
Whitehat Hacker Moxie Marlinspike's Laptop, Cellphones Seized

Orome1 writes "The well-known whitehat hacker and security researcher who goes by the handle Moxie Marlinspike has recently experienced firsthand the electronic device search that travelers are sometimes submitted to by border agents when entering the country. He was returning from the Dominican Republic by plane, and when he landed at JFK airport, he was greeted by two US Customs officials and taken to a detention room where they kept him for almost five hours, took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them."

  • Re:First Post (Score:3, Informative)

    by Barrinmw ( 1791848 ) on Saturday November 20, 2010 @01:11AM (#34289240)
    Customs are not TSA.
  • by Anonymous Coward on Saturday November 20, 2010 @01:16AM (#34289260)
  • Re:First Post (Score:3, Informative)

    by PatPending ( 953482 ) on Saturday November 20, 2010 @01:23AM (#34289292)

    uhh, customs and TSA have nothing in common.

    Other than they are part of the same organizational chart [dhs.gov].

  • Finishing the story (Score:5, Informative)

    by the_other_chewey ( 1119125 ) on Saturday November 20, 2010 @01:27AM (#34289304)

    took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them.

    ...didn't get them, gave him back his hardware and let him go.

    Really, why try to sensationalize a story by omitting its outcome?

    The fact that something as ridiculous as "incoming data storage devices searches" even
    exists should be enough of a story by itself, and that has been known for quite a while.

  • Re:4th (Score:1, Informative)

    by Anonymous Coward on Saturday November 20, 2010 @01:29AM (#34289324)

    This has been litigated to death, and searches at the border, essentially without limit, have been deemed reasonable. Indeed, for a little bit inside the border, the same applies.

  • by pavon ( 30274 ) on Saturday November 20, 2010 @01:32AM (#34289340)

    The constitution only protects against "unreasonable" search and seizures, with unreasonable being up to the interpretation of the courts. Border searches have long had a broader definition of reasonable (since the very first session of congress), and are not limited to safety and contraband. FindLaw has additional commentary [findlaw.com] on the issue.

  • Re:First Post (Score:3, Informative)

    by Anonymous Coward on Saturday November 20, 2010 @01:32AM (#34289342)

    Once again, Customs is a legitimate and competent part of the government. The TSA is neither. Yes, they both fall under DHS. However, the Army Corps of Engineers and the NSA both fall under the DOD but are very different. Further, the TSA and Customs are regulated by different parts of the CFR. 19 CFR for Customs and 49 CFR for TSA. As in, you're wrong.

  • Re:Hidden volumes? (Score:4, Informative)

    by Ultra64 ( 318705 ) on Saturday November 20, 2010 @02:00AM (#34289462)

    He could put the contents of the hard drive on a webserver, wipe the hard drive clean, then download the data once in the country.

  • Re:4th (Score:3, Informative)

    by VortexCortex ( 1117377 ) <VortexCortex AT ... trograde DOT com> on Saturday November 20, 2010 @02:08AM (#34289502)

    This has been litigated to death, and searches at the border, essentially without limit, have been deemed reasonable. Indeed, for a little bit inside the border, the same applies.

    Here, in the USA, "a little bit" means 100 miles (160.9 kilometers) inside the border... 2 out of 3 Americans live within 100 miles of the border; No, it does not matter if you have crossed the border or not; many of your constitutional rights are null and void in this zone [privacydigest.com].

  • Re:4th (Score:5, Informative)

    by fyngyrz ( 762201 ) on Saturday November 20, 2010 @02:15AM (#34289530) Homepage Journal

    Do you really expect the founding fathers to have anticipated computing devices that can encrypt data? And to put that sort of thing in the constitution?

    No, the authors of the constitution didn't anticipate everything. But they anticipated quite a bit, and that includes unanticipated technology and social issues. In order to give the government the ability to deal with change, the constitution contains article V, which is the portion that outlines the procedure for amendment. Excepting amendment, they expected the constitution to be followed. Not "interpreted."

    Our government, however, has fiddled its way into a situation where it does whatever the heck it wants. Make no law? Let's make some law!!! No state religion? Let's print Christian stuff on the money, carve it into buildings, sing it in the anthem, and best of all, use it in the courts for swearing... that'll teach 'em. Shall not infringe? Yay, let's infringe! Regulate among the states? Let's regulate IN the states! No ex post facto laws? Oh *heck* no, we GOTTA make those! Enumerated powers? Nah, let's just do anything we want, the heck with that! Warrants to search? Um... only in the interior of the country. And even then, maybe not. Probable cause? That's the same as "We like to grope", isn't it? Sure! No double jeopardy? Oh, that's easy, we'll just toss them back and forth between the criminal and civil court systems, they'll never figure that one out! Trial by jury? Same as "Lock in closet indefinitely, no lawyer, no phone call, innit?" Cruel and unusual punishment... yeah, what was that awesome torture we hung the Axis defendants for using at the war crimes trials? Oh yeah, water-boarding... let's do THAT! (and let's not forget we have rendition to play with, either.) Excessive bail shall not be imposed... heck with that, we'll ask whatever we want! Powers reserved to the states? Bwahahahaha. Oh, and the article III kicker... judicial power in constitutional cases: nah... let's just Make Stuff Up and skip that whole article V inconvenience.*

    (*) It should be noted that the USG has steadfastly avoided violating the 3rd amendment, and should certainly be commended for its restraint in this matter.

    Here in the US (and England) we rely more on common law - yes, judges.

    Here in the US, we have government that has usurped powers far outside the explicitly authorized bounds. And that most certainly includes the judiciary.

    In the end, it turns out that what the authors of the constitution wrote matters very little in our current legal system, because that document is treated by the government as barely relevant at this point in time, and even at that, only when it is convenient. Otherwise they ignore it, make things up, or simply plow ahead regardless.

  • Re:Hidden volumes? (Score:3, Informative)

    by VortexCortex ( 1117377 ) <VortexCortex AT ... trograde DOT com> on Saturday November 20, 2010 @02:21AM (#34289542)

    TrueCrypt [truecrypt.org] because it works [slashdot.org].

    FTK, PRTK?
    Pffft, The FBI knows about those, and still didn't crack the TrueCrypt volume.

  • by fyngyrz ( 762201 ) on Saturday November 20, 2010 @02:25AM (#34289558) Homepage Journal

    The constitution only protects against "unreasonable" search and seizures, with unreasonable being up to the interpretation of the courts.

    No, the constitution protects against unreasonable searches and seizures, and then it specifically defines what that means: "no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    The idea that the definition of unreasonable in this context isn't clear and present is a myth that is instantly dispelled if you simply read the 4th amendment. It's right there, plain as day.

  • It probably is (Score:3, Informative)

    by Sycraft-fu ( 314770 ) on Saturday November 20, 2010 @02:38AM (#34289602)

    Problem is it is going to have to get tested in courts, most likely the supreme court, and that takes time. Searches at the border themselves are completely legal. That has been established long ago. You have no expectation of privacy there, and the government has a right, and duty, to secure its borders. However the idea behind this was searching for contraband more or less. A regular search. The whole "copying your entire harddrive" or "taking your computer and not giving it back for months" is not something that was considered because such devices weren't around.

    Well that being the case there's three ways this could change:

    1) The president could order it stopped. Even if the government does have the authority, they don't have to exercise it. However the whole thing started with the executive and it is pretty clear the president has no wish to put a stop to it.

    2) Congress could pass a law stopping it, or more generally defining what is and is not allowed in border searches. Pretty clear they are not at all interested in that.

    3) The Supreme Court could find the searches unconstitutional. I think there's a reasonable chance that would happen, but only if a case reaches them. Unfortunately that is kinda hard. More or less someone has to either be convicted of criminal charges based on evidence obtained in this way, or harmed by it in some manner giving them standing to file a suit. It then has to work its way up. Also, it needs to be a good case. Any civil rights lawyer that would take it up to the SC would want a solid case because if you lose, then you are fucked and getting it reversed would be near impossible.

    As such this shit will probably continue for a good while.

    What you can do about it is write to the president and your representatives and let them know this is an issue that matters to you and one you'll vote on. The only hope of getting the practice changed any time soon is to get the president to order it halted, or congress to pass a law preventing it.

  • by lakeland ( 218447 ) <lakeland@acm.org> on Saturday November 20, 2010 @03:04AM (#34289658) Homepage

    Right, and if you read the CNET article he mentions that he's already disposed of all the checked hardware.

    He also mentioned that the extra cost of hardware + embarrassment of missing meetings due to being detained and missing flights means his business is losing contracts and money, and he's thinking of refusing international clients. Maybe that's the government's goal.

  • Re:4th (Score:3, Informative)

    by jopsen ( 885607 ) <jopsen@gmail.com> on Saturday November 20, 2010 @03:12AM (#34289684) Homepage
    Everything you write is copyrighted...
  • by Anonymous Coward on Saturday November 20, 2010 @03:12AM (#34289686)

    I'm a bit paranoid like yourself once h/w is handed over, so I use some simple rules to justify throwing away my laptop:

    1. Record the EXACT head position/orientation of all the external screws

    2. Cover each major screw with a small round sticker that uses a glue with an infrared dye mixed-in - if it's lifted the second time the underside hits air it changes color in the uv spectrum, easy to detect.

    3. Record bios f/w versions and hashes, check them after return of laptop.

    4. Maintain a hash of all the OS files, check them after return of laptop

    5. Have a key-logger turned on just before you enter the airport - turn off once you arrive at your location. Check logs once the laptop has been returned.

    If any of the above are not right, I'd throw it away without thinking twice, and more importantly don't use the machine for anything until the above can be verified, it's actually quite a cheap process and saves a lot of money in the long run.....

    Thus is the price of paranoia
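Steps 3 and 4 of the checklist above (record hashes before travel, re-check after the device comes back), as an added example that is not part of the original comment. The function names and the key are hypothetical; it assumes the sealed manifest and the HMAC key are kept off the laptop and that the re-check runs from trusted boot media, since an altered OS can misreport its own files.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every path under root (relative, '/'-separated) to a fingerprint.

    Symlinks are recorded by target instead of being followed, so a link that
    has been re-pointed shows up as a modification. Devices and FIFOs are skipped.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = "sha256:" + hash_file(full)
    return manifest


def _tag(manifest, key):
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(manifest, key):
    """Attach an HMAC so edits to the stored baseline are detectable."""
    return {"manifest": manifest, "hmac": _tag(manifest, key)}


def unseal(sealed, key):
    """Return the baseline manifest, or raise if its HMAC does not match."""
    if not hmac.compare_digest(_tag(sealed["manifest"], key), sealed["hmac"]):
        raise ValueError("baseline manifest failed its HMAC check")
    return sealed["manifest"]


def compare(baseline, current):
    """Report paths added, removed or modified since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: the real key never touches the laptop
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample tree standing in for the OS files.
        for rel, data in {"bin/login": b"v1", "etc/motd": b"hello"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        sealed = seal(build_manifest(root), key)      # before travel
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"v2")                           # simulated change
        print(compare(unseal(sealed, key), build_manifest(root)))
```
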

  • by dbIII ( 701233 ) on Saturday November 20, 2010 @03:13AM (#34289688)
    You don't just have to be paranoid about government interference to be worried when there's ordinary crime along the lines of the ordinary thefts that we already see.
    For instance the low paid TSA guys could be paid kickbacks to put keyloggers on there so that criminals can get credit card numbers. The lack of accountability would mean that it would be a very long time before somebody in that position would be caught even if there was a lot of evidence.
    Personally I think we should get rid of that entire knee-jerk reaction organisation and replace their security guard style workforce with professional law enforcement with a clear chain of command and true accountability as was recommended in the first place. We wouldn't need anywhere near as many people and it would not cost as much. The only downside is it takes time to train such a group. We've got time, we've already had seven years of the sort of security staff you have to prevent shoplifting.
  • Re:Hidden volumes? (Score:2, Informative)

    by Shadowruni ( 929010 ) on Saturday November 20, 2010 @04:54AM (#34290008) Journal
    Yes, there is money to be made as an investigator... a lot more to STOP the investigators. You could take every machine in my home (assuming you could find them all which is a lot harder than it sounds - take a notebook out of its case and slurp off of a line in the wall and unless they are REALLY motivated, someone generally won't find it). For all of the respect a lot of agencies get, you've got to remember that the best and brightest DON'T WORK FOR THE GOVERNMENT. Why would they? I've worked with the government enough to know this. For every competent INFOSEC professional, there're 10s if not 100s of incompetent ones. The smart ones get a clearance on their resume and then go work for six figures in the private sector. Just one thing to remember.... crypto isn't meant to stop someone... only delay them. In 1973-1974 IBM came up with a crypto algorithm based on Lucifer, the NSA took it, played with it some (they swapped the S-boxes), and gave it back, it later became known as DES. For years (and even now... which is really silly) people thought that the NSA weakened the code or put in some kind of backdoor. Why the NSA did it (and IBM knew of this method but agreed to keep it secret) didn't come out until about 20 years later. Eli Biham and Adi Shamir published a paper on differential cryptanalysis, the best method for breaking block cryptos. The changes the NSA made actually made the code RESISTANT to the attack. This tells us two things. One, the NSA (and IBM) had attacks that others didn't figure out for almost 20 years. Two, they managed to keep it a secret. Hidden volumes, crypto, and solid tradecraft are all good things but when against an enemy with nearly limitless resources (and the tax-free money to rent... er hire for consultation the ones they need) you really don't stand a chance.
  • Re:Travel Tip (Score:1, Informative)

    by Anonymous Coward on Saturday November 20, 2010 @06:24AM (#34290244)

    The same, just use the same box it came in and FedEx it back home. Usually arrives a day or so after I arrive.

    The reality is like this hippie guy, when I arrive at my destination, I need to do business-perform work, if I don't or can't I lose value in front of my clients, hence such steps are necessary.

    I always add the extra costs (+10%) into my bill so I don't lose anything in the long run (and I claim the costs back through a tax refund kachingx2), however sometimes I wonder that it's a shame that such things need to be done.

    That said there's a lot more work in Europe most of which is slightly higher paying than the consulting gigs I do in the US, my next 5 year plan is to slowly switch over to Europe and east Asia, the US doesn't have much left for me.....

  • Re:First Post (Score:5, Informative)

    by GameboyRMH ( 1153867 ) <[gameboyrmh] [at] [gmail.com]> on Saturday November 20, 2010 @09:56AM (#34290894) Journal

    As for the second, please explain how in the fuck you get labeled a "white hat" for showing up at black hat conferences and showing everyone how to MITM SSL?

    Black hats don't hold conferences (in meatspace). There's just a conference called Black Hat which, by the nature of information from the conference being made public, is actually a white hat conference. It actually started out as something closer to a true black hat conference but of course that didn't last long.

    Black hats have their conferences in various chat rooms and forums. When they meet, you don't know about it.

  • Re:First Post (Score:3, Informative)

    by Nursie ( 632944 ) on Saturday November 20, 2010 @10:40AM (#34291064)

    I don't really agree on the difference.

    If there's a tool to exploit the problem then companies using SSL/TLS/whatever can see a clear and present danger.

    If someone publishes a vulnerability it's easy to write it off as theoretical and we're back to the situation where black-hats can exploit things.

  • Re:4th (Score:4, Informative)

    by couchslug ( 175151 ) on Saturday November 20, 2010 @11:51AM (#34291386)

    "This airport theatre is OBSCENE, ethically and morally wrong on EVERY level."

    Vote with your wallet and don't fly. Deny the airlines money by not using their services. The purpose of security theater is mostly to restore faith in air travel and keep the airlines running.

    We can afford to lose a few airliners as easily as we afford to lose thousands of terrestrial travellers in auto crashes, if we CHOOSE an equal level of indifference.

    It's about psychological impact, not dead people. Life is cheap except when taken in exotic ways with lots of media coverage.

  • by fyngyrz ( 762201 ) on Saturday November 20, 2010 @01:41PM (#34291974) Homepage Journal

    Warrants have never been required for border searches, and it was never the original intent of the founding fathers for that to occur.

    Border searches are not authorized by the constitution, they were an imposition of the 1st congress in 1789, an illegal end-run around article V, which dates from 1787. Consequently it doesn't matter one bit what the "standards" are for them. Until article V is used to make them an authorized power, they're an usurped, illegal procedure.

    The definition of unreasonable is based far more on common law interpretation than you presume.

    The constitution overrides and obsoletes common law; that's what it is there for, to reset the line and provide a new starting point because the previous situation was out of hand.

    It provides a list of authorized powers, from which the federal government may make certain very limited types of laws.

    As of 1791, it also provided a list of forbidden areas, into which the federal government may not go, and as it happens, that includes forbidding warrantless searches everywhere in the domain of the federal authority, because the restriction makes no kind of exception for any locale. So not only are warrantless searches illegal by virtue of not being an authorized power, the same people who made the law (quite sensibly) ruled them out just a few years later.

    I'm not saying the feds shouldn't have such a border power based on any objection I might have with the idea of searching incoming foreigners; I'm saying it's unauthorized, and short of article V, there's no other way around that.

    WRT common law, citing pre-existing English (or French, if you're from Louisiana) law is typical judicial dancing on the head of a pin, smelling its own farts. This isn't England (or France.) The whole point was to strike English law from our domain. To any extent that wasn't done, my take is that it's constitutionally invalid. I'm open to other arguments, but I've yet to encounter one that trumps the constitutional one. If the constitution wasn't put here to reboot the law, as it were, then what is it for? We already had English law for just about anything you can imagine, after all.

    I should point out, though I would hope it is obvious, that I am well aware that the courts don't agree with what I am saying here; my response to that is that (a) that's my point, and (b) they are in violation of their oaths which say they will support the constitution, not old English common law, and (c) in point of fact, the constitution doesn't award them the power to disagree when something is outright forbidden, as warrantless searches and seizures are, and (d) the constitution doesn't award them the power to cobble up laws that stand outside the list of authorized powers, and (e) it isn't that I have any expectation that the government will do the right thing at this juncture, I am simply interested in the public learning what the right thing is.

    Final point: The constitution is the authorizing document for a brand new government that in no way is "of England." Not for some specific derivative, or modification, of England's government. The constitution describes what this new government can do, and what it can't. Nowhere in the constitution does it say that the new government may incorporate English law, common or otherwise. Since that's not an enumerated or otherwise authorized power, in order to get such a power, article V must be pursued successfully, and as they did not do that, English common law is not valid American law. Ergo, the judiciary is breaking its oath, and much of the law is unauthorized.

  • Not really (Score:4, Informative)

    by Sycraft-fu ( 314770 ) on Saturday November 20, 2010 @02:28PM (#34292246)

    Again I think it is geeks puffing their own egos. Please remember that there's a vast, VAST gulf between law enforcement wanting to harass some guy, and a national intelligence agency being willing to spend a lot of money to try and snoop on them in an extremely covert manner. Remember that for the NSA to get involved, they have to be willing to break the law. Law says NSA is foreign only in their intelligence gathering. They can monitor communications to and from foreign locations, or systems that are on foreign soil but that's it. No monitoring in the US. I'm not saying they obey that in all cases, but that is the law meaning that if they got evidence its usefulness in a criminal trial would be nil.

    So for them to even be willing to do that, there has to be a good reason. Then you are talking about some serious money spent to develop this custom monitoring BIOS that is both undetectable, unflashable, and ready to deploy on the specific device(s) this guy has. Then after all that, they totally ruin the secrecy by a big fluff up at the border.

    Really? Sorry, but pushes the bounds of credibility way too far for me.

    Remember that in terms of covert surveillance the US law enforcement agencies can do that very well, they just need a warrant. They could then tap his communications, place cameras in his house, monitor with tempest, whatever they get a warrant for, and do it all covertly. Also any evidence obtained in that way is 100% legal, unlike evidence the NSA got.

    So why the border thing? Because they've got shit. They aren't expending any massive resources because there's no evidence of anything. The NSA isn't going to spend millions to try and monitor some guy illegally for no reason. However no warrant or anything is needed at the border so they harass him. Doesn't cost anything (the agents are already there) and so on. Also didn't accomplish anything but there you go.

    Sorry but I just can't support this massive ego complex so many geeks have of thinking they are so important that the government will go to extremely difficult, nefarious, lengths just to try and monitor them, all while doing it in an extremely incompetent fashion. No, they won't. You are not that important, nor that sneaky. If there's a real problem they'll get a warrant to monitor and/or search for the evidence needed.

  • by careysub ( 976506 ) on Saturday November 20, 2010 @03:05PM (#34292462)

    Basically, take a laptop with an easy to swap hard drive. Swap in a new drive, with a clean image, and no access credentials except to a temporary dropbox account for emergency mail and/or working set.

    Now if you are intercepted, there is no data TO capture, and you can remove all but hardware/bios trojans by a wipe and reinstall.

    As a bonus, you can just take out the drive, hand it to customs, and let them have fun with it.

    International corporations are already doing something quite similar to this. You carry an empty laptop with you - and download an encrypted "project package" at your destination to install any special software, and any data you need. You encrypt and upload your product data (if you need to bring it back at all) and run a program that wipes the laptop before return.

    But of course spies, criminals and terrorists would never think of doing this.

  • Re:4th (Score:5, Informative)

    by protektor ( 63514 ) on Saturday November 20, 2010 @05:57PM (#34293450)

    Umm I think you missed the news announcement. They are already testing this at bus stations and train stations. So there is no need to wait, it is already here.

    Here is the TSA patting people down at a bus station.
    http://www.youtube.com/watch?v=_hT8hfrak9I [youtube.com]

    Looks like the TSA are already at train terminals.
    http://www.youtube.com/watch?v=ORdBoG8qv9w [youtube.com]

    So it would seem that they are only left with us traveling by car. Although I hear that they have vans with the scanners in them and are going to use them at the borders to scan cars without people getting out of them. Here is the company that is selling them.
    http://www.as-e.com/ [as-e.com]

    So it's only a matter of time before the TSA is everywhere scanning everyone at the rate they are going.

  • Re:First Post (Score:3, Informative)

    by sumdumass ( 711423 ) on Saturday November 20, 2010 @10:04PM (#34295082) Journal

    It's not different for your data, it's different because of where it is at.

    The courts have long held up the idea that the US government can, as a necessary right of sovereignty, control what enters the country, and this right allows searches at the borders and ports of entry. This sentiment is also shared by our founding fathers insomuch as they created and passed into law the very first warrant-less search at the border (or port of entry) in the second session of the very first congress of the United States.

    BTW, even the US mail is allowed to be searched/read when it comes in from another country. Well, in certain circumstances that is. There are some restrictions written into postal code (a portion of US law) but the courts support not having those protections at all.
