Securing Your Notebook Against US Customs
Nethemas the Great points out a piece from Bruce Schneier running in the UK's Guardian newspaper with some tips for international travelers on securing notebook computers for border crossings. A taste of the brief article:
"Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you're entering the country. They can take your computer and download its entire contents, or keep it for several days. ... Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, won't work here. The border agent is likely to start this whole process with a 'please type in your password.' Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day."
Re:Dual Boot (Score:1, Insightful)
Yup (Score:5, Insightful)
The sad thing is that citizens think this idiotic idea of checking laptops at airports serves any kind of law enforcement objective other than generalized panic and further diminishment of democratic values such as the right to privacy.
This is your government fucking people up (and "people" can be foreigners or locals entering the country), attempting to find in information traces of delinquent activity that, if you're a two bit moron you know you can save it anyhow, in a mostly anonymous fashion on google's, yahoo's or microsoft's servers for free, and any number of services that are available today.
True criminals simply have huge botnets and hidden servers behind the huge pr0n/spam nets and they DO NOT carry incriminating evidence with them and EVEN IF THEY DID, how in hell is a customs agent going to find them?
I mean, I have a better solution than that of Bruce: change your inittab so initdefault is 3, make sure that that level does NOT turn on the wifi card or any networking at all, change your shell to ASH (hopefully temporarily) and let them have the root password, who cares.... good luck, mister customs agent.
A naive suggestion (Score:5, Insightful)
The downsides? You probably won't be able to work in the airplane, but is it worth it now that the Customs are being so much trouble?
Re:Dual Boot (Score:5, Insightful)
If they want to clone your hard drive and disassemble it later, your secondary boot OS is going to stick out. Not that it is unusual for anyone to have more than one OS on a hard drive, but it won't be hidden. Remember, they essentially have physical control of the computer. "They" win. Unfortunately, it comes down to 1) security by obscurity or 2) nothing to hide.
Roll up your sleeves and bend over.
One more reason not to fly. (Score:4, Insightful)
CF/SD cards? (Score:3, Insightful)
Re:Not entirely true... (Score:3, Insightful)
Otherwise what you're saying is that they have the right to search it, you have the right to refuse, and they have no legal powers to try to enforce their right - in other words, they don't have the right at all.
Re:Dual Boot (Score:2, Insightful)
I tend to be rather busy when on business travel (Score:1, Insightful)
Boss: WTF???
Re:Dual Boot (Score:5, Insightful)
if you are a known individual (person of interest) and you expect to be stopped at the border, don't carry sensitive material with you. Hell, just mail a flash drive.
Re:Not entirely true... (Score:5, Insightful)
I have been denied access to countries for less than not providing a password. They can pretty much turn you away because they feel like it.
Not dual boot; the network IS the computer (Score:5, Insightful)
Re:Yup (Score:3, Insightful)
I'm as libertarian free-rights paranoid as the next slashdotter (while not quite), but a healthy dose of history here. Customs, border crossings, etc. have never had anything to do with democratic values, check out all your local 17th century smuggling legends sometime. There's never been anything there to diminish.
Picking battles, I'd concentrate on what happens internally, domestic flights, internal travel, etc. and not worry about this one so much (cue "thin end of the wedge" argument).
Re:TrueCrypt (Score:5, Insightful)
If you're going to carry stuff over the border you don't want The Man to look at, put it on a thumb drive and attach it to your keys.
Re:Yes it will work. (Score:3, Insightful)
Furthermore, you could also make TrueCrypt portable on XP, putting it, and possibly even your encrypted volume on a USB Key. Include this with a simple file rename and extension change and you'll have hidden encrypted content.
Re:Dual Boot (Score:5, Insightful)
Sounds like a small price to pay in order to protect my right to liberty. Just because the government demands access does not mean I have to comply.
Other people have paid a far higher price for liberty ("the full measure of devotion" aka death).
Re:Problem? (Score:3, Insightful)
However, I advocate cooperation simply because conniption causes more problems than it solves. I would protest this however I could, legally, by picketing or voting or radio station call-ins.
Just because it's wrong to buck a system doesn't make the system right.
We have a bill of rights for a reason, and getting all panicky and security crazed is just going to let someone powerful step in and take over.
If you give up your freedom, you invite a tyrant. Trusting the government to do everything right only works with saints, which humans most definitely aren't. It's why we have checks and balances.
Simplest solution. Canada (Score:5, Insightful)
Re:Problem? (Score:2, Insightful)
The problem is that it is a plain and simple grab to take away our rights under the 4th amendment without any probable cause or due process.
Not to mention that it does NOTHING to improve the security of our borders.
And it is seemingly becoming the new standard by which TSA agents get laptops for friends and family members. Confiscate the laptop, telling the poor schmuck that it will be returned shortly after the disk is cloned for professional examination. Voila, laptop never comes back.. lots of cases and complaints on file of this particular situation.
Principles (Score:3, Insightful)
And it does not necessarily have to be work related, or something proprietary that can be stolen and sold for cash. Perhaps it is embarrassing information on the person, private pictures of family, or something else that is legal and legitimate to keep private. If you have no problem forcing big brother on yourself, that is ok. That just doesn't work for everybody...
Re:Not entirely true... (Score:5, Insightful)
This amendment exists to protect citizens from a government that may object to the content they create or possess. Maybe someone can explain why the act of entering the country nullifies my constitutional rights.
Re:Dual Boot (Score:1, Insightful)
With a criminal record, after being detained by customs, you'll have a tough time finding a decent job. Your life will be hard at the border crossing, but it will be for many years afterwards as well.
Re:This is why you make sure... (Score:4, Insightful)
I personally would use the tubgirl "taste the rainbow" picture as a desktop icon. You need to use both a disturbing visual, and a (semi-common) catchphrase that will trigger that visual to further torment them.
Re:This is why you make sure... (Score:2, Insightful)
Re:Not entirely true... (Score:2, Insightful)
This is why the recent supreme court ruling matters, even if the GP doesn't know it. They ruled that computer files are not your papers. Silly I know, but that's why they can search.
Re:One more reason not to fly. (Score:4, Insightful)
Re:Problem? (Score:5, Insightful)
First, I'm not American. I have visited but these incidents literally remove the country from the list of viable or "safe" foreign countries I could travel to.
"I carry corporate source, designs and some customer data on my laptop. Yes, it would be a problem if it were made public. I encrypt it, but do not hide it. I see no reason that a border guard, a TSA guard or even the (whisper) NSA would choose to give it to a competitor if they had it."
-Several thousand dollars.
- Industrial espionage.
Even in the UK, some staff at airports have been caught selling on items stolen from baggage, there's nothing to stop a corrupt official doing so. By giving them the ability and "legitimate" reason to search ANY laptop for ANY reason, it's inviting problems.
- A letter from Microsoft offering a reward for non-licensed or pirate software.
- Anything that could accidentally tag you as a terrorist.
Customs officer browsing through my web history: You read wikileaks lately? We'll have that as evidence of, in your own words, being an anarchist.
- THIS POST. Say I took a laptop with a copy of my posting history to slashdot to the US... they could EASILY use this very post against me. Evidence of "wanting to avoid customs" or some such rubbish.
"What's the problem here? Is this a matter of principle or is there something to hide?"
Neither. It's my data. You have no right to go through it without reasonable suspicion FIRST. And then in a certified, supervised way to ensure you keep within your stated use of the data. No other civilised country in the world currently does this and the UK has been dealing with terrorism for FAR, FAR longer than the US has (a UK airport security expert was told that he was "being paranoid" before 9/11 when he visited a US airport and complained about their lax security - within days he was on BBC News recounting the tale because 9/11 happened).
My workplace cannot even throw a hard drive out without having it professionally destroyed, whether it's been exposed to confidential data or not. What makes you think I can let a customs officer copy it without MASSIVE assurances of everywhere the data could end up? The chances are I'd be in a questioning room while all the copying was going on.
"Consider how important your data is to a customs official. News flash: I'd bet a lot that they don't give a rat's ass what you've got, as long as it's not illegal. If it's illegal, then the problem is totally different and you have no right to complain about it."
Define illegal. I think you'll find it depends on jurisdiction, for a start, and includes such things as data protection laws. This is the problem.
As a business, I would be required to NOT TAKE SOME DATA into the US because of this - UK and EU data protection laws means that I *can't* let anyone see it, whether or not it's "secret". If your salesman is going to have to break British law to make a sale in the US, then he's not going to GO to the US. Or he'll have to take the steps mentioned in this article.
Say my office gave me a laptop with a copy of Windows that was installed from a pirate key... that's "illegal". I could get detained *without reasonable suspicion* and possibly convicted because of that. Say I *don't know* the password to an "encrypted-looking" file on the laptop (like, I don't know, say a database contained within a business program accessed only by Word macros or company-created utilities - I have seen many such systems loaded on laptops for employee use). I'm detained until I release it.
It's not that I have anything illegal under US law - the US is not the world, though. Things that the US does are considered illegal in other countries. Let's not go too far down that avenue because it's just too easy to get into country-bashing.
It's that the US customs have no reason to demand inspections without reasonable suspicion. They certainly s
Re:Not entirely true... (Score:5, Insightful)
I would say that most sovereign nations have the power, not the right, to control who and what enters the country.
Re:Yes it will work. (Score:3, Insightful)
You should also put something mildly embarrassing in the shadow drive. Something so that when the customs dude sees it, he can construct a plausible narrative of why you encrypted it. Naked pictures of a girl who could be your girlfriend (but definitely looks over the age of majority in the country you're flying to), steamy love letters that aren't over the top, evidence of a fake affair. Nothing illegal, just "improper." Bonus points if you blush when the customs agent sees them.
Re:Dual Boot (Score:5, Insightful)
Being detained by customs does not give you a criminal record. If you're a non-citizen, it may indeed cause trouble in entering the country again. To get a criminal record, you must be tried and convicted of a crime.
Re:Yes it will work. (Score:2, Insightful)
Luckily, that doesn't matter one iota. Hidden volumes in TrueCrypt are specifically for this very reason. Assuming you admit that you use TC and show someone the contents of the "dummy" volume, there is no way for someone to determine the existence of the hidden volume.
We have arrived! (Score:5, Insightful)
We are discussing "hiding legal and unincriminating" stuff so that we don't get hassled by government police. We have gone far beyond the "if you don't have anything to hide, you have nothing to fear" argument where now, even when you don't you have plenty to fear... in this case, potential loss of ability to work!!
They have been going too far for a while, but this is a point at which even the most common person can appreciate and understand the problem with this.
If the EFF were buying "public awareness" ad time on TV, radio and print (I haven't seen any if they already are) I'd donate $100 each month from now until "we've won" whatever that means. I'm sick of this.
Re:Not entirely true... (Score:2, Insightful)
Whaaa? So the Constitution doesn't apply to me as a US citizen is what you're saying? I thought the constitution applied to citizens, not a place.
So apparently it only applies to people on US soil? With the way things have gone lately I guess it shouldn't surprise me, but it does, or more disappoints me.
That said, I've never had issues coming back through customs. They've never even glanced at my laptop let alone asked to handle it.
Re:This is why you make sure... (Score:5, Insightful)
No shit, Sherlock. That's sort of the point.
If nobody ever stands up to this kind of bullshit, even in these kinds of small ways, it's only going to get worse and we're *all* going to spend a lot more time in tiny cold waiting rooms whenever we try to get anything done.
Re:Not entirely true... (Score:5, Insightful)
Try not to confuse 'legal fictions' with reality
Re:Not entirely true... (Score:1, Insightful)
US border cops are not subject to oversight. Decisions are final and can be based on their gut feel. Unless you're an international big wig and can pull some strings with the ruling US gov't, you're out of luck.
I have seen at least a half dozen people arbitrarily get taken into the strip search room at the Peace Bridge in Buffalo. And this was before 9/11.
Obvious solution (Score:4, Insightful)
Suspiciously unsuspicious (Score:3, Insightful)
Aye, there's the rub.
Most files CAN be distinguished from random data. If not outright human-readable (text, XML, etc.), they start with header data which can be visually recognized with a little experience. File sizes are predictably reflective of the directory context. Browsing the rest of a file's content usually reveals non-random components.
TrueCrypt claiming to be indistinguishable from "random data" is kinda like the hotel security guy who was checking out my activity when I was bored (playing with video camera menu settings, waiting for someone) in a hotel lounge. It was obvious he was hotel security because he didn't have any official-looking paraphernalia AND was dressed in "I'm trying to blend in but don't know how" attire. It was obvious he was checking out my activity because he wandered close, looked around like he was looking for someone, and left - when there was absolutely nobody else in the lounge. And from his "I'm not hotel security, no really" dress & demeanor, I knew something would come of it - manifest a few minutes later when the Federal Marshals showed up.
A TrueCrypt file (or partition) hits the "uncanny valley" realm: it tries so hard to blend in that we become keenly & deeply aware that it doesn't; the deep-seated human mechanism for sensing "something is wrong here" kicks in.
It stands out precisely because it so completely doesn't.
Re:He used tinyurl for a link, WTF? (Score:2, Insightful)
See TinyURLs are evil URLs [blogspot.com]. Why does the URL length matter when linking on the web? For example, the link above has a fairly long URL, but it's not a problem. There's no reason to use a URL shortening service for links on web pages.
The reason such services should only be used where actually necessary, like in print or when verbally relaying a URL, is that they are a good way to hide the site. By using them unnecessarily for web links, users become less wary of them, making it easier for malicious uses. It's the same reason banks and similar entities should not send email with links to their site.
Re:Not entirely true... (Score:5, Insightful)
America is just now doing this? I was returned from Canada and they searched my luggage, laptop, read private conversations, opened letters all because I was going to be staying 2 months which was too long of a vacation/job for them apparently. The guy was just a prick and didn't want anyone taking jobs. Canada is terrible for this but on Slashdot everything is the big bad USA. I'm so sick of the slant on Slashdot. All countries do this; it's their right to refuse what type of people in their country. Some agents turn away illegal Mexicans because they're scared of them taking jobs, some customs agents don't like the idea of a foreigner getting paid more than them.
Re:This is why you make sure... (Score:1, Insightful)
Re:This is why you make sure... (Score:5, Insightful)
Re:Corporation Lawyers (Score:2, Insightful)
Once you pass 6 years old, please stop trying to sell that "I'm just swinging my arms and if you run into them that's your own fault" BS. Eesh.
Security through Obscurity requires Good Camo (Score:5, Insightful)
What is this, people? Waving flags screaming "I'm hiding something!"
If I actually had something to hide, say, key NDA-restricted docs, and I HAD to carry them on me, I wouldn't put up red flags like obvious encryption or a partition with some weird-ass hippiecommie suspicious linux install. If you want to fly below radar, you need stealth.
First: a vanilla install of windows or macOS. Standard business apps, standard documents folder with typical usage, such as correspondence, presentations, expenses, etc.
Second: family photos. Friends on vacation, etc. Make them more than typical: lots of them, and innocuous. If you're too straightlaced to keep personal stuff on your computer, that's suspicious too.
Third: on a different computer, encrypt your files with decent encryption, AES or something, using a strong password. Make sure the file name isn't interesting. Doesn't matter, if a professional gets the files, they'll be cracked; the point is to keep them unobserved, so this part's kind of optional.
Fourth: mask them inside innocuous files like the photos. Transfer them to your laptop. Now you're camouflaged. Smile, respect, make eye contact, be naturally a tiny bit nervous but with nothing to hide.
The secret to security? Don't get caught.
[/theory]
Re:Dual Boot (Score:4, Insightful)
sorta.
Unallocated space wouldn't be filled with high-entropy random bytes. That's a tip-off that it has encrypted data.
Of course, you certainly have deniable plausibility there.
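The heuristic this comment and the earlier "Suspiciously unsuspicious" comment describe (recognizable headers versus headerless, uniformly high-entropy data), as an added example that is not part of any post in the thread. The sample data, the 7.9 bits/byte threshold and the 4096-byte block size are constructed assumptions; SHA-256 output stands in for an encrypted container.

```python
import gzip
import hashlib
import math
from collections import Counter

# Well-known leading signatures of a few common file formats.
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_magic(data: bytes):
    """Return the format name if the data starts with a known signature."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def classify(data: bytes, threshold: float = 7.9) -> str:
    """Compressed files are high-entropy too, but they announce themselves
    with a header; data that is both headerless and near-uniform is what
    draws an examiner's attention."""
    fmt = detect_magic(data)
    if fmt:
        return f"known-format:{fmt}"
    if shannon_entropy(data) >= threshold:
        return "headerless-high-entropy"
    return "structured"


def high_entropy_fraction(image: bytes, block: int = 4096,
                          threshold: float = 7.9) -> float:
    """Fraction of fixed-size blocks whose byte distribution looks uniform."""
    blocks = [image[i:i + block] for i in range(0, len(image), block)]
    if not blocks:
        return 0.0
    hits = sum(1 for b in blocks if shannon_entropy(b) >= threshold)
    return hits / len(blocks)


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples (not taken from any real disk).
TEXT = b"Meeting notes: quarterly travel expenses and hotel receipts.\n" * 300
GZ = gzip.compress(TEXT)
CONTAINER = pseudo_random(65536)
# Two 16-block "disk images": 4 blocks of files, 12 blocks of free space.
IMAGE_ZERO_FREE = TEXT[:4 * 4096] + bytes(12 * 4096)
IMAGE_RANDOM_FREE = TEXT[:4 * 4096] + pseudo_random(12 * 4096)

if __name__ == "__main__":
    for name, blob in [("text", TEXT), ("gzip", GZ), ("container", CONTAINER)]:
        print(f"{name:10s} H={shannon_entropy(blob):.3f}  {classify(blob)}")
    print("zero-filled free space :", high_entropy_fraction(IMAGE_ZERO_FREE))
    print("random-filled free space:", high_entropy_fraction(IMAGE_RANDOM_FREE))
```

A high score only says the bytes look uniform: free space overwritten with random data by a wiping tool scores the same as an encrypted volume, so the measurement flags a region for attention without showing what it holds.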
Re:Dual Boot (Score:3, Insightful)
Well, it's a question of whether or not "later analysis" is something you wait in line for, or something that happens later when you're already through. As long as you get through relatively unmolested, and with your machine, it's not too bad if they later want to spend their time detecting that personal secrets might have been present, and then try to crack AES -- all on their own time while you're not waiting and missing your connecting flights, appointments, etc.
As long as the machine appears to be "normal" to a superficial peek, you win. Their only countermeasure is to quarantine every entering machine for a few months, while they spend a few hundred (or thousand?) dollars (per machine) to examine them -- just to see if there's anything further to look at. Then they can mail you a letter if they want your key. In other words, the countermeasure would be so intolerable that the public wouldn't stand for it and Congress would have to take away the power.
Anything, really. As soon as bribable officials have access to your browser's password manager database or your email reader's stored login credentials, the risks resulting from the resale of the information, are so broad that there's simply no person who doesn't have something to be concerned about.
If we give the government all our data, everyone loses, except the bad guys that they're supposedly protecting us from.
Very BAD advice... (Score:4, Insightful)
'If someone does discover it, you can try saying: "I don't know what's on there. My boss told me to give it to the head of the New York office."'
Never ever lie to customs guys. If they ring your boss and he denies it, or if you later change your story and say "oh yes, that's really all my files", or if you can't instantly give the address of the fictional 'New York office', then you better start relaxing in preparation for them gloving up to see if you are hiding any other memory cards.
Same with hidden partitions. If, by sheer bad luck, you do encounter a tech-savvy customs guy and he says 'have you got any hidden partitions on here?', say 'Yes'. Better than saying 'No' and having them find out later.
I'm not saying roll over and give them everything - you have rights - just don't lie.
Re:Dual Boot (Score:5, Insightful)
But otherwise, yes, you're right.
Re:This is why you make sure... (Score:3, Insightful)
I guess the trick is to help make everyone a POI. Do all that crap to everyone, and 10 people will be able to enter the country per day. Then someone in power with some sense -- no wait, let's be realistic: someone in power who is tired of getting thousands of complaints per day and being the subject of a TV news show every week -- will say, "fuck it, we have to stop doing this. I just got into government for the drug and 'escort' money; I didn't run for office to be ridiculed and impeached all the time. I have a meeting with a rich industrial lobbyist in 20 minutes, and those '60 Minutes' reporters are still here in my office, asking me what my response is to the recall petition. *sigh* Julie, get me Senator Disney on the phone. We need to talk about a bill that dissolves customs. I can give him 20 more years tacked onto copyright, if he'll support this for me."
Re:Dual Boot (Score:3, Insightful)
Put It Elsewhere (Score:3, Insightful)
Put one in a camera. Leave a whole bunch of inane pictures of it.
Use the second one as your main file store. At $20-25 for a 4GB card, they're cheap. They're also 15x11mm, so small you'll "lose" them - oops - in your checked luggage and are never going to be spotted by a bored inspector, that barely graduated high school, watching hundreds of thousands of large bags going by.
Alternatively, stick it in a GameBoy DS. They have SD readers. Look utterly bored as you wander through, in flight toy in hand. Odds of their bothering to inspect a children's toy and find something that looks like it's supposed to be there anyway, are next to zero.
At customs, look bored, hand over your largely empty laptop and meaningless digital camera.
Let them copy off anything they feel like. Don't fight it. Don't complain. Let them think they've got everything.
Once you're back on the other side, put the other card back in, get access to your files again.
No, it won't stop them if they're utterly convinced you're a terrorist. They'll take everything apart and will eventually find that tiny thing. The abusive copying of anyone's crap, with no grounds for suspicion, is going to leave them copying junk that means nothing to them. There's simply no time to search everyone to the degree they'd find the few people with a MicroSD card. And, even if they do, it's a totally legitimate thing to do so you can claim total ignorance.
4GB should be plenty for most trip type info. Sensitive business docs should easily fit in to that. If you store porn on your laptop, leave it on an external drive at home for when you get back. If you really must have some with you, if you need more than 4GB, it's time to admit you've got issues.
Re:Not entirely true... (Score:3, Insightful)
They have no right to detain you for not showing a receipt. You have no obligation to show a receipt. The worst that can happen is that they ask you to leave, something you were obviously doing anyway. If you really piss them off, they can tell you to not come back. But they can't hold you, charge you, ask you for identification, or anything else of the kind (well, they can ask for whatever they like, but you don't have to comply with any order or answer any question). They have to have evidence for that, and being an ass isn't evidence of anything other than a poor upbringing.
Shit, it can even save your life, imagine if the guard guy was just about to go postal and decides that you are the straw that broke the camel's back and decides to fill you with pieces of lead.
Yes, I should live my life like everyone is armed and willing to kill if I don't do everything they say. Even if, like the guards at Wal-Mart, they aren't armed.
Re:Suspiciously unsuspicious (Score:2, Insightful)
The hidden volume that you set up is then within the empty space of an existing Truecrypt volume. Nobody can tell without having the key whether there is a hidden volume or not since it looks exactly like the random data that the empty space was initialized with.
Re:TrueCrypt (Score:3, Insightful)
Re:Pussies (Score:2, Insightful)
You go first, we'll follow your example.
Solutions (Score:3, Insightful)
1. When conferences are being organized, avoid US sites right there in the planning stage. (This is already happening in my field.)
2. When travelling to a US conference, travel with a blank default install Windows or Mac box with no personal or private data on it at all. Do not carry any form of data with you (whether encrypted or not). If it is necessary to access private data, do it over an encrypted connection to the non-US based home server using a terminal session. No data is stored on the portable computer. If the hard drive is seized, there is nothing to get. (This is the solution being used by local doctors and lawyers travelling to the US where there are no privacy laws.)
Anything on your person when travelling to the US can be seized and you can be forced to give any passwords to anything encrypted.
Obama bin Laden must orgasm every single night at how spectacularly successful the 9/11 attacks were. It has to be the greatest success story of any kind thus far in the 21st century. Hate the guy all you want, he got everything he could ever want and then some.
Re:TrueCrypt (Score:3, Insightful)
So unless you're suggesting that anyone using Truecrypt, for any purpose, will be detained indefinitely, it seems like a pretty solid bet.
Heavy travelers (Score:1, Insightful)
You can either set up a flash drive (or even an MP3 player), giving you data portability and even applications and file security if you set it up. But the best solution is to use a mobile device, like a Blackberry (I refuse to recommend the iPhone until the device has SOME form of security on it, obscurity is not security). You could also try Palm or Windows Mobile, but those seem to be more trouble than they are worth.
The TSA drones are lucky they can figure out how to tie their shoes, so I'm sure telling them it's "just a phone" won't be much of an issue.
Re:We have arrived! (Score:4, Insightful)
The TSA is not the government police doing the searches and seizures -- that would be Customs. TSA does not carry guns... Customs does.
Paranoia is fear without basis in evidence of common practice. I would say there is ample evidence of common practice. Unless, of course, you call it paranoia that a speeder would be afraid he might get a ticket for speeding. In this case, the fear is based on previous examples of such unreasonable searches and seizure. In all other areas of law, this would be warrantless and identified as a fishing expedition. It is amazing that this practice has passed a court ruling in its favor.
I'm going to leave the country in a couple of months and let me tell you, I plan on installing a new hard drive in my laptop with only the bare essentials installed on it leaving everything else at home. That's really not enough, though. If I were to be targeted by either my own government or a foreign one, I am hopeful that I can convince them to just take my hard drive and leave my expensive computer in my custody. I can't just buy new machines when some jerk decides to hold onto it for an undetermined amount of time. We're talking about expensive gear being taken without cause of suspicion and no accountability.
I'll grant that I've never actually even been hassled by Customs before. In fact, my last three trips out of the country and my last three returns have been completely hassle-free and neither the US TSA nor the foreign country's security screeners even opened my luggage or checked my carry-ons beyond an ordinary scan. But with what's going on, can anyone really count on not being hassled or having your gear taken?
And I sure as hell don't want to have to resort to cloak-n-dagger crap just to appease screeners who have never seen Linux before.
Re:Dual Boot (Score:1, Insightful)