Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Privacy Encryption Government The Media

Ask Slashdot: Securing a Journalist's Laptop Against a Police Search? 324

Bruce66423 writes: In the light of the British police's seizure of a BBC laptop what is the right configuration and practices to ensure that such a seizure provides zero information to the cops? This post from Thursday might be a good place for some ideas, but that one's expressly about securing a Chromebook; what would you advise for securing a more conventional laptop? (Or desktop, for that matter.)
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Securing a Journalist's Laptop Against a Police Search?

Comments Filter:
  • Laptop (Score:5, Insightful)

    by fyngyrz ( 762201 ) on Saturday October 31, 2015 @03:25PM (#50838767) Homepage Journal

    Don't store your information on the laptop in the first place. Just use it as an editing and remote-access tool over a secure connection or to a USB stick you don't expose to search procedures.

    That's about the best you can do, short of memorizing everything.

    Encrypt the laptop, and you could lose it. Just let them search it top to bottom, then when they're done and you're wherever you're going, wipe the hard drive, reinstall your OS, and carry on.

    It's really not a great idea to carry information you need to be secure around with you.

    • Yup... two words, "micro SD"
      • Does anyone make a little ruggedized case for an SD card that you can swallow?

        • by allo ( 1728082 )

          Why? Break it in two parts and its very expensive to restore data. Drop it into the toilet and flush. Nobody will find it.

        • Why swallow? Micro SD is small enough to hide in your shoe. Rip the inner sole slightly and carve out a tiny slot. The police might check your shoes quickly but they won't look close. The metal will block scanners.

          • Re: (Score:2, Funny)

            by Anonymous Coward

            Why swallow? .

            That's what she said.

          • Why swallow? Micro SD is small enough to hide in your shoe. Rip the inner sole slightly and carve out a tiny slot. The police might check your shoes quickly but they won't look close. The metal will block scanners.

            Even at airports, you're required to take off your shoes and have them X-rayed. I'm sure a targeted search by police would be at least as thorough.

            • Most shoes and sneakers have a strip metal along the sole for rigidity. Take an old pair apart sometime. I always seem to break the inner soles of my footwear. That is how I know.

              Unless they see something obvious you can hide a microsd card there without an issue. I have yet to see a police officer do more than a quick visual inspection tion/ X-ray of shoes.

          • Re:Laptop (Score:4, Interesting)

            by w3woody ( 44457 ) on Saturday October 31, 2015 @04:20PM (#50839013) Homepage
            • Well now that we know about the hollow coins, there will just be a "leave a pound, take a pound" exchange set up as you go thru security.
          • by Z00L00K ( 682162 )

            Better to have a specially designed clothing or coat buttons to store the microSD in.

            • by fyngyrz ( 762201 )

              No. It isn't. If you get caught intentionally trying to smuggle, it'll go poorly for you. Just don't carry it in the first place. There's no actual need to, so why do it?

      • Re:Laptop (Score:4, Insightful)

        by Jane Q. Public ( 1010737 ) on Saturday October 31, 2015 @04:58PM (#50839231)
        Micro SD AND Truecrypt.
    • This!

      I'm not saying this is the way to go for all needs. Personally, I hate to use web apps for everything. But, for complete security when crossing borders, your info should just stay home.

    • "Just use it as an editing and remote-access tool over a secure connection or to a USB stick you don't expose to search procedures."

      Forget the "secure" connection. There's a much larger attack surface there for people to exploit.

    • "Encrypt the laptop, and you could lose it."

      Sorry but I suspect encrypted or not, it's extremely unlikely it wouldn't be taken anyhow. That's just how this stuff is. With a very very long process in getting it back to boot.

  • Easy (Score:2, Informative)

    by Anonymous Coward

    Easy: Store nothing sensitive anywhere on the laptop. Make sure all browsing history/data is wiped before the laptop is every put to sleep/hibernate.

  • by gurps_npc ( 621217 ) on Saturday October 31, 2015 @03:34PM (#50838805) Homepage
    Whatever kind of encryption you use should have the ability to use alternative passwords - an unlimited number of them. So enter password (A) reveals your tax records, password (B) gets pictures of naked 30 year old men. But enter password (C) and you get clear pictures of Mr. Cameron violating a dead pig. When they demand your password, give them password A. If they get all torture-ish you give them password B.
  • by Todd Knarr ( 15451 ) on Saturday October 31, 2015 @03:37PM (#50838811) Homepage

    Best bet is simply not to have anything for them to find. Store your data on a thumb drive (that you'll carry or ship separately) or upload it to your own server or a service like Google Drive or Dropbox, encrypting it or not first, all depending on how sensitive the information is. Delete it or secure-wipe it or wipe the whole drive and do a complete factory restore on your laptop depending on how invasive you think the search might be. Then let the cops search all they want, they won't find what isn't there.

    NB: Linux makes a better platform for this than Windows. On Windows bits of your files can end up in the oddest places to be found during a scan of the drive. On Linux it's easy to set up a separate partition where all your data will go and be certain it didn't leave traces anywhere else, and that partition can be secure-wiped and reformatted without messing up the OS installation in the process. Plus the cops are less likely to be familiar with Linux, and you can play the dumb-non-techie card of "I dunno, it's whatever the guys in IT put on it. I just follow the instructions to run my programs and everything works.".

    • by LVSlushdat ( 854194 ) on Saturday October 31, 2015 @04:15PM (#50838999)

      Tell me my tinfoil hat is on too tight if you want, but I *strongly* suspect its NOT going to be *too* far in the future when those of us who refuse to use Windows and use Linux instead will be charged with violation of a yet-to-be-passed law, but one that is almost surely to be passed by the authoritarian thugs that currently infest most governments. For all we know, this sneaky Transpacific Partnership abortion thats making its way thru the halls of congress may have the beginnings of such in it, and since we, the unwashed plebes, are not privy to its contents, heaven only knows what is in it. Both the US and UK are diving at a faster and faster rate down towards blatant totalitarianism.. When you look at the many traffic analylsises that have been on Microsoft's latest offering, you start to wonder if they've not gone into partnership with the NSA to fill up that giant datacenter in Utah with everything you do on your Windows machine. This being the main reason I suspect it won't be too long before those of us who don't suck at the MS tit, will be persecuted for using an OS that doesn't feed the MS/NSA behemoth... Before you accuse me of being paranoid, stop and think about what I said.... Glad I'm 65 and not a youngster growing up in this ever-increasing totalitarian world...

      • by maugle ( 1369813 )
        I doubt Linux would be banned entirely (it's in use by too many big businesses), but I could see only certain "approved" distros being allowed. I'm sure Red Hat would jump at the chance to be the sole government-approved official Linux provider, and I doubt they'd even think twice about including a few "special" government-provided packages in their base installation.

        ...assuming they don't do that already.
    • Best bet is simply not to have anything for them to find. Store your data on a thumb drive (that you'll carry or ship separately) or upload it to your own server or a service like Google Drive or Dropbox, encrypting it or not first, all depending on how sensitive the information is.

      Bingo. This is the only way to avoid the whole mess of having data for them to become suspicious of in the first place. Don't have anything for them to find or become suspicious of.

      Once they find encrypted data most law enforcement authorities will automatically assume something nefarious, and even if they don't, they'll still want to see what it is.

      And they'll use the old "We think it might be child porn" as an excuse to hold you for as long as they can get away with (and these days that may be forever).

  • by gweihir ( 88907 ) on Saturday October 31, 2015 @03:40PM (#50838837)

    In the British Police-State, that is not possible, unless the journalist is willing to go to prison for failing to disclose an encryption password. Forget about "plausible deniability", that is for kids and morons. It does not work in practice.

    The time to protect essential freedoms in Britain is past, and the battle (pathetic though as it has been) is lost. Anybody now trying to protect itself will just be classified as a "terror supporter" and that is it. Expect concentration camps to be opened soon.

    • by AmiMoJo ( 196126 )

      Recent events don't seem to support that assertion. The Guardian was able to handle the Snowden files without being imprisoned or losing them. Okay, some MI5 goons made a show of destroying a few laptops, and the footage ended up on YouTube and the stories were published anyway.

      The BBC's mistake was not protecting their journalist's data properly. If you take precautions, it's possible. In this case, if they had used a live CD so there was no trace, and protected the contract details with encryption the po

      • by gweihir ( 88907 )

        The question was about an individual journalist. If you have an organization large and well-known enough to be hard to touch and somebody with real courage on the top, then you have a chance. But the editor of the Guardian _was_ willing to go to prison, if that was what it took. And that _is_ what it takes in a police state slowly going towards full-blown fascism.

  • by klingens ( 147173 ) on Saturday October 31, 2015 @03:51PM (#50838881)

    On your Laptop there is a normal Windows installation which is not used for work. Only for stuff like browsing the web in the evening at the hotel. mails to the kids, etc.
    On a USB stick on the keychain there is a copy of Tails https://tails.boum.org/index.e... [boum.org]
    You rent some VPS or root server in a country of your choice, under a different name, preferably paid via cash. This is the place where all the data for work is stored. encrypted.
    This server you only access via Tails which uses Tor by default.

    If you can't do this, you put an encrypted VM onto your Laptop which happens to have the data for work and you write your stuff or access the web for work related research only in this VM. Again using a distro like Tails.

    • by gweihir ( 88907 )

      The VPS+Tails idea is about the only one that can work. Better write nothing down though and better make sure your tails copy is always current and cannot be tampered with. Incidentally, renting a VPS with cash is impossible almost everywhere, but you do not actually need to. Just make sure it is a country that is unlike to cooperate with your enemy. In addition, better make sure to only work on it via hidden service or it may well get attacked by "hackers" in some routine government-sponsored break-ins.

      The

  • by physicsphairy ( 720718 ) on Saturday October 31, 2015 @03:54PM (#50838895) Homepage

    Don't store anything on the laptop. The fact they can legally compel you to provide the means of data access means you are in trouble in every case which they have possession of both you and your laptop. You can either do a really good job of hiding the data or you can keep it outside of where they can get it. How about a remote server a trusted person can deactivate if they hear about your situation?

  • Don't have a drive in it. Don't have bits that they can claim to find suspicious. No excuses, because even (or perhaps especially) if they don't find anything on your laptop they'll confiscate it anyway to have the boys back at the shop take it apart ten ways from Sunday.

    When you arrive, buy a new drive and load it up. How? Well, if you're visiting a field (or home) office, they'll have a disk image handy for you to use. If there are private bits that you haven't shipped over yet (SRSLY? They travel f

  • In the UK you can be forced to hand over keys so keeping anything, encrypted or not, on the laptop is a no-no.

    Get yourself a 4G account and mail the Veracrypt file to a safe country.
  • 1, 2, 3 (Score:4, Interesting)

    by chill ( 34294 ) on Saturday October 31, 2015 @04:06PM (#50838953) Journal

    1. Use Linux for the simple reason you can separate partitions. Create a separate /home partition that mounts on an encrypted removable drive, like an Ironkey.

    2. Do all work on the removable drive.

    3. Never cross a border with both the laptop and the removable drive. Ship out courier the drive separately and carry the laptop.

    This way there is nothing on the laptop to be searched or seized.

  • to what you can actually do.

    You can hide files in a hidden container, you can encrypt files and give the key to someone in a different jurisdiction. But, in the end, if they have you and they have the computer, they will probably get what they want. We used to call it "rubber hose crypto".

    If you don't have to bring the data with you, don't. Put the encrypted data somewhere in the cloud and pull it down when you need it. Then purge it from your computer.

    SD cards are small and might pass if you are not su

  • They won't be able to figure out how to make it work, so your data will be safe.
  • The Regulation of Investigatory Powers Act allows them to compel you to hand over any passwords or encryption keys needed to access the data.

  • by spiritplumber ( 1944222 ) on Saturday October 31, 2015 @04:47PM (#50839149) Homepage

    1) Make one of these: https://hackaday.com/2015/10/1... [hackaday.com]

    2) Hand everything over. Warn the bad guys that if they try to use your USB stick, it'll fry their computer.

    3) When they fry their computer, ask if they have learned their lesson about taking you on your word.

    4) Be cooperative. You already won the battle of wits, be a gracious winner.

    5) Your data was on your obscure self-hosted webserver elsewhere in the first place.

    • Although all these things sound cool, that's a sure way to not get into the country and be charged with whatever they come up with ( destruction of government property, assault - 'cause if that can fry a computer ... , espionage, terrorism, ... ).
      If you're on some list you basically already lost. You can play dumb if it's a random check, you boot up to some family pics and some pr0n in the browser history. But if you're a journalist suspected of having some shady contacts and information, you are the weak
    • The fact you think there can be a step 4 where you are the winner in this scenario is delusional at best. Only a few possible scenarios will happen here and NONE of them involve you winning.

      best case, you will be refused entry to the country, have what is the equivalent of a criminal record for travel terms where you now have to declare that refusal of entry and be royally fucked for the next decade where most countries will refuse you a travel visa.

      More likely, they believe you, check the device (bel
    • Survival 101.

      Pissing off the border guard.

      How the story ends if you "Ask Slashdot."

      2) Hand everything over. Warn the bad guys that if they try to use your USB stick, it'll fry their computer.
      3) When they fry their computer, ask if they have learned their lesson about taking you on your word.
      4) Be cooperative. You already won the battle of wits, be a gracious winner.

      How the story ends in the cinematic world.

      [Anonymous basement interrogation room]

      Wake up! I need you to be focused!
      You either give me what I need or this switch will stay on until they turn the power off for lack of payment on the bill.

      Which do you think cuts closer to the truth?

  • by gotribal ( 4315193 ) on Saturday October 31, 2015 @04:57PM (#50839223)
    Back when I was at Kazaa many years ago, I kept all my files in a BestCrypt-encrypted drive, and all sensitive emails were PGP-encrypted. I was feeling pleased - if anyone got hold of my computer, there was nothing to see. But then one day our office was raided in a search discovery order, and all that time spent encrypting things came to naught, if I refused to hand over anything it would have been contempt of court. And so I printed out thousands of emails in one long continuous unformatted strip... that was about as far as I could go. I did consider that I could have gone one step further and used BestCrypt's feature that lets you create an encrypted drive that's actually two partitions - give out one key and all you see is nice set of clean files, plus a whole lot of random bytes. It's something to consider, but you're living dangerously if it's a court order. BTW, there's discussion here about keeping data in the cloud - another tempting option. Broadly the law can compel you to hand over any data "In your control or possession", where possession is defined as including the means to retrieve remote data. So there would need to be zero knowledge of having that remote data at all. Just sayin'
  • by folderol ( 1965326 ) on Saturday October 31, 2015 @04:59PM (#50839233) Homepage
    The parent organisation should maintain a networked data store that all it's reporters have a write only password for.
    Data is then sent via ssl. No other encryption software of any kind on the laptop.
    Absolute minimum of services and a tiny hard drive, with no swap file/partition.
    Reporters should only use a plain, single view, text editor that doesn't store parts of a working document to file, and can be made to direct send the data without ever touching the hard drive.
  • by tengu1sd ( 797240 ) on Saturday October 31, 2015 @05:18PM (#50839339)

    And for the politically correct, social just warriors, etc. .. man in the sense of person

    You carry a laptop, you carry a live boot USB stick/CD, You carry encrypted media, possibly the same as a boot USB. Your counterpart, possibly in another country, carries the decryption key. You carry his decryption key. Never cross an international border together.

  • Personally, I'd perform a persistent install [of the distro of your choice] to a bootable MicroSD card. You can not only boot it up on virtually any PC, there are myriad ways you can throw them off or just plain fuck with them. Hell, really mess with their heads and lug around a laptop with Win9x on it (you don't even need all the drivers; present 'em with one huge fucking list of yellow exclamation marks in Device Manager!).

    The bootable MicroSD card you can hide almost anywhere (up your nose, in a slit cut

  • Zip the relevant files, and then change the extension to .odt When people cant read them, they will blame Microsoft! (Or use bzip, or compress or even IBM Squoze)
  • These folks provide advice for human rights activists who want to stay safe and protect their sources from nasty governments: Security in a Box [securityinabox.org].
  • run a parasent Linux distro like puppy on a micro sd as the entire os is stored in ram. save you data to the sd card they can be easily hidden or destroyed. now the fun part encrypt your entire harddisk with windows on it to make them think your hiding something then make them wast there time getting a court order to hand over the key just to find nothing.
  • With a really long passphrase with weird characters. They'll spend the rest of the natural lives waiting for it to be cracked.

  • 1. Backup the data files to a single backup file.

    2. Encrypt the backup file using an OpenPGP application (e.g., PGP, Gnu Privacy Guard). Software should not have sensitive data so it does not need to be encrypted.

    3. Upload the encrypted backup file to a cloud service whose servers are in a nation that will not respond to a police warrant from the nation whose police worry you.

    4. Use a strong eraser application to erase the original files, the backup file, and the encrypted backup file on the l

  • If you have a Chromebook, have a separate gmail account that looks active (subscribe to some innocuous mailing lists.)

    Prior to border simply powerwash the Chromebook and login with the clean account. Nothing to see here officer. The password is 1234.

    After you get home, login with your normal account.

  • Many countries in the world require the ability to search computers brought across the border. You can be detained if you fail to provide access such as passwords.
    Do not take precious data with you. Leave the data safely at home and connect securely.
    Use secure cloud storage or even secure storage back at home base and connect using a secure VPN.

The decision doesn't have to be logical; it was unanimous.

Working...