Ask Slashdot: Securing a Journalist's Laptop Against a Police Search?

Bruce66423 writes: In the light of the British police's seizure of a BBC laptop what is the right configuration and practices to ensure that such a seizure provides zero information to the cops? This post from Thursday might be a good place for some ideas, but that one's expressly about securing a Chromebook; what would you advise for securing a more conventional laptop? (Or desktop, for that matter.)

Securing your laptop? Only one way

[fustakrakich]

Shred it...

Re:Securing your laptop? Only one way

[Z00L00K]

Seems to be overkill.

It's probably better to have only sensitive stuff encrypted and hidden, that way it will be harder to determine if it contains interesting stuff. You may feed cops with some information, but only information that they essentially can figure out anyway.

Re:Securing your laptop? Only one way

[davester666]

Remember, this WON'T be "cops", ie, some drone poking around seeing what they can find. If it's at all interesting [as in, you are a journalist that is doing something that the government is interested in], your computer HD will be cloned and sent off to the NSA to be decrypted.

You better have it encrypted using a very high-quality algorithm, with a very good password that they cannot confiscate from you [like on a usb stick or keyfob].

Re:Securing your laptop? Only one way

[ArmoredDragon]

I personally use Windows EFS on my entire c:\user\myname folder, and that whole folder is backed up to a zero knowledge storage provider. I do this for my desktop and laptop.

Unless you save documents outside of that folder (which by default, 99% of all applications store it somewhere in that folder) then it's not likely to be retrievable.

AFAIK, Windows EFS uses AES-256 as a block cipher, with RSA-2048 or ECC-256 for key escrow (you can do up to RSA-16,384, or ECC-512.) AFAIK not even the NSA is able to crack either of those. The weakest link would be your password, with shorter passwords being easy to break (complexity, i.e. mix of case, special characters, numbers, isn't anywhere near as important as length) so use one that's 15 characters or longer.

Re:Securing your laptop? Only one way

[rtb61]

In management of secure information it is more appropriate to take a manageable series of secure step to ensure security of some of your data not necessarily all of you data and to try to prevent the to mixing.

So logically it makes sense to dual boot your device. A more active dual boot, so the normal boot is from built in storage with only as much security that you could be bothered with and the other boot is from portable media, preferably something very compact and secure, an encrypted memory card.

This creates good security habits. You only have the memory card accessible when you are going to use it, you are creating a separate secure digital environment even secure from bad programs on your fixed storage you a creating security conscious habits. The memory card itself super easy to hide away and secure from hidden built in enclosures in other devices to something as simple as a small adhesive bandage and if you need to lose it in a hurry it is really easy to do. You would also most definitely boot to Linux and not to Windows or Apple or Android, a known safe and secure Linux Distribution with only the applications you need and nothing more. A conscious act to enter secure mode and a concious act to leave secure mode and do other stuff.

So securing the data now becomes how not to lose the memory card and how to back it up it case you lose your primary secure media.

Re:Securing your laptop? Only one way

[BlueStrat]

The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.

Anything else is a band-aid and temporary at best.

Strat.

Re:Securing your laptop? Only one way

[clovis]

The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.

Anything else is a band-aid and temporary at best.

Strat.

That is the final step in the process.
Step one is getting people to realize there's a problem.
And that's why journalists need to have their information protected, and that's why the goons want to get their hands on it.

Re:Securing your laptop? Only one way

[arth1]

Seems to be overkill.

Not really. Would you really take back a computer that the government hackers have had in their possession and then decrypt the data on it?

Re:Securing your laptop? Only one way

[arth1]

That is the final step in the process.

I can think of a few steps that are even more final than that...

I'm not elucidating, due to the fifth amendment to the constitution.

Re:Securing your laptop? Only one way

Lol!

AFAIK not even the NSA is able to crack either of those

They don't need to, they'll just log into Microsoft and get your key.

Closed-source encryption can never be trusted.

Re:Securing your laptop? Only one way

[Skewray]

I also put the laptop in an evidence bag. If the bag has been opened, I can toss the laptop.

Re:Securing your laptop? Only one way

[Antique+Geekmeister]

> The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.

Since all governments will want, and are likely to insist upon, access at will to private documents, I wouldn't expect this plan to work. The Russians tried replacing a horrible monarchy with "the people's government" and wound up with Lenin and Stalin and abuses the equivalent of anything the czars committed.

Re:Securing your laptop? Only one way

[AHuxley]

Yes the different types of software that a nation can use/buy/create will just look for any signs of encryption. Names or terms in OS logs, times, formatting attempts.
Detection of hidden "random like" data structures or past use of an application is not hard to uncover.

Re:Securing your laptop? Only one way

[Z00L00K]

Well - I can always install games on it and give it away to some kids.

If NSA installed spyware on it then they will be busy with that for a while.

Re:Securing your laptop? Only one way

[AK+Marc]

Buy a laptop with an SD card slot. Put all files other than OS and some games on the SD card. Hide the SD card inside your luggage handle when passing through security. Or FedEx it to your destination. Encrypt if excessively paranoid. The stock SD card slot won't generate excessive interest, they won't even know to look for or expect it. If you are overly concerned, use a micro-SD card in an adapter, leave the adapter in your slot, but hide the micro card anywhere, slipped behind the tag in your underwear would survive a strip search.

If you don't have an SD card slot, take two mirrored HDs outbound, and send the used one back while installing the "spare" for the return trip.

Hiding the data is better than encryption. Encryption is easy to break if you have the person with the key in a locked room and a $5 wrench (well, 5 quid spanner, for the UK).0

Re:Securing your laptop? Only one way

[ArmoredDragon]

Neither can any encryption tool that you haven't personally audited line by line.

Re:Securing your laptop? Only one way

[BlueStrat]

The only reliable way to protect your data from government thugs is to change the government such that there are no government thugs wanting your data.

Since all governments will want, and are likely to insist upon, access at will to private documents, I wouldn't expect this plan to work. The Russians tried replacing a horrible monarchy with "the people's government" and wound up with Lenin and Stalin and abuses the equivalent of anything the czars committed.

That's actually a key concept and also a key reason for keeping government as decentralized and local as possible. The more concentrated & centralized government power is, the quicker it falls to corruption and outright despotism and tyranny.

That was also one of the reasons the US Constitution was written so as to allow the central government only a few limited powers and keep as much of the governing affecting individuals as local and accountable as possible.

Sadly, the US has over the last ~100 years, moved away from decentralized and accountable governance to become a top-down, centralized-power, crony-capitalist fascist surveillance-state oligarchy.

Strat

Re:Securing your laptop? Only one way

[AutodidactLabrat]

May I remind you that the anti-progressives of the Bush admin built the entirety of the TSA and that the NSA is an EISENHOWER monster?
Hmm?
That 100% of the civilian intelligence business was created not to protect from foreign spies, but from American pot smokers?
Is your grasp of history so blank that you ignore those truths?
Remember, America was a totolitarian state from the time J.Edgar built his dossier on every potential lawmaker in the pipeline!

Re:Securing your laptop? Only one way

[AutodidactLabrat]

How are "many local governments" less dictatorial than one accountable to all citizens?
I remind you of the reality of America, instead of your myths
America was "the greatest generation" when 72% of workers were unionized
America was greatest when UNEARNED income was taxed at 91% with exceptions for socially approved uses such as charity and long term investing
America was greatest when Corporations had no legal voice in electing or UNelecting anyone
America was greatest when Corporate giveaways were uniform, nationwide, thus restraining whipsaw tactics
America can be greatest again, but only by making the Corporation an ARM of the small citizens, with the professional,interlocking directors of boards of Corporations banned.

Re:Securing your laptop? Only one way

[chihowa]

The weakest link is the part where you upload all of your data to a "zero knowledge" storage provider. "Zero knowledge" just means, "I promise not to look at your data (yet)."

Re:Securing your laptop? Only one way

[BlueStrat]

How are "many local governments" less dictatorial than one accountable to all citizens?

Because the individuals in that government are your friends & neighbors and as such are much more accountable than some bureaucrat 2,000 miles away. If the laws, rules, and regulations where you're at are unsuitable, you can choose to move somewhere where they are a better fit.

Alternately, you can also choose to change the local laws, rules, and regulations where you're at and have a far better chance at changing a local government than a behemoth centralized bureaucracy 2,000 miles away.

I remind you of the reality of America, instead of your myths

For which you only provide your own myths and opinions as evidence.

The US has been on a steady and increasingly-rapid decline since Progressive policies and programs have increasingly been enacted and promulgated. The correlation between the instituting of Progressive policies and programs and the decline of the US tracks together closely. Take a look at Detroit as a shining example of what 40+ years of Progressive policies and programs can accomplish.

Strat

Re:Securing your laptop? Only one way

[tehcyder]

Encryption is easy to break if you have the person with the key in a locked room and a $5 wrench (well, 5 quid spanner, for the UK).0

In the UK, if you don't give them the encryption key you can go to jail for up to two years. No spanners needed.

Re:Securing your laptop? Only one way

[houghi]

We have that information. Nobody cares.

And most of the information is not handed over or even handled by journalists.

Probably you are thinking about freedom of the press. That means that the press is free from intrusion. For me freedom goes both ways. A free press is not only one that is not influenced directly. It is also one that does not influence directly. So they should not be paying political parties 5nor their sister companies) or they should be taken away all the rights that come with freedom of the press.

So, no the reason is not to control the media. That is done on a much higher level. It is about some frustrated mall cop who finaly got a real uniform and is pissed off because he was not alled to have sex with his wife.

The public knows. They are aware. They are not interested. Persons are smart. People are stupid.

Re:Securing your laptop? Only one way

[strikethree]

I personally use Windows EFS on my entire c:\user\myname folder, and that whole folder is backed up to a zero knowledge storage provider.

Yowsa. You trust Microsoft not to have a backdoor into the encryption scheme that they provided to you? Go ahead and tell me I am wearing a tin foil hat... Recent events have proven even creepier than the distrust that I am showing here.

(CAPTCHA is outwit, lol)

Re:Securing your laptop? Only one way

[AutodidactLabrat]

Simply FALSE.
Remember, it is those "friends and neighbors" who ban any religious practice on public land EXCEPT Christianity
Those same "Friends and neighbors" refused for 120 years to prosecute even ONE Klan Night Rider
Remember the State Troopers barring black young men and women from College?
Sure you do
The "Friends and neighbors" are simply more easily controlled by the wealthiest and most rabid
No, you are simply wrong.
Then again, all of Libertarianism is simply wrong.

Laptop

[fyngyrz]

Don't store your information on the laptop in the first place. Just use it as an editing and remote-access tool over a secure connection or to a USB stick you don't expose to search procedures.

That's about the best you can do, short of memorizing everything.

Encrypt the laptop, and you could lose it. Just let them search it top to bottom, then when they're done and you're wherever you're going, wipe the hard drive, reinstall your OS, and carry on.

It's really not a great idea to carry information you need to be secure around with you.

Re:Laptop

[Applehu+Akbar]

Does anyone make a little ruggedized case for an SD card that you can swallow?

Re: Laptop

[GrantRobertson]

This!

I'm not saying this is the way to go for all needs. Personally, I hate to use web apps for everything. But, for complete security when crossing borders, your info should just stay home.

Re:Laptop

[allo]

Why? Break it in two parts and its very expensive to restore data. Drop it into the toilet and flush. Nobody will find it.

Re:Laptop

[peragrin]

Why swallow? Micro SD is small enough to hide in your shoe. Rip the inner sole slightly and carve out a tiny slot. The police might check your shoes quickly but they won't look close. The metal will block scanners.

Re:Laptop

Why swallow? .

That's what she said.

Re:Laptop

[BitterOak]

Why swallow? Micro SD is small enough to hide in your shoe. Rip the inner sole slightly and carve out a tiny slot. The police might check your shoes quickly but they won't look close. The metal will block scanners.

Even at airports, you're required to take off your shoes and have them X-rayed. I'm sure a targeted search by police would be at least as thorough.

Re: Laptop

[gweihir]

And once they suspect that, they will just x-ray you, like they do for drugs. And then wait until it comes out and maybe slap a few extra charges on you.

Re:Laptop

[w3woody]

You could use one of these...

Re:Laptop

[peragrin]

Most shoes and sneakers have a strip metal along the sole for rigidity. Take an old pair apart sometime. I always seem to break the inner soles of my footwear. That is how I know.

Unless they see something obvious you can hide a microsd card there without an issue. I have yet to see a police officer do more than a quick visual inspection tion/ X-ray of shoes.

Re:Laptop

[Z00L00K]

Better to have a specially designed clothing or coat buttons to store the microSD in.

Re:Laptop

wipe the hard drive, reinstall your OS, and carry on

No. If an investigator has attached anything to the laptop or taken it where you can't see it, the laptop is no longer trustworthy. Wiping the hard drive is not enough! Laptops have multiple firmwares in flash memory. There is code which runs before the operating system and code which runs side by side with the operating system in system management mode or even on separate processors. Detecting manipulations is very difficult, and certainly impossible for a layman. Leaking typed passphrases is almost trivial once you have firmware access.

A better choice of computer is a low cost computer with as little firmware as possible. A Raspberry Pi or some other computer with no onboard storage is a good choice. With a Raspberry Pi 2, a micro SD card is all that needs to be kept secret (and you can encrypt the data on it). In case of a search where the computer, keyboard, mouse or display are taken out of your sight, you can buy new ones cheaply and just keep using the same micro SD card.

Re:Laptop

[fyngyrz]

No. It isn't. If you get caught intentionally trying to smuggle, it'll go poorly for you. Just don't carry it in the first place. There's no actual need to, so why do it?

Re:Laptop

[Jane+Q.+Public]

Micro SD AND Truecrypt.

Re:Laptop

[NotQuiteReal]

Well now that we know about the hollow coins, there will just be a "leave a pound, take a pound" exchange set up as you go thru security.

Re:Laptop

[JustAnotherOldGuy]

This is actually the solution. Learn some mnemonic techniques.

Some people use a passphrase form a commonly accessible book (i.e. the bible, War and Peace, Aesop's Fables, To Kill a Mockingbird, etc). Just find a section you want and use the next 5 or ten words without spaces as the passphrase.

You don't even have to memorize it because this stuff is easy to locate online. Search to find the verse or section you want, locate the string of words, and there you go.

Re:Laptop

Seriously, how many of you are giving bad advice on purpose. Search online to find the section that contains your passphrase? Why don't you mail the passphrase to the NSA so they can remind you in case you forget it? Five to ten consecutive words from a classic book without spaces between them? Do you have any idea how small that keyspace is? You probably do, don't you.

Re:Laptop

[SwashbucklingCowboy]

"Just use it as an editing and remote-access tool over a secure connection or to a USB stick you don't expose to search procedures."

Forget the "secure" connection. There's a much larger attack surface there for people to exploit.

Re:Laptop

[Zero__Kelvin]

"Five to ten consecutive words from a classic book without spaces between them? Do you have any idea how small that keyspace is? "

You clearly don't.(It is exceedingly large in fact)

Re:Laptop

[ahodgson]

I doubt there's a law against carrying a low-value SD card in your shoe.

Re: Laptop

When you are detained, the toilets go into a special holding tank that is screened. Usually this is because of people trying to ditch drugs, not data.

Re:Laptop

[AbRASiON]

"Encrypt the laptop, and you could lose it."

Sorry but I suspect encrypted or not, it's extremely unlikely it wouldn't be taken anyhow. That's just how this stuff is. With a very very long process in getting it back to boot.

Re:Laptop

[arth1]

I have a couple of micro-SD cards hidden inside a USB thumbdrive. There's plenty of space for them, and an X-ray scan will just show layers of small chips, just like what's already in a USB thumbdrive.
I seriously doubt that anyone would think to look there for extra data storage. Well, until I posted this, that is...

Other possible places include inside the key caps on full size keyboards, inside RJ-45 and HDMI sockets, in the clamp of metal watchbands (with a wad of fluff on top to hide it from casual inspection), the sheet battery or docking station connectors of laptops, or inside a personal vibrator (the yuck factor will be too high for it to likely be disassembled).

Re:Laptop

Absolutely this. If the data isn't there to seize, then they can't seize it. SSH to another box (or a proxy) and then X/RDP to a machine that has your stuff. Even if your laptop gets confiscated/stolen/broken you don't lose the data, and they can't retrieve anything from it unless you give them the path to get in. You don't smuggle cards or drives of stuff that can be decrypted with enough time and energy.

When Mitnick was on the run for all those years, that was exactly the method he used. The only thing that screwed him at the end was he went to servers unencrypted, so he was vulnerable to a MITM at the end. Tunneling everything over SSH or a VPN with replay detection/protection would protect you for the most part.

Re:Laptop

[TechyImmigrant]

I doubt there's a law against carrying a low-value SD card in your shoe.

In many countries, including the one I left, there are laws making it illegal to withhold the contents and keys when they find it.

Re:Laptop

[TechyImmigrant]

With a very very long process in getting it back to boot.

After the government has installed whatever bugs or keyloggers they want? No thanks, it's not worth the effort at that point. Use cheap laptops, encrypt them and accept the fact that if one of them is ever seized, you're never going to use it again or likely even get it back.

The thing I don't get is why everyone assumes that every government is out to get the data on their laptop.

I deal with crypto and governments and I travel a lot. I've never been asked to reveal the contents of my laptop or usb sticks. An Israeli once asked me to show it booted, so he had some reason to believe it wasn't a bomb.

If you carry stuff around in your laptop that would compromise you in some way, by all means protect that information but I don't believe all the people posting the paranoia rants really do.

Re: Laptop

[AK+Marc]

Micro SD, hidden inside the hollow luggage handle. Or, the thought I had was that you could slip in behind your underwear tag. They'd have to x-ray you, and all of your clothes while you were naked to find it. If you have more details on the search procedure and know that won't make it through, a band-aid with the SD card under it would make it past, so long as they don't take it off and x-ray it separately. But if they are going to that level, you'd only make it past if you slipped it into someone else's luggage. Make friends with the person next to you. Slip your SD into their carry-on, and meet them after for a drink, or give them a free ride, as you have your car parked at the airport, and they were planning on a $100 cab ride to their destination. Then ask them if they found your card in their luggage, it must have fallen in when you were playing with it on the plane.

Or post it separately.

If they start x-raying everyone for internal concealments, I'll be eating safely coated lead balls so they waste time waiting for me to poop lead balls. After all, who knows what could be inside.

Re:Laptop

[AK+Marc]

There's a chance they'll x-rays shoes. What they won't do is x-ray all your clothes if they strip search you. So slip it behind the tag of your underwear. I pick that over the shirt because people are less likely to spend a long time staring at your underwear.

You could even slip one inside a band-aid (between the adhesive back and the sterile pad), which wouldn't get a lot of scrutiny, at most, pulled off to take a quick glance under. Or sewn inside your luggage or something in your luggage. Meybe hidden in plain sight, inside the camera in your luggage.

Re: Laptop

[neurosine]

I was going to make this same suggestion.

Re:Laptop

[nospam007]

"The thing I don't get is why everyone assumes that every government is out to get the data on their laptop.
I deal with crypto and governments and I travel a lot. I've never been asked to reveal the contents of my laptop or usb sticks."

Give us your real name and we'll change that.

"An Israeli once asked me to show it booted, so he had some reason to believe it wasn't a bomb"

That's why you should always put your bombs in the second harddisk bay, that way you can boot it on demand.

Re:Laptop

[fyngyrz]

I absolutely guarantee you, if they ask you if you're carrying something, you say you aren't, and they find out you are, you are going to have your plans severely disrupted. Unless "detention" is your idea of a proper result of crossing a national border.

Re:Laptop

[fyngyrz]

That's not really the issue for a border crossing. You're not exposing that attack surface at the border. There is no attack surface at the border, because there is no data being manipulated.

In the general case, don't write it down and don't store on a computer, and don't tell anyone anything about it.

Then you have some security. Until they start smashing your toes with a hammer, of course.

Re:Laptop

[monkeyzoo]

You mean VeraCrypt. The TrueCrypt driver now has known critical vulnerabilties.

Re:Laptop

[monkeyzoo]

The OP is asking about journalists. So, your advice amounts to don't be a journalist. Not very helpful.

Re:Laptop

[monkeyzoo]

Not a secure idea...
https://theintercept.com/2015/...

Your secret password trick probably isn’t very clever

People often pick some phrase from pop culture — favorite lyrics from a song or a favorite line from a movie or book — and slightly mangle it by changing some capitalization or adding some punctuation, or use the first letter of each word from this phrase. Some of these passphrases might seem good and entirely unguessable, but it’s easy to underestimate the capabilities of those invested in guessing passphrases.

Imagine your adversary has taken the lyrics from every song ever written, taken the scripts from every movie and TV show, taken the text from every book ever digitized and every page on Wikipedia, in every language, and used that as a basis for their guess list. Will your passphrase still survive?

If you created your passphrase by just trying to think of a good one, there’s a pretty high chance that it’s not good enough to stand up against the might of a spy agency. For example, you might come up with “To be or not to be/ THAT is the Question?” If so, I can guarantee that you are not the first person to use this slightly-mangled classic Shakespeare quote as your passphrase, and attackers know this.

The reason the Shakespeare quote sucks as a passphrase is that it lacks something called entropy. You can think of entropy as randomness, and it’s one of the most important concepts in cryptography. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion.

Even if you don’t use a quote, but instead make up a phrase off the top of your head, your phrase will still be far from random because language is predictable. As one research paper on the topic states, “users aren’t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language,” meaning that user-chosen passphrases don’t contain as much entropy as you think they might. Your brain tends to continue using common idioms and rules of grammar that reduce randomness. For example, it disproportionately decides to follow an adverb with a verb and vice versa, or, to cite one actual case from the aforementioned research paper, to put the word “fest” after the word “sausage.”

Passphrases that come from pop culture, facts about your life, or anything that comes directly from your mind are much weaker than passphrases that are imbued with actual entropy, collected from nature.

Re: Laptop

[Mal-2]

Wait, isn't there a movie about this already?

Re:Laptop

[KGIII]

I once got arrested for drinking in public (case dismissed, they just wanted me to stop being an idiot) and I made it through a strip search and the mandatory shower while wearing a Fentanyl patch on my arm. I was getting out in a little while, bailing out, so I gave it to another inmate. Fentanyl is a very strong opiate and the patches are akin to the nicotine patches - transdermal. The funny thing is, they thought I had drugs on me so I was searched by three officers at once. They were too busy messing with my shoes and clothing, so they never noticed the patch.

My point is, not all searches are equal. 'Snot much of a point, I guess, but there's a chance of making it through so long as you don't bring attention to it, act exceptionally nervous, or give them cause to be more complete.

Re:Laptop

[KGIII]

I think you just met someone who still has "faith in the system." They're a rare breed around these parts. I think we may need to start putting a few out on the range for preservation sake. That or a zoo...

Re:Laptop

[KGIII]

I am on the road, sort of, and I certainly don't even have any data worth stealing. Yet, at home, I have a box running Lubuntu and running a VNC server with secure connections enforced and only allowing access for a specific IP address (my VPN). I use any old laptop that I have with me, often just for a Live USB, and connect to my VPN, then my home server, and then access the web. I even do this for typing this post.

I don't even have an email client configured on this particular computer - that's accessed by connecting to the remote machine. There's ample power at home and a UPS, a real one and not some pseudo thing from APC, so I've not had a problem. If worse comes to worse there's a failover system and, absolute worst, I have a laptop that's set to resume when power returns should that happen - that's my tertiary backup.

ll were properly configured and tested prior to leaving. The house has a security alarm and cameras so I *might* know if there's a physical intrusion. This isn't even 'special' data, not by any means, it's just that I'd prefer to be moderately secure. Hmm... How has it been of benefit?

I was still on the road when the Ubuntu family of 15.10 dropped so I used the remote machine to grab all of the 64 bit versions and set them to share as torrents. I don't have to worry about the hotel's wireless being snooped on as my data is encrypted. I get to access my NAS from remote. If someone steals my laptop then I'm good to go in an hour or less. When I go to Canada or come back, there's nothing for them.

I also encrypt and upload a few things. I'll put some in various different services and some on my own server. Sure, I never know where what is but I know where it all is and can find it. That way I can still use eTrade when I'm bored. I have shared service through my credit union so I don't need to do any online banking and I never do.

I'm sure it's not 100% secure, nothing is. It's secure enough for my needs and has an acceptable risk profile. I used to carry around quite a bit of proprietary code and other data. Keeping things encrypted and choosing the least risky method is kind of a habit. I know that nothing is secure, it never will be, but if one wants complete security they'll never get anything done.

Re: Laptop

[allo]

And then? They need to know what they are searching for.

The card is broken, so you cannot recover it. The card is down the drain, so they do not know it was there, when they are interrogating you. When they find it afterwards ... no problem, you do not know about it.

Re:Laptop

[TechyImmigrant]

Well I don't put bombs in things. It's not the kind of thing I do. I'd prefer the additional disk space.

Re:Laptop

[TechyImmigrant]

They can charge you with withholding the key. In the UK, your attempts at evasion would land you in jail.

Do we have to go through this again?

https://xkcd.com/538/

Re:Do we have to go through this again?

[AmiMoJo]

The key is to have no way to decrypt the laptop, then they can't force you to. Make sure someone else has the key, preferably in another jurisdiction (i.e. country).

Re:Do we have to go through this again?

[BitterOak]

The key is to have no way to decrypt the laptop, then they can't force you to. Make sure someone else has the key, preferably in another jurisdiction (i.e. country).

That could land you in prison in the U.K. Legislation in that country required you to decrypt data for authorities on demand. Losing or destroying the keys is no excuse.

Re:Do we have to go through this again?

[gweihir]

Indeed. That British law is not about right or wrong, it is about enabling them to do it to you for daring to encrypt things they want.

Re:Do we have to go through this again?

[BitterOak]

The police have to show that you have the key for there to be a prosecution. Otherwise they could just lock anyone up by demanding that they decrypt /dev/random. For safety you have should make sure you can prove that you don't have the key.

First of all, there's never any way you can prove you don't have a key. Period.

Secondly, I don't think you're correct about the law. I think the law requires you to be able to decrypt any encrypted data you have (/dev/random is not a file; it's a device), or any encrypted communications you have engaged in. My understanding is that it is effectively illegal in the U.K. to use communications protocols which employ perfect forward secrecy for that reason. (There are exceptions for some SSL web traffic, I think, but I could be wrong.) I'm not a lawyer though, so I could be wrong about my second point.

Re:Do we have to go through this again?

[JustAnotherOldGuy]

The police have to show that you have the key for there to be a prosecution.

Unfortunately, these days they can just insist that you know the key, or claim that they know you know the key, and you'll probably sit in jail for quite some time before they let you out (if ever).

It's hard to prove you don't know something, especially if you've encrypted data that they want. Their reasoning (to the judge) will be, "Who would encrypt data without a way to decrypt it, your Honor?" and most judges will go "That makes sense."

And frankly, it does make sense. Why would someone encrypt their data if they didn't have a way to decrypt it?

Re:Do we have to go through this again?

[AmiMoJo]

The onus is on them to prove you know it. So far the only times this has happened is when the person was accessing the data recently and they had proof, e.g. log files showing a recent mounting of the drive. If you can demonstrate that you set up a system where you made sure you didn't know the key, you should be okay.

You have to be careful to create evidence though, because e.g. just securely deleting the data by overwriting with random bytes could screw you. You can't unlock it, and you don't have proof it isn't encrypted data, and they have some evidence that you used the machine recently...

It's still a risk even if you do it right of course, because they could decide to ignore the law as they sometimes do, but that's a risk no matter what you do. If they are willing to ignore the law then it doesn't really matter what you do, does it? Your fully wiped laptop will mysteriously acquire some child porn, your empty pocket will produce a flash drive full of classified documents etc.

Re:Do we have to go through this again?

[Kjella]

First of all, there's never any way you can prove you don't have a key. Period.

Nobody's proven that the Star Trek teleporter is impossible either, but if you were in New York and is charged with killing a man in San Francisco five minutes later you have a very strong alibi. Documented procedures that show you wouldn't be given the key and testimony saying the procedures were followed is as good as evidence gets in a court room. History can't be turned into a reproducible experiment, you only have the information that's been observed, recorded or might be gleamed from the leftovers. It's not the same standard of "proven" as science since history is obviously not reproducible, it happened once and all you have is evidence and testimony about it. Whatever information was lost, is forever lost and you can't get it back.

Re:Do we have to go through this again?

[arth1]

And frankly, it does make sense. Why would someone encrypt their data if they didn't have a way to decrypt it?

Who's to say it is encrypted data? I tend to do this to SSDs first thing I get them:
dd if=/dev/urandom of=/dev/XXX
The reason is partially to thwart compression schemes and make sure that the drive really can handle being full of uncompressible data, and partially to enter "worst case" write amplification as early as possible, so I know what the real worst-case speed of the drive is, and not get nasty surprises later
Of course, after that, any unpartitioned space on the drive will be indistinguishable from, say, a truecrypt unpartition. But I sure can't decrypt it, because it doesn't have encrypted data on it. Probably.

Re:Do we have to go through this again?

[Antique+Geekmeister]

> First of all, there's never any way you can prove you don't have a key. Period.

I agree with your reasoning. This is what steganography is for. One secure key can be used for secure data, the other for much less critical, "personal" data of much larger volume, such as personal correspondence and shopping lists.

Re:Do we have to go through this again?

[cas2000]

It's entirely normal to send encrypted mail that is encrypted so that only the recipient key(s) can decrypt it and not the sender key.

In fact, with PGP and gnupg you have to go out of your way (i.e. use a special config option or command-line option) to encrypt a file so that the key used to encrypt the file or message can also decrypt it.

With gnupg, that's the encrypt_to option.

Re:Do we have to go through this again?

[KGIII]

Not really directed at you but more an addition to your post...

What I find disturbing is this talk about proving one's innocence. That's not how the justice system works, or should work. The burden of proof is on the State to prove that you either, more likely than not, committed the offense or that a reasonable person would conclude, beyond reasonable doubt, that you committed the offense. The former is for civil offenses and the latter for criminal offenses.

You should never, ever, have to prove your lack of guilt.

One other thing, the Western courts do not typically find people innocent. They find them 'not guilty.' For who among us is innocent, after all? (Some weasel words included because defining "Western" may be difficult and I am not aware of specific operations for each and every court.)

Easy

Easy: Store nothing sensitive anywhere on the laptop. Make sure all browsing history/data is wiped before the laptop is every put to sleep/hibernate.

Complete Deniability that data exists

[gurps_npc]

Whatever kind of encryption you use should have the ability to use alternative passwords - an unlimited number of them. So enter password (A) reveals your tax records, password (B) gets pictures of naked 30 year old men. But enter password (C) and you get clear pictures of Mr. Cameron violating a dead pig. When they demand your password, give them password A. If they get all torture-ish you give them password B.

Re:Complete Deniability that data exists

[gurps_npc]

Truecrypt did something similar using what they called a hidden container system. But Truecrypt is no longer secure.

Re:Complete Deniability that data exists

[grub]

But Truecrypt is no longer secure.

Are you sure? Last I read was they shut down the project with a vague statement like that but nothing to back it up. The recent audits showed it was still a good product from what I remember.

Re:Complete Deniability that data exists

[kbonin]

TrueCrypt probably triggered their warrant canary and the dev team decided to call it quits, since NSLs are so much fun to fight for people living in the formerly free country known as the US. In the mean time, code forked and picked up here: https://veracrypt.codeplex.com...

Re:Complete Deniability that data exists

[grub]

I use VeraCrypt. Was wondering about the claim of TrueCrypt being insecure.

Re:Complete Deniability that data exists

[RDW]

Some flaws the audits missed were discovered a month ago, at least on Windows:

http://www.zdnet.com/article/t...

Re:Complete Deniability that data exists

[kbonin]

Nobody has found any real crypto weaknesses in TrueCrypt to date, in public or in any of the private crypto groups I know of. This article claims that two TrueCrypt driver bugs expose systems to a privilege escalation attack, and these have been fixed in VeraCrypt: http://www.itworld.com/article...

Re:Complete Deniability that data exists

[monkeyzoo]

All correct. But TrueCrypt's hash security is a,lso aging and rapidly approaching (if not already at) the marginal level. VeraCrypt has also fixed this.

Re:How about this...

Unlike common criminals, try cooperating with the police. You'll be better off in the end for it generally.

What if the police have become criminals themselves?

Don't have anything for them to find

[Todd+Knarr]

Best bet is simply not to have anything for them to find. Store your data on a thumb drive (that you'll carry or ship separately) or upload it to your own server or a service like Google Drive or Dropbox, encrypting it or not first, all depending on how sensitive the information is. Delete it or secure-wipe it or wipe the whole drive and do a complete factory restore on your laptop depending on how invasive you think the search might be. Then let the cops search all they want, they won't find what isn't there.

NB: Linux makes a better platform for this than Windows. On Windows bits of your files can end up in the oddest places to be found during a scan of the drive. On Linux it's easy to set up a separate partition where all your data will go and be certain it didn't leave traces anywhere else, and that partition can be secure-wiped and reformatted without messing up the OS installation in the process. Plus the cops are less likely to be familiar with Linux, and you can play the dumb-non-techie card of "I dunno, it's whatever the guys in IT put on it. I just follow the instructions to run my programs and everything works.".

Re:Don't have anything for them to find

[LVSlushdat]

Tell me my tinfoil hat is on too tight if you want, but I *strongly* suspect its NOT going to be *too* far in the future when those of us who refuse to use Windows and use Linux instead will be charged with violation of a yet-to-be-passed law, but one that is almost surely to be passed by the authoritarian thugs that currently infest most governments. For all we know, this sneaky Transpacific Partnership abortion thats making its way thru the halls of congress may have the beginnings of such in it, and since we, the unwashed plebes, are not privy to its contents, heaven only knows what is in it. Both the US and UK are diving at a faster and faster rate down towards blatant totalitarianism.. When you look at the many traffic analylsises that have been on Microsoft's latest offering, you start to wonder if they've not gone into partnership with the NSA to fill up that giant datacenter in Utah with everything you do on your Windows machine. This being the main reason I suspect it won't be too long before those of us who don't suck at the MS tit, will be persecuted for using an OS that doesn't feed the MS/NSA behemoth... Before you accuse me of being paranoid, stop and think about what I said.... Glad I'm 65 and not a youngster growing up in this ever-increasing totalitarian world...

Re:Don't have anything for them to find

[Todd+Knarr]

Yes, but if you're dealing with a situation where they'll hold and interrogate you for an extended period even if they find absolutely no evidence at all then you have bigger problems than how to keep them from finding anything. In that situation the only way to avoid this is to not go there in the first place and if you have to go there the question's more along the lines of how do you get in and out without them finding out you're you along the way. And that frankly is seriously out-of-scope for this kind of forum.

Re:Don't have anything for them to find

[maugle]

I doubt Linux would be banned entirely (it's in use by too many big businesses), but I could see only certain "approved" distros being allowed. I'm sure Red Hat would jump at the chance to be the sole government-approved official Linux provider, and I doubt they'd even think twice about including a few "special" government-provided packages in their base installation.

...assuming they don't do that already.

Re:Don't have anything for them to find

[JustAnotherOldGuy]

Best bet is simply not to have anything for them to find. Store your data on a thumb drive (that you'll carry or ship separately) or upload it to your own server or a service like Google Drive or Dropbox, encrypting it or not first, all depending on how sensitive the information is.

Bingo. This is the only way to avoid the whole mess of having data for them to become suspicious of in the first place. Don't have anything for them to find or become suspicious of.

Once they find encrypted data most law enforcement authorities will automatically assume something nefarious, and even if they don't, they'll still want to see what it is.

And they'll use the old "We think it might be child porn" as an excuse to hold you for as long as they can get away with (and these days that may be forever).

Re:Don't have anything for them to find

I doubt Linux would be banned entirely (it's in use by too many big businesses), but I could see only certain "approved" distros being allowed. I'm sure Red Hat would jump at the chance to be the sole government-approved official Linux provider, and I doubt they'd even think twice about including a few "special" government-provided packages in their base installation. ...assuming they don't do that already.

They could roll it right into systemd!

Re:Don't have anything for them to find

[AHuxley]

The OS created log files could be a hint to other networked data or a device in use in the control of the user. The next request would be the password to your backup cloud please or to show the device.

Re:Don't have anything for them to find

[101percent]

Most people involved--such as Edward Snowden & William Binney--do not want "law enforcement neutered." Some of the things the feds are doing is completely outside of law with no public scrutiny and narrow compartmentalized oversight. Even the more radical folks like Jacob Appelbaum are proposing very basic things that can be done to make the internet safer for all of us.

Re:Don't have anything for them to find

[Lennie]

Wouldn't be surprised if Microsoft caved. The architecture of Skype changed when Microsoft bought the company, it's no longer p2p. They are really helpful with providing access to data of former Hotmail.

But a much bigger problem is the rules in the US (at least for us foreigners, I'm in Europe, they'll probably get the data of the people in the US too):
https://media.ccc.de/v/31c3_-_...

The rules talks about remote compute, so my guess is it applies to: VPS, 'Cloud computing'/IaaS, PaaS, SaaS and all those kinds of services.

My problem is not with my data, I know where my data is and if it's encrypted. I put it there.
The problem is with companies that have data about me: insurance companies, banks, telecom providers and the 3rd parties they deal with. I do not directly control where they keep my data.

Re:Don't have anything for them to find

[houghi]

You are aware that they do not care if the data is on the HD of your device? They want to access the data or use it to incriminate you. If they are at that stage, they already know you have it somewhere.

Depending on the country you are in, they can make your life a living hell if you don't hand it over.

What is discussed here are technical solutions to social problems. They do not work. They never work.

Re:How about this...

[wickedsteve]

https://www.youtube.com/watch?... http://www.kirkpiccione.com/10...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:How about this...

> Unlike common criminals, try cooperating with the police. You'll be better off in the end for it generally.

Sigh... Dont Talk to Police

Not possible

[gweihir]

In the British Police-State, that is not possible, unless the journalist is willing to go to prison for failing to disclose an encryption password. Forget about "plausible deniability", that is for kids and morons. It does not work in practice.

The time to protect essential freedoms in Britain is past, and the battle (pathetic though as it has been) is lost. Anybody now trying to protect itself will just be classified as a "terror supporter" and that is it. Expect concentration camps to be opened soon.

Re:Not possible

[gweihir]

Enough has been written about the utter stupidity of "plausible deniability". It is almost impossible to be "careful and don't leave breadcrumbs" even for experts. Go land yourself in hot water if you like. But don't say you were not warned.

Re:Not possible

[AmiMoJo]

Recent events don't seem to support that assertion. The Guardian was able to handle the Snowden files without being imprisoned or losing them. Okay, some MI5 goons made a show of destroying a few laptops, and the footage ended up on YouTube and the stories were published anyway.

The BBC's mistake was not protecting their journalist's data properly. If you take precautions, it's possible. In this case, if they had used a live CD so there was no trace, and protected the contract details with encryption the police would probably have been screwed. They could have tried to prosecute for not decrypting, but then there would be a huge legal battle over it, taking years. They only did this because they were able to do it by the back door, in a way that made it hard to resist.

Re:Not possible

[gweihir]

That is the main non-technical problem. The main technical one is that you must not use the cover OS installation to protect the hidden area (which is glaringly obvious) or that the hidden area must be protected against overwriting (which is glaringly obvious).

The whole thing is a smart idea that completely falls on its face when confronted with technical and non-technical realities. Unfortunately, most people are far too much removed from reality to see that and hence live in this fantasy-world where this idea works. Kind of why the evil fuckers that make these considerations necessary were voted into office in the first place: People are generally stupid.

Re:Not possible

[gweihir]

The question was about an individual journalist. If you have an organization large and well-known enough to be hard to touch and somebody with real courage on the top, then you have a chance. But the editor of the Guardian _was_ willing to go to prison, if that was what it took. And that _is_ what it takes in a police state slowly going towards full-blown fascism.

Re:Not possible

[linuxrocks123]

Care to share some links? The only thing I'm aware of that you may be referring to is that the Windows implementation of TrueCrypt has a bug where it doesn't properly exclude the hidden filesystem from search indexing or somesuch. The concept is sound. And if you're using hidden volumes, you really should be using live CDs to inspect the hidden volumes anyway.

Re:Not possible

[linuxrocks123]

Even in the UK, they must prove that there is a key and that you at one point had access to it in the past year. If they prove you had access to the key in the past year, then the burden shifts to you to prove that you no longer have access to the key.

It's a bad law, but don't spread disinformation about it. And the US situation is much, much better.

Re:Not possible

[gweihir]

Don't be lazy, google() yourself. The whole idea is utterly disconnected to reality. Of course there are a lot of bright-eyed morons that think this thing is actually going to help. It is not.

Re:Not possible

[gweihir]

The hidden volume is protected by being inside the decoy volume, which you don't modify after setting it up.

Which happens to be glaringly obvious.

Re:Not possible

[linuxrocks123]

Assertions without evidence are not credible. If you can't or won't support your claim, why are you making it?

Re:How about this...

[gweihir]

That one is true even in budding fascism as the British now clearly have.

Re:How about this...

[93+Escort+Wagon]

Unlike common criminals, try cooperating with the police. You'll be better off in the end for it generally.

Yeah, in this case I'd have to agree with you. According to the article, the police went to a judge and obtained a court order to get the information - so if you don't provide it, be prepared to sit in a jail cell until you change your mind.

I do think these laws are overreaching and need to be rewritten (and rescinded in some cases) - but the police were following the letter of the law here.

Re:How about this...

That's very bad advice sometimes, when it is. You're advocating 4th amendment roullette. Moronic.

It's sad, but can you really trust them?

[DreamMaster]

It's an unfortunate sign of the times, but I've read far too many articles about people being arrested and jailed for unknowingly violating the technicalities of various different laws.. consenting partners under 18 being jailed as sex offenders and being listed for life, insulting heads of state or reporting on human rights abuses, jailed for having cartoon porn / weird tentacle thing stuff from Japan that still gets branded as child pornography, or even for whistle-blowing. And particularly for America, reading in recent times, the attitude of border agents that they're outside the law and no-one has any constitutional rights.. frankly, if you are a journalist reporting about things your government (either American or elsewhere) are doing, you'd be a fool not to have everything strongly encrypted, and give them the leisure to browse through your stuff to find something to charge you with.

Tails and remote storage

[klingens]

On your Laptop there is a normal Windows installation which is not used for work. Only for stuff like browsing the web in the evening at the hotel. mails to the kids, etc.
On a USB stick on the keychain there is a copy of Tails https://tails.boum.org/index.e...
You rent some VPS or root server in a country of your choice, under a different name, preferably paid via cash. This is the place where all the data for work is stored. encrypted.
This server you only access via Tails which uses Tor by default.

If you can't do this, you put an encrypted VM onto your Laptop which happens to have the data for work and you write your stuff or access the web for work related research only in this VM. Again using a distro like Tails.

Re:Tails and remote storage

[gweihir]

The VPS+Tails idea is about the only one that can work. Better write nothing down though and better make sure your tails copy is always current and cannot be tampered with. Incidentally, renting a VPS with cash is impossible almost everywhere, but you do not actually need to. Just make sure it is a country that is unlike to cooperate with your enemy. In addition, better make sure to only work on it via hidden service or it may well get attacked by "hackers" in some routine government-sponsored break-ins.

The encrypted VM is an exceptionally stupid idea though.

Re:Tails and remote storage

To elaborate: encrypted filesystems like Truecrypt store the encryption password in RAM. Virtual Machines store RAM persistently on the unencrypted filesystem. This makes "cold boot attacks" significantly easier to perform.

Re:Tails and remote storage

[gweihir]

Indeed. An that is just one of the problems.

Re:Tails and remote storage

[monkeyzoo]

Correct; so you always power down before traveling. Problem solved.

Re:Tails and remote storage

[monkeyzoo]

Mmm. I was talking about TrueCrypt (or now VeraCrypt) vanilla. I see you meant in a VM environment, so never mind. ;-)

Re:Tails and remote storage

[gweihir]

Oh, and that large, encrypted WM image is not going to raise suspicion? On what planet do you live?

Re:Tails and remote storage

[twitnutttt]

Suspicious?!?
"Of course my hard disk is encrypted, officer. It contains my personal data and I don't want that ending up in the wrong hands if my laptop is lost or stolen."

Re:How about this...

[Teun]

What do you mean, 'budding' fascism?

Have you forgotten in the late 1930's the UK had the largest Nazi party outside of Germany?
And it's leader was a member of the royal family.

Yes I know there is a small difference between Nazism and Fascism.

If you're in Britain

[physicsphairy]

Don't store anything on the laptop. The fact they can legally compel you to provide the means of data access means you are in trouble in every case which they have possession of both you and your laptop. You can either do a really good job of hiding the data or you can keep it outside of where they can get it. How about a remote server a trusted person can deactivate if they hear about your situation?

Re:If you're in Britain

[hcs_$reboot]

Additionally, work on your waterboarding endurance.

Short answer

[overshoot]

Don't have a drive in it. Don't have bits that they can claim to find suspicious. No excuses, because even (or perhaps especially) if they don't find anything on your laptop they'll confiscate it anyway to have the boys back at the shop take it apart ten ways from Sunday.

When you arrive, buy a new drive and load it up. How? Well, if you're visiting a field (or home) office, they'll have a disk image handy for you to use. If there are private bits that you haven't shipped over yet (SRSLY? They travel faster than you do, after all) then you can take them along. The border peeps aren't interested in doing cavity searches on everyone, after all, and short of shredding all of your clothing as well as the rubber-glove treatment they're not likely to find a micro-SD.

Invest in a 4G account

[Teun]

In the UK you can be forced to hand over keys so keeping anything, encrypted or not, on the laptop is a no-no.

Get yourself a 4G account and mail the Veracrypt file to a safe country.

1, 2, 3

[chill]

1. Use Linux for the simple reason you can separate partitions. Create a separate /home partition that mounts on an encrypted removable drive, like an Ironkey.

2. Do all work on the removable drive.

3. Never cross a border with both the laptop and the removable drive. Ship out courier the drive separately and carry the laptop.

This way there is nothing on the laptop to be searched or seized.

There are limits

[FrozenGeek]

to what you can actually do.

You can hide files in a hidden container, you can encrypt files and give the key to someone in a different jurisdiction. But, in the end, if they have you and they have the computer, they will probably get what they want. We used to call it "rubber hose crypto".

If you don't have to bring the data with you, don't. Put the encrypted data somewhere in the cloud and pull it down when you need it. Then purge it from your computer.

SD cards are small and might pass if you are not subject to intense scrutiny. But if they are really looking at you, they will be found. If you don't have a lot of data, consider encrypting it and then use steganography to hide it in some of the files in you iPod.

Assuming you do not keep data on the computer, what you need to do is install apps that will:

• securely delete files
• securely clear swap space

Make sure to clear history, etc.

The best way to store data securely is in your own head.

Install Gentoo

[fredgiblet]

They won't be able to figure out how to make it work, so your data will be safe.

Re:Install Gentoo

[gweihir]

They will just lock you up a few weeks until their Gentoo-expert finds the time.

Re: How about this...

Heh heh. You said what if.

Remember the rubber hose attack

[jonbryce]

The Regulation of Investigatory Powers Act allows them to compel you to hand over any passwords or encryption keys needed to access the data.

Real advice that would piss off 3 letters....

You want to run gentoo hardened. Separate partition for /boot and use full disk encryption with cryptsetup. I'd recommend paranoid high iteration count and using serpent over the official AES. Think of a nice long sentence or two and type it out without using the space bar, then toss a real password at the end of around 10 characters minimum. Do not use USB thumb drives for the key, memorize it as I said above.

Use non-standard use flags and do not use any -O optimization level and opt for safer-but-slower code. Do not use hardware acceleration hooks for encryption, prefer slower software generation (less backdoors/issues from biased hardware). Do not run or use any remote admin tools such as SSH, or if you do generate 16384 bit diffie-hellman moduli on two different machines and use only the ones common in both outputted moduli as your real DH pairs in /etc/ssh/moduli.

Keep the system partition with disk encryption, separate from your small-as-possible directory where you keep the sensitive news items. Known plaintext attacks can assist breaking the encryption behind the system-partition since there's files that *must* contain certain content inside /etc and such. You want your documents to use a separate encrypted mountpoint and never copy any known things there and only put things you write inside that partition uncompressed (again known plaintext).

With the Gentoo hardened GRSec kernel, you will want to use the option to disable any USB devices added after boot as to prevent NSA USB Fobs from being inserted to do DMA-memory attacks. You will never use wireless, always opting for a physical cable. You will never use firewire/thunderbolt/sound and they should be missing from the machine or disabled. Remove the microphone from the system, keep the webcam and tape over it (later you can use it to shed encryption keys from memory upon seeing a fast moving blob approaching when agents raid.

You will never leave the machine out of your sight booted up with the encryption keys in memory. Upon leaving the machine, you should spray a light bit of silly-string over it and take a photo of the unique strands. When you come back compare it and if you spot any differences the machine was accessed while you were away.

Wrap the machine in RF shielding and when doing encryption, run other encryption of the same type in a loop before starting the real encryption to prevent side channel attacks against the Chinese Remainder Theorem (youtube this for a demo of snatching RSA keys over RF leaks).

Never type your password with a cellphone within hearing range or else the keys will be heard and deciphered that way. Put the cell phone in a box like the oven or microwave then go back and type your passwords. Once the setup is complete with the machine, you will never update it and do not use it to get online once setup. Go back to using CDROMs as the input medium and mount it readonly,noexec with the system encryption key unlocked but not the private directory. Reboot after using the CDROM and *then* unlock the private directory and move the files from the system directory over. This way any memory loading/stealing by a hijacked CDROM device won't be resident or have the ability to snag that coveted secret key.

I'd keep going, but I'm afraid I've already said too much...

Re:How about this...

[gweihir]

If you do not, then you are a "troublemaker" and will be treated just the same as a criminal. The police state is violently opposed to any and all resistance and the law does only support them, not you anymore.

Re:Trickery.

[gweihir]

1. (Most stupid proposal so far): That will fail by a simple look-up of the HDD serial number which the HDD reports via SMART command.
2. Ever heard of x-rays? You know, like they use in airports?
3. Lots and lots of forensic tools that can detect that.
4. Uh huh. About as obvious as just ssh-ing to your remote server. Nothing gained at all.
5. Again, x-rays.
6. An have that friend go to jail as a "data mule" instead. Only good piece of advice in here. Utterly immoral though.

Re:Sigh

If the journalist has a home computer, suppose it was left on, with plenty of UPS protection, while the journalist was out of the country, with laptop? Then, shortly before travelling back to the home country, the journalist uses the laptop with Tor or some other secure protocol to upload/transfer critical data to the other computer. The laptop can then be TOTALLY erased --we know programs exist to do a thorough job of it-- such that a fundamental reinstall of all software would be needed, before it can get used again. The erased laptop is, of course, what would be handed over to customs ghouls.

Step by step instructions

[spiritplumber]

1) Make one of these: https://hackaday.com/2015/10/1...

2) Hand everything over. Warn the bad guys that if they try to use your USB stick, it'll fry their computer.

3) When they fry their computer, ask if they have learned their lesson about taking you on your word.

4) Be cooperative. You already won the battle of wits, be a gracious winner.

5) Your data was on your obscure self-hosted webserver elsewhere in the first place.

Re:Step by step instructions

[tommeke100]

Although all these things sound cool, that's a sure way to not get into the country and be charged with whatever they come up with ( destruction of government property, assault - 'cause if that can fry a computer ... , espionage, terrorism, ... ).
If you're on some list you basically already lost. You can play dumb if it's a random check, you boot up to some family pics and some pr0n in the browser history. But if you're a journalist suspected of having some shady contacts and information, you are the weak spot, not your laptop. Because they may not get the info out of the laptop, but they sure can get it out of you. And these guys have training and years of experience in interrogations, whereas it may be the first time the journalist or other is being questioned. They also have all the time in the world, while you may have some planes to catch.

Re:Step by step instructions

[bloodhawk]

The fact you think there can be a step 4 where you are the winner in this scenario is delusional at best. Only a few possible scenarios will happen here and NONE of them involve you winning.

best case, you will be refused entry to the country, have what is the equivalent of a criminal record for travel terms where you now have to declare that refusal of entry and be royally fucked for the next decade where most countries will refuse you a travel visa.

More likely, they believe you, check the device (believe it or not they do take threats of damage extremely seriously) and you are charged for carrying a device with the sole purpose of causing damage. worst case they don't believe you are you are charged with all of the above, plus damage, plus whatever else they can come up with. either way you are likely to spend a period of time in a nice comfy jail.
seriously the ONLY way to avoid exposing data is to not take it with you or any means to access it with it, in today's world that isn't even hard to do, your dumb idea ranks up there with others suggestions of encrypted drives (also a huge no no as you are then in a situation of being potentially forced to decrypt or be in breech of other laws).

You may be compelled to decrypt it anyway

[gotribal]

Back when I was at Kazaa many years ago, I kept all my files in a BestCrypt-encrypted drive, and all sensitive emails were PGP-encrypted. I was feeling pleased - if anyone got hold of my computer, there was nothing to see. But then one day our office was raided in a search discovery order, and all that time spent encrypting things came to naught, if I refused to hand over anything it would have been contempt of court. And so I printed out thousands of emails in one long continuous unformatted strip... that was about as far as I could go. I did consider that I could have gone one step further and used BestCrypt's feature that lets you create an encrypted drive that's actually two partitions - give out one key and all you see is nice set of clean files, plus a whole lot of random bytes. It's something to consider, but you're living dangerously if it's a court order. BTW, there's discussion here about keeping data in the cloud - another tempting option. Broadly the law can compel you to hand over any data "In your control or possession", where possession is defined as including the means to retrieve remote data. So there would need to be zero knowledge of having that remote data at all. Just sayin'

Store nothing

[folderol]

The parent organisation should maintain a networked data store that all it's reporters have a write only password for.
Data is then sent via ssl. No other encryption software of any kind on the laptop.
Absolute minimum of services and a tiny hard drive, with no swap file/partition.
Reporters should only use a plain, single view, text editor that doesn't store parts of a working document to file, and can be made to direct send the data without ever touching the hard drive.

Two Man Control

[tengu1sd]

And for the politically correct, social just warriors, etc. .. man in the sense of person

You carry a laptop, you carry a live boot USB stick/CD, You carry encrypted media, possibly the same as a boot USB. Your counterpart, possibly in another country, carries the decryption key. You carry his decryption key. Never cross an international border together.

These suggestions all suck, IMHO.

[Type44Q]

Personally, I'd perform a persistent install [of the distro of your choice] to a bootable MicroSD card. You can not only boot it up on virtually any PC, there are myriad ways you can throw them off or just plain fuck with them. Hell, really mess with their heads and lug around a laptop with Win9x on it (you don't even need all the drivers; present 'em with one huge fucking list of yellow exclamation marks in Device Manager!).

The bootable MicroSD card you can hide almost anywhere (up your nose, in a slit cut in the sole of your shoe, etc etc).

Re:Trickery.

[overshoot]

Yes, it's possible to find MicroSDs -- if you do a full-up fine-tooth-comb search. Which takes hours and pretty much destroys everything in its path. If you've really pissed off the Powers That Be, they might. Then again, they've probably done the same thing to your office, home, car, and anything else you've been near recently anyway so why start worrying at the airport?

Otherwise, the major danger is that your brand-new Alienware machine looks like it would be better off in someone else's collection and the "confiscation for the sake of search" is just an excuse. Which is why you're better off without it (get another on arrival) or at least leaving the hard drive at home. The MicroSD chips aren't what they're after and finding the one in the heel of your shoe is more trouble than it's worth.

easy

[Anne+Thwacks]

Zip the relevant files, and then change the extension to .odt When people cant read them, they will blame Microsoft! (Or use bzip, or compress or even IBM Squoze)

Re:Store SOME work data in the laptop

[overshoot]

Everyone should have at least a few files that are encrypted random bits. Big ones. Just to make sure that the snoops suffer for being dicks.

security tin a box

[belmolis]

These folks provide advice for human rights activists who want to stay safe and protect their sources from nasty governments: Security in a Box.

micro sd

[luther349]

run a parasent Linux distro like puppy on a micro sd as the entire os is stored in ram. save you data to the sd card they can be easily hidden or destroyed. now the fun part encrypt your entire harddisk with windows on it to make them think your hiding something then make them wast there time getting a court order to hand over the key just to find nothing.

Camera and SD card

[scollard]

Buy a camera that uses dual SD cards, like a Nikon D7000, and keep the card in the camera when moving through security. Store your computer data on one of the SD cards in an encrypted hidden file. Make sure you take lots of pictures and have the camera set to use the cards in mirror mode. No security people will image a camera card. At best they look at all the pictures using the camera. If they do image the card, highly unlikely, all they can find is a hidden encrypted file that you just deny any knowledge of.

Re:Camera and SD card

[Fnord666]

No security people will image a camera card. At best they look at all the pictures using the camera.

If you are an average person then maybe. If you are a "person of interest" then they will image anything you have that they find. Relying on something this arbitrary seems like a really bad idea.

VPN + RDP

[EmagGeek]

Easy. Don't do anything - and I mean ANYTHING - locally on your laptop. Use it as a glorified VPN and Remote Desktop/VNC Client to a PC safely behind your employer's firewall, or at a hosting provider that is in a country with good privacy protections.

Full Disk Encryption

[SwashbucklingCowboy]

With a really long passphrase with weird characters. They'll spend the rest of the natural lives waiting for it to be cracked.

Re:Store SOME work data in the laptop

[Zero__Kelvin]

"If possible, study memorization techniques and memorize what you can."

... if it is not possible for you to memorize what you can, you may suddenly have entered an alternate dimension.

Suicidal.

[westlake]

Survival 101.

Pissing off the border guard.

How the story ends if you "Ask Slashdot."

2) Hand everything over. Warn the bad guys that if they try to use your USB stick, it'll fry their computer.
3) When they fry their computer, ask if they have learned their lesson about taking you on your word.
4) Be cooperative. You already won the battle of wits, be a gracious winner.

How the story ends in the cinematic world.

[Anonymous basement interrogation room]

Wake up! I need you to be focused!
You either give me what I need or this switch will stay on until they turn the power off for lack of payment on the bill.

Which do you think cuts closer to the truth?

Clear Out Files You Do Not Want Exposed

[DERoss]

1. Backup the data files to a single backup file.

  2. Encrypt the backup file using an OpenPGP application (e.g., PGP, Gnu Privacy Guard). Software should not have sensitive data so it does not need to be encrypted.

3. Upload the encrypted backup file to a cloud service whose servers are in a nation that will not respond to a police warrant from the nation whose police worry you.

4. Use a strong eraser application to erase the original files, the backup file, and the encrypted backup file on the laptop.

Let's do the math!

Project Gutenberg has 50,000 books. Each book as 100,000 words.
Each word can be the starting point for 5 keys (5 to 10 words long).
That's 25,000,000,000 keys. Roughly a 34 bit keyspace. Not really
all that great, IF they know that's the algorithm you used to choose
the key. If you drop the e's and they don't know, then their brute
force attack won't work.

Re:Let's do the math!

[AK+Marc]

Then pick a book that isn't English. "Whan that Aprill, with his shoures soote The droghte of March hath perced to the roote" or one that wouldn't be there if they did a Gutenberg match. When it's an all books ever written (like a translation of an Agatha Christie into Spanish I have laying around, or a variety of text books that weren't popular), then it'd be nearly impossible for someone to match it.

Or the words on a Magic The Gathering card.

The entropy is much higher than you'd think. They'd have to know specifically what you used to have a chance, and at that point, they'd essentially have your key anyway. It might be harder to find the edition. But then, http://www.amazon.com/Fundamen... so you can get the e-book whenever wherever you want. Bought, but not on your laptop, read online only, and that's a book with versions, so when they get into searching every textbook every printed, in all editions (including teacher editions), the entropy increases greatly.

Get creative. Get weird. Because they'll not know exactly how you got your key, the keyspace is effectively infinite, even if the keyspace is only 34 bit, if they have your generation algorithm.

Re:Let's do the math!

[AK+Marc]

But the keyspace isn't limited to my bookshelf, but to all books ever printed in all editions, as I could get any one of those tomorrow for my key. It's an infininte keyspace, with a limited lookup table.

Re: How about this...

[slasher999]

I believe you are missing my point here as it appears others may have as well since I've been modded as a troll and someone else posted the "don't talk to police" thing. There is a difference between being polite and cooperative - good things - and volunteering information expecting the police to simply send you on your way, which can happen but is highly unlikely. I'm advocating the former. As in most aspects of life 'polite and cooperative' is generally the best policy, at least at the beginning of any conversation with authority.

Chromebook - two accounts - powerwash

[sl149q]

If you have a Chromebook, have a separate gmail account that looks active (subscribe to some innocuous mailing lists.)

Prior to border simply powerwash the Chromebook and login with the clean account. Nothing to see here officer. The password is 1234.

After you get home, login with your normal account.

Re: How about this...

[slasher999]

Confronting the police by breaking laws in order to protest the laws is, at least in the US, a pointless excercise as the policy neither make the laws nor do they judge whether the laws are fair or even legal. The job of the police is to simple enforce laws that have been made. That is as true today as it was 50 years ago.

Re: How about this...

[slasher999]

Boy I should have proof read that before posting. Several misspellings, but I believe you can get my point.

Don't you can be detained, use remote connections

[RichMan]

Many countries in the world require the ability to search computers brought across the border. You can be detained if you fail to provide access such as passwords.
Do not take precious data with you. Leave the data safely at home and connect securely.
Use secure cloud storage or even secure storage back at home base and connect using a secure VPN.

easy

Get some clunker laptop and pull the hard drive out of it. Build a bootable Linux CD/DVD with team viewer on it. Don't save any passwords IDs, etc. to it. When you're in the field, fire up team viewer to a machine that is safely at home. Work. When done power the machine down. Toss DVD before going to the airport, or keep it if you like to live dangerously. Cops snatch the laptop, has no hard drive they will have 20 questions for you, and they will ask them in a way that usually involving bright white lights, waterboarding, etc. but they will not have your data.

Re:Store SOME work data in the laptop

[Chrontius]

Or, more likely, you're discovering that you bit off more than you can chew, and you're hoping the IRS doesn't want to see last year's tax records again.

Re: How about this...

[arth1]

As in most aspects of life 'polite and cooperative' is generally the best policy, at least at the beginning of any conversation with authority.

Polite and cooperative does not include volunteering anything. Law enforcement employees are not your friends, and will use anything you give them against you in any way they can.
So, yes, cooperate, and be polite, but don't think for a minute that they'll reward you in a positive way for anything you volunteer.

Be especially wary about promises of immunity for testifying as a witness. Unless it's a full immunity in perpetuity (which is rarely given), they can demand that you incriminate yourself and waive your fifth because you have "immunity". Then they turn around and gather evidence for a crime they knew nothing about before, and nail you. They can't use your testimony against you, but they can and will use it as a basis for discovering other evidence.
So don't volunteer anything if you have anything to hide. Not even anything unrelated to what you have to hide.

And quite frankly, who can say with certainty that they have never broken a law - wittingly or unwittingly? In the eye of the cops, prosecutors and judges, everybody is guilty of something. And they are probably right.

How about transporting data in a diplomatic pouch

[Streetlight]

Put your encrypted computer or data store in a diplomatic bag for transport across borders. This may require having diplomat friends at both ends of the chain. Then again, friendly countries may be glad to help if they suspect you might embarrass an enemy.

Re:How about transporting data in a diplomatic pou

[AHuxley]

Even thats getting tricky. In the old days that was a perfect method. But with diplomatic protection now been confused with local embassy staff any convention on is getting weak. A person can claim to be, show id, seek protections but might have already been searched and had data cloned.
Later nice comments about "intake procedures" "arrest" and "appropriate procedures" will be released to the press ie the full diplomatic immunity part vs consular immunity was not found until well after the search ;)

Passphrase from a famous book

[hankwang]

The keyspace is only large if the attacker doesn't know or suspect how your password is constructed. Otherwise: 10^3 possible famous books, 10^5 words (starting positions) per book, 5 possible key lengths, 2 for with/without spaces. This gives you a key space of 10^9 that can easily be brute-forced.

And if they/NSA see you look up the book on your browser, you're definitely done.

Re:Passphrase from a famous book

[Zero__Kelvin]

I don't think you are understanding this but maybe I am wrong. In your , how many keys are in a sinmindgle book?

Re:Passphrase from a famous book

[hankwang]

A single book has 10^5 words. The passphrase is a sequence of 5 consecutive words from the book, so there are (10^5 - 5) possible 5-word passphrases that you can draw from this book. Much less if passphrases must start after a period/comma/semicolon/etc. A bit more if you also allow 4- or 6-word pasphrases. Much less than if you draw 5 random words from a dictionary or book, but that's much more difficult to remember (at least, I won't remember tens of correct-battery-horse-staple passphrases).

Re:How about this...

[AK+Marc]

NAZI is a flawed english transliteration of NSDAP National Socialist German Workers' Party. A socialist workers party isn't a "bad thing" and most people didn't notice it was not a worker's party, nor socialist until it was too late. I have no idea what the UK party was like at the time, but I'd guess they were more like the theoretical ideals, not the "kill all Jews" party. But maybe they were.

The NAZI party was a German nationalist party, why would there be so many German nationalists in the UK?

Re:How about this...

[Barny]

I don't know what I expected. Clicking random youtube links on slashdot is like playing russian roulette with your mood.

About halfway through the first video, very very interesting stuff.

self encrypting drive

[Spazmania]

You guys are aware that self encrypting drives have been readily available for a decade now, right? The bios detects that the drive requires a password and asks for it at book. The password unlocks an internal key used to encrypt the drive. Unless the adversary manages to capture laptop while it's on or in standby, no password = no data.

Re:self encrypting drive

[nospam007]

"You guys are aware that self encrypting drives have been readily available for a decade now, right?"

Yes, and every week there's an article here saying that these suck and that their encryption can be easily broken or circumvented.

Re:self encrypting drive

[Spazmania]

There are FIPS-140 drives whose encryption has been demonstrated to not suck.

As for the ones which do suck... invariable a USB drive or thumb drive. Not an internal laptop hard drive. Read carefully.

Ask Slashdot

[Fnord666]

Timothy - Any chance you could post "Ask Slashdot" stories to the "Ask Slashdot" section of the site? It exists for that very reason you know.

Re:Simple solution

[gabrieltss]

Except everyone is considered a terrorist in the governments eyes. So we are all F***ed!

Macs are pretty secure

[chriswaco]

Turn on FileVault to encrypt the drive. Set a firmware password. Make sure there are no guest accounts. See https://support.apple.com/kb/P... and https://support.apple.com/en-u... . Turn off iCloud and don't enter an AppleID. Use an encrypted text editor on top of this with a 3rd password. This won't stop the NSA, but will stop most hack attempts. Putting documents on an encrypted SD card is not a bad idea.

is the just a window problem

[skelley]

using a mac+filevault2+bootprom password should cover you

Re: Securing your laptop? Only one way... VeraCryp

[monkeyzoo]

VeraCrypt whole disk encryption. (Successor to TrueCrypt.) Duh!
Make sure it's powered off when you're traveling, and avoid malware infection. Then, you're all good.

If you're worried about compulsory password requests, then things get a bit more complicated. You can use the plausible deniability feature of VeraCrypt to accomplish this, but deniability also requires rigorous adherence to modified computing practices.

Re:I'll continue to use TrueCrypt, thank you.

[monkeyzoo]

Thank you for exposing a privilege escalation backdoor to your system through the TrueCrypt driver.

The holy trinity of the new economy

[smugfunt]

To prevent the collapse of Western Civilization due to complete automation and unfettered rent-seeking we need to institute these three policies:

Universal Basic Income which will replace most forms of welfare. However, this will not work without...

Land Value Tax based on the rental value of land not including any improvements. This will replace most other forms of taxation. For this to have the desired effect we also need...

Full Reserve Banking which will remove the ability of banks to create money and then charge interest on it.

Private natural monopolies and every other form of rent extraction must be hunted down and neutralised.

If we don't do these things the booms and busts will continue to ratchet up wealth inequality until the economy collapses and the peasants revolt.

Don't take a laptop

[sjames]

Don't take a laptop, just an install DVD. When you arrive, pick up your pre-arranged rental laptop and install your image from the DVD. Use that to download the rest from home. Then work normally.

When you're ready to leave, upload everything over the net and use the DVD as a rescue boot so you can wipe the drives. Return the laptop and shred the DVD.

EFS? Really?

[BrianMahoney1357]

I would strongly suspect that EFS has have a backdoor that Microsoft would give up immediately upon request. Same for any and all cloud storage. Also, Windows 10 is offered for free which means that someone else is paying Microsoft for the data that this OS collects by default. It's like "Here, take this free stuff so we can keep track of everything you do." Has Microsoft ever given away anything for free? Not that I can remember.

Obligatory (and not at all funny) xkcd...

[rocket+rancher]

the weakest link in any security system is the flesh and blood one...

Re:How about this...

[david_thornley]

Actually, Nazi was a derogative nickname for the party (there was a comparable nickname, Sozi, for a left-wing party). It was used in Germany, but not by Nazis, who always used "National Socialist". I would suspect it was a lot less used after 1933.

In the UK? Not much, legally.

[StikyPad]

The UK can compel disclosure of a password, with up to 2 years in jail for simply refusing to comply.

https://en.wikipedia.org/wiki/...

TrueCrypt could provide plausible deniability in theory, but the difference between theory and reality is often smaller in theory than in reality.

Re: Securing your laptop? Only one way... VeraCryp

[pnutjam]

Just load your laptop like usual, and run your vm from inside an encrypted veracrypt folder. Put another vm with some games (so you have a reason to have the vm host running). Most investigators won't spot the vm's, most of the ones that do, won't spot the encrypted ones. The ones that do spot the encrypted one, won't be able to get into it.

Re: Securing your laptop? Only one way... VeraCryp

[monkeyzoo]

I wouldn't do that without also encrypting the host OS's whole disk with VeraCrypt in case the passwords leak out of RAM onto disk unencrypted.

Re: Securing your laptop? Only one way... VeraCryp

[pnutjam]

I would say that's unnecessary for 99% of use cases, and defeats the purpose.

Re: Securing your laptop? Only one way... VeraCryp

[monkeyzoo]

I would say that's unnecessary for 99% of use cases, and defeats the purpose.

Hi pnutjam. That was my thought about the VM solution actually versus plain whole disk encryption. ;-) Is the use case you're worried about the plausible deniability requirement? Apart from that, do you see a use case that makes it preferable to go this route and install a VM instead of just using whole disk encryption?

On the plausible deniability front however, your suggestion seems pretty interesting; definitely sounds simpler to use an encrypted container with a hidden volume than an encrypted system with a hidden OS.

Re: Securing your laptop? Only one way... VeraCryp

[pnutjam]

Well, the problem with just a hidden container, is that you often don't realize where things are being written by programs you use. It's easy to end up with something in an insecure location, or sitting in you hibernation or suspend file.
With the whole OS encapsulated, you can more easily contain it. You can also have it use a vpn or tor network, so the main pc can't listen to it's traffic.
The only big problem in this situation, would be keyloggers, or some sort of malware that is taking screen shots periodically. You can guard against key loggers by using an onscreen keyboard, but the other is something you will have to avoid with opsec.

Re: Securing your laptop? Only one way... VeraCryp

[pnutjam]

In regards to whole disk encryption, I think that is great also. However, it's still difficult for your average user. I think it's more common and less of a red flag now.
My problem with whole disk encryption is that it's usually integrated into the logon. You just need to leave your pc running, and it's defeated.
I think the separate vm provides a sort of reminder and encourages you to be more conscious of operational security, which is where most people screw up.
I also like the portability.