. In the UK? Not much, legally. by StikyPad · · Score: 1

    The UK can compel disclosure of a password, with up to 2 years in jail for simply refusing to comply.

    https://en.wikipedia.org/wiki/...

    TrueCrypt could provide plausible deniability in theory, but the difference between theory and reality is often smaller in theory than in reality.

  111. Re: Securing your laptop? Only one way... VeraCryp by pnutjam · · Score: 1

    Just load your laptop like usual, and run your vm from inside an encrypted veracrypt folder. Put another vm with some games (so you have a reason to have the vm host running). Most investigators won't spot the vm's, most of the ones that do, won't spot the encrypted ones. The ones that do spot the encrypted one, won't be able to get into it.

  112. Re: Securing your laptop? Only one way... VeraCryp by monkeyzoo · · Score: 1

    I wouldn't do that without also encrypting the host OS's whole disk with VeraCrypt in case the passwords leak out of RAM onto disk unencrypted.

  113. Re: Securing your laptop? Only one way... VeraCryp by pnutjam · · Score: 1

    I would say that's unnecessary for 99% of use cases, and defeats the purpose.

  114. Re: How about this... by Anonymous Coward · · Score: 0

    ...the police neither make the laws nor do they judge whether the laws are fair or even legal. The job of the police is to simply enforce laws that have been made. That is as true today as it was 50 years ago.

    That's never been true.

    The US Bill of Rights is open-ended. James Madison deliberately made it that way. It provides for unspecified rights retained by the people (9th Amendment), and unspecified rights reserved to the people (10th Amendment).

    These rights, like everything else not specifically limited to Congress, apply to the state and local governments as well as to the federal government. That would follow simply as a consequence of the right to ethical practice of law (certainly a universal and inalienable right), and it also follows from Madison's original text of the Bill of Rights.

    In short, the police are required, by the highest law in the land, to recognize that individuals have rights that go beyond the actions and decisions of executive, legislative and judicial bodies. In short, individual responsibility is enshrined in the highest law of the land, which every police officer swears an oath to uphold, as a precondition for holding that office. That oath is binding on their actions, every minute of every day.

    Strange you should mention 50 years ago, since that's about when some significant events happened at a place called Nuremberg. There a number of Germans claimed that it wasn't their duty to judge whether the laws compelling their obedience were ethical, legal, or moral.

    This defense was rejected. US police officers who refuse to act responsibly with respect to illegal laws (of which the USA has a plethora) are in the wrong, ethically, legally, and morally, just as those Germans were.

    You may be confused by the fact that you don't often see this happening. That should not be taken as an indication of what the police should be doing, but rather tells us how badly some police officers are doing their jobs. Also, when police officers do the right thing (and some do understand these issues), it doesn't make the news, so we don't hear about it.

    There is sometimes a big difference between what the law says, and how things work in practice, in large part due to ethics problems within the profession of law. The US legal profession has a vested interest in not recognizing the authority of the 9th Amendment, leading to many failures of integrity, and lots of illegal laws, illegal court orders, illegal executive orders, and illegal precedents.

    These failures of integrity on the part of the legal profession do not in any way relieve the police officers of their responsibility to do the right thing.

    Further, if you don't see the police doing the right thing, it means the police are breaking the law.

    This happens a lot.

    It's no different now than it was during the "Jim Crow" era, when incompetent or amoral or incompetent police officers chose to enforce blatantly illegal laws (which the Jim Crow laws certainly were). After a while, that kind of thing becomes a norm, as people make assumptions about what is acceptable based on what they see others doing, which is why having a poorly educated police force is a very bad thing for a society.

  115. Re: Securing your laptop? Only one way... VeraCryp by monkeyzoo · · Score: 1

    I would say that's unnecessary for 99% of use cases, and defeats the purpose.

    Hi pnutjam. That was my thought about the VM solution actually versus plain whole disk encryption. ;-) Is the use case you're worried about the plausible deniability requirement? Apart from that, do you see a use case that makes it preferable to go this route and install a VM instead of just using whole disk encryption?

    On the plausible deniability front however, your suggestion seems pretty interesting; definitely sounds simpler to use an encrypted container with a hidden volume than an encrypted system with a hidden OS.

  116. Re: Securing your laptop? Only one way... VeraCryp by pnutjam · · Score: 1

    Well, the problem with just a hidden container, is that you often don't realize where things are being written by programs you use. It's easy to end up with something in an insecure location, or sitting in your hibernation or suspend file.
    With the whole OS encapsulated, you can more easily contain it. You can also have it use a vpn or tor network, so the main pc can't listen to its traffic.
    The only big problem in this situation, would be keyloggers, or some sort of malware that is taking screen shots periodically. You can guard against key loggers by using an onscreen keyboard, but the other is something you will have to avoid with opsec.
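
Added example, not part of any comment in this thread: a check for the leak path described in comment 116, where data from an encrypted container ends up in swap or a hibernation image on the host. It assumes a Linux host; the function names `audit_swap` and `hibernation_armed` and all sample inputs are constructed for illustration.

```python
import os

# Constructed sample inputs (not from the thread). On a live Linux host, read
# /proc/swaps, `lsblk -rno KNAME,TYPE`, /sys/power/state and /sys/power/resume.
SAMPLE_PROC_SWAPS = """\
Filename                                Type            Size    Used    Priority
/dev/dm-1                               partition       8388604 0       -2
/dev/sda3                               partition       4194300 1024    -3
/swapfile                               file            2097148 0       -4
"""
SAMPLE_LSBLK = "sda disk\nsda1 part\nsda3 part\ndm-0 crypt\ndm-1 crypt\n"


def audit_swap(proc_swaps, lsblk_text):
    """Return (path, status, used_kib) for every active swap area."""
    # Map kernel device name -> lsblk TYPE ("crypt" marks a dm-crypt mapping).
    types = dict(l.split() for l in lsblk_text.splitlines() if len(l.split()) == 2)
    findings = []
    for line in proc_swaps.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        path, kind, used_kib = fields[0], fields[1], int(fields[3])
        if kind == "file":
            # A swap file is only as protected as the filesystem holding it.
            status = "on-filesystem"
        elif types.get(os.path.basename(path)) == "crypt":
            status = "encrypted"
        else:
            # Includes swap on LVM over dm-crypt, which needs a manual look.
            status = "plaintext-or-unknown"
        findings.append((path, status, used_kib))
    return findings


def hibernation_armed(power_state, power_resume):
    """True if the kernel offers suspend-to-disk and a resume device is set."""
    return "disk" in power_state.split() and power_resume.strip() != "0:0"


if __name__ == "__main__":
    for path, status, used in audit_swap(SAMPLE_PROC_SWAPS, SAMPLE_LSBLK):
        print(f"{path:12} {status:22} {used} KiB in use")
    print("hibernation armed:", hibernation_armed("freeze mem disk\n", "8:3\n"))
```

Any swap area reported as `plaintext-or-unknown` with a non-zero "used" figure is a place where memory pages, including those of a VM or mounted container, may already sit unencrypted on disk.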

  117. Re: Securing your laptop? Only one way... VeraCryp by pnutjam · · Score: 1

    In regards to whole disk encryption, I think that is great also. However, it's still difficult for your average user. I think it's more common and less of a red flag now.
    My problem with whole disk encryption is that it's usually integrated into the logon. You just need to leave your pc running, and it's defeated.
    I think the separate vm provides a sort of reminder and encourages you to be more conscious of operational security, which is where most people screw up.
    I also like the portability.