Schneier on Security

@Bruce

"I strongly recommend the two-tier encryption strategy I described here."

What about TruCrypt 5, the newest version released only a a week ago?

Why don't you use that? Would you recommend AGAINST using it?

The problem with using drive encryption is that they threaten you with taking your equipment (or worse) if you do not give them the password.

A better option is to have a dummy partition (or drive) with a clean version of Windows for them to "scan". Maybe put a few non-threatening games for them to find just to make them feel better. Keep the real data on a tiny encrypted USB drive hidden in a private place.

"Why don't you use that?"

I don't use TruCrypt because I use PGP Disk -- and I don't need two programs that do the same thing.

I have not looked at TruCrypt at all; I know nothing about the program.

As my laptop runs Solaris, will I get thrown into jail for not showing the border guards how to start Word?

It's pretty obvious what is going on, they (yes it's that amorphous undefined group again) are attempting to create a "web of mis-trust" from which they hope to use something like the "six degrees of Bacon" game to identify connections between terrorists and their fellow travellers.

It won't work however, for the very reason that the "six degrees of Bacon" game works. Random connections are far too common to be useful in identifying causal connections.

@Alan
"Keep the real data on a tiny encrypted USB drive hidden in a private place."

The problem is that if they DO find it, they will be suspicious because you tried to hide it.

And they will become even more suspicious when they find that it is encrypted.

We have multiple issues here:

#1. Getting your laptop (or other device) through "security" WITHOUT losing it.

#2. If you DO lose it, ensuring that the data cannot be compromised.

#3. Accomplishing BOTH of the above without having them conflict with each other. (Example, having your laptop "confiscated" because it held encrypted files.)

#4. Accomplishing all of the above in a timely manner.

This is getting difficult. I've taken to sending the data ahead of me (encrypted) and following it with surgically clean, outdated, electronics. This is not a solution for everyone.

And if I can do it, I'm sure that the terrorists will also be able to manage it.

So the net effect is nothing but hassle for the legitimate travelers.

Even single information carrying device should come with an instant wipe switch.

Bruce, do you know if there's any change for a PGP FDE solution for the Mac?

Encryption helps as long as the government can't force you to reveal the password. The decision that Sebastien Boucher needn't reveal the password (look it up) is on appeal...

I just use encrypted images on OS X. AES 256 is one of the encryption options, IIRC. It's not without its inconveniences, but it works well enough for my purposes.

@Charly: Truecrypt 5.0 now has Mac OS X support, but apparently not FDE. See "TrueCrypt - Free Open-Source Disk Encryption Software - Documentation - Version History" here: http://www.truecrypt.org/docs/version-history.php

"5.0 February 5, 2008

New features:

* Ability to encrypt a system partition/drive (i.e. a partition/drive where Windows is installed) with pre-boot authentication (anyone who wants to gain access and use the system, read and write files, etc., needs to enter the correct password each time before the system starts). For more information, see the chapter System Encryption in the documentation. (Windows Vista/XP/2003)

* Mac OS X version"

and more ...

@Fred X. Quimby

"Even single information carrying device should come with an instant wipe switch."

Disks don't work that way.

I would make 2 partitions. The first one would be unencrypted with windows installed. The second one would be encrypted with any sensitive data. If done right, I think they wouldn't be able to tell the difference between an unformatted partition and an encrypted partition. There just random bits unless you know how to interpret them.

I saw this yesterday:

Russ Knocke, a spokesman for the Department of Homeland Security, equates searches of electronic devices to those of papers in briefcases.
"You forgo your right to privacy when you are seeking admission into the country," he says. "This is the kind of scrutiny the American public expects."

http://www.cnn.com/2008/TRAVEL/02/11/laptop.searches/index.html

Not only is it a completely stupid assertion that they are 'only doing what the American public expects', it is a continuation of the false idea that intrusive search is necessary for security, aka security vs privacy.

What I'd like to see is someone going through security with a large volume of SSN + Credit Card numbers encrypted (as it should be) on a laptop (as it shouldn't be), then have the border guys cause it to unencrypted and reviewed or worse, lost.

What if I flashed an official looking badge and said the data was encrypted and I could only decrypt it if the TSA agent held a sufficiently high security clearance? After all, it's national security at stake, I'm with the government.

hmm, I managed to accidentally clip out part of my previous comment:

What I'd like to see is someone going through security with a large volume of SSN + Credit Card numbers encrypted (as it should be) on a laptop (as it shouldn't be), then have the border guys cause it to unencrypted and reviewed or worse, lost.

should've been followed by:

And then DHS or TSA is sued for remediation and notification costs associated with the Data Breach.

"And then DHS or TSA is sued for remediation"

Of course DHS is undoubtedly exempted from any liability of the kind for any of its actions.

International travelers have no rights or civil liberties whatsoever until they are accepted for entry. DHS is perfectly free to deport travelers for any reason whatsoever and can confiscate property for any reason whatsoever. DHS powers extend at least to the point of deporting non-citizens for torture in third states (see the Arar case). Indeed, I'm not sure if there's any law which prevents the DHS from summarily executing 'undesirables' on arrival. The DHS has absolute power over anyone entering the US.

Completely encrypting your laptop won't do any good as the DHS could simply confiscate the computer because it contained data they can't access, then arrest/deport you for being uncooperative. The DHS is perfectly within its legal rights to do this.

The only solution is simply not to travel to countries which search computers. So far, this list includes the US and Canada, but the meme is rapidly spreading, under the benefit of heavy US pressure, elsewhere.

If you must travel across international frontiers, bring a completely clean laptop you can afford to lose (OLPC XO?) and bring your data over a VPN.

Wow, you know that your activities are unpopular and very close to indefensible when the TSA is stepping up to separate itself from them.

The very same TSA that engages in a whole set of other unpopular and very close to indefensible activities knowing that the saying "if it only saves one life" is a cure all does not want its reputation sullied by being associated with this.

If you are still fortunate enough to have a laptop with a floppy disk drive, have a dual-boot system: one Windows partition, one Linux partition.

Without the floppy, it can default to Windows.

With the floppy, use a lilo or grub bootloader to bring up the Linux partition instead.

I did that for a while just out of paranoia. I don't travel so much.

My current personal laptop has no floppy drive and USB stick drives seem much more suspicious to border guards than a floppy.

@infosponge

"The DHS has absolute power over anyone entering the US."

Infosponge, do you know if this is true irrespective of whether the traveller is a U.S. citizen returning from overseas travel, vs. a non- U.S. citizen?

Everyone must follow the link Bruce posted to that TSA blog. Comedy gold. Despite the apparent openness of having a blog, nothing is ever their fault. Have a problem, just ask for a supervisor. TSA does not confiscate things. Etc.
Reposting link:
http://www.tsa.gov/blog/2008/02/rumor-alert-laptops.html

I know about TrueCrypt 5.0 for the Mac, however, TrueCrypt 5.0 isn't any better than the already available encrypted disk images and sparse bundles of Mac OS X, the main difference is (some) compatibility with Linux and Mac. Anyway, I wouldn't use the first version of a Mac security software without security reviews, etc. available.

FDE would be the real thing, unfortunately, there's no such solution available for the Mac. FileVault sucks, encrypted disk images don't cover all user data.

Macs are great but not secure, I'm afraid.

Just imagine what this world will be like in 10 years.

The problem with dual boot is that any intelligent customs officer (unlike TSA agents, customs seems to be on the ball) can open disk management and see there's a large, unknown partition. I'd think you'd have a really hard time convincing anyone that you've got an 120GB drive but are only using 40GB.

@ infosponge

Actually the constitutionality of Arar's deportation is anything but settled. Just because the present administration asserts they did nothing wrong, doesn't mean they _actually_ did nothing wrong.

I rather suspect you're wrong in general though - as much as customs would like for people seeking entry into the country to be pre-human meat puppets for their every whim, I'd be surprised to find out that thousands of travellers between civilized countries magically stepped outside the purview of human-rights legislation every day.

Mail the laptop to where you're going to stay, as you leave. Not likely to be opened then.

@ dual boot

http://www.fs-driver.org/

Things like this Installable File System Driver would make ext2 partitions show up like a normal drive in Windows eliminated the suspicious "unused space."

@TS:

There is plenty of evidence that the people doing these searches are, in fact, rather clueless. I can't find the link, but there was a blog about a dude travelling through the US who was asked by officials to open his laptop.

Confronted by OS X, the official had to ask the dude where "Program Files" and "My Documents" were. Basically, he was reduced to asking where the porn and illegal downloads were.

I'm not saying count on this level of cluelessness. I'm saying don't count on /any/ level of technical expertise.

"can open disk management and see there's a large, unknown partition."

Easy, just disable the second drive in your bios.

@ Rob
Mail the laptop to where you're going to stay, as you leave. Not likely to be opened then.

The company I work for, just got a shipment of usb drives from over seas (partner company), customs actually took the drive apart. Not just the drive out of the casing, but completely apart.

So mailing does not guarantee anything.

You can use TrueCrypt 5.0 to create dual-booting systems which include a clean dummy windows partition that boots by default and a secondary encrypted partition that only boots when you put in a CD and enter the correct password. See link for instructions:
http://forums.truecrypt.org/viewtopic.php?p=39157#39157

http://www.news.com/8301-10784_3-9869812-7.html

http://tinyurl.com/yu9qpw

How timely, from the link:
PGP: Whole disk encryption for Mac OS X is 'in active development'
Posted by Declan McCullagh | 16 comments

PGP Corp. is planning to release a version of its whole-disk encryption software for Apple Macintosh computers running OS X.

Oddly enough, I had just this sort of technical discussion with my SO prior to her trip to another continent for her PhD fieldwork. In order to satisfy the ethics requirements for the work, she had to show the steps she had taken to reasonably protect the information she was collecting from the prying eyes of governments and officials of all stripes.

This is a very good point that others have made, but that I will reinforce: sometimes there are very good reasons for people to encrypt data and not share the passphrase. My SO has promised, in every sense of that word, that she will not let this information fall into any other hands. By divulging any of the contents of her research without express permission from the university and the affected subjects she is breaking a trust /and/ a honest-to-gods legal contract.

So, we had to come up with some basic ways to protect her entire laptop contents from the variety of ways people could gain access to it. We decided on this:

- We have OS X, so it is a no-brainer to lock everything in a FileVault disk image. She has instructions to logout at critical times. All the extra security items have been applied to her UID (encrypt swap, require password to change anything or login after sleep or screen saver, &etc.) in case it gets swiped while she is still logged in.

- Critical data is backed up to another encrypted disk image on a Firewire drive. Even more critical data is copied to an encrypted disk image on a USB key. The hope is that an impounded MacBook will leave her with her precious data, or at least parts of it, but otherwise be reasonable well protected against prying eyes.

- To encourage the chances of bored border folks simply waving her through (the advantages of being white, female and obviously middle-class) with a cursory look, we create a completely valid local account with limited privileges, but that otherwise appears to be the usual "play games, write letters, look at pictures" account that people have. Unless you know OS X (or Unix) pretty well, you will not even be able to see that there are other accounts on the box.

- Of course, most of the problem we are trying to solve here doesn't have a technical solution. I've coached her on what to say if confronted on any of this stuff. Other accounts were created by the administrator (me) and, no, she has no idea what they are all about or what the passphrases are. The backup data is part of her research, and no, she will not share that with them (no sense in lying, at least unnecessarily) because she can't.

Basically, the art of travelling through borders is not saying, or doing, anything out of the ordinary, and not saying, or doing, more than you have to.

She isn't planning on travelling through the US, or other privacy unfriendly nations, but she will login to the play account, load up a game and some benign documents in the usual non-threatening apps if she gets routed unexpectedly to such places. The two backups will be distributed among her luggage and carry-on. USB keys and portable backup devices are ubiquitous enough that there is a high chance that even someone impounding a laptop might miss these things.

We looked at private offline data storage options, but given the spotty availability of internet sometimes, and the fact that many of these services are either hosted in the US, or routed through the US, I trust them as far as I trust your current government (i.e., about as far as I can throw an average-sized representative).

I am hoping to setup an SSH pipe between us at some point before she leaves and dump a copy of her home directory on my own servers.

That fact is that many borders are so focused on stupid security theatre like removing our shoes and belts that I don't think they are in any sort of position to outfox the concerted data smuggler.

I'm always amazed at (for example, since this is one of the reasons both the US and Canadian border dudes are so interested in your laptop) how illegal porn is caught at border crossings: unprotected laptops, often logged in and running when the border guard checks them, with the porn in "My Documents" with names like "this is my illegal porn".

It has been proven time and again that your average criminal is stupid as a bag of hammers. They walk around like they can't possibly get caught, while acting "hinky" the whole while.

Smart criminals, terrorists and ordinary people protecting their privacy for good reasons: harder to catch, and impossible to distinguish from just their computing habits.

I use TrueCrypt. I quite like the posibility to create a second, hidden, encrypted partition/disk inside the first. In the "outer" disk you can put some "harmless" files, while the realy important files are on the second (inner) encrypted disk. Using one passphrase you open the outer disk, using another passphrase you open the "inner" disk. The existence of the "inner" disk inside the "outer" disk cannot be deduced by examining the "outer" disk.
If you have to divulge a password, give the one of the outer disk, containing the "harmless" files.

Before crossing borders with your laptop, first copy everything of interest to an encrypted disk image, burn that to a CD or DVD, mail the disk to yourself at your destination, then erase your hard drive, reinstall the OS, then insure your laptop -- against theft or armed robbery.

It's interesting how the same information held in a bank vault or office safe would require an actual search warrant issued by a judge, and issued in advance of the search, not after.

Anyone planning a terrorist attack could keep the information on a laptop without risk of discovery, provided he were smart enough to fly on a corporate jet.

I bet nobody inspects Dick Cheney's laptop.

It just occurred to me you could prevent the theft of you laptop by mailing itself to you at your destination. They don't dare inspect the mail.

@Citizen

It's not really clear if US citizenship makes that much difference. Customs has the right to search and seize anything, owned by anyone, without due process. Immigration doesn't currently have the legal right to deport US citizens, but this hasn't stopped them from deporting the odd Mexican-looking US citizen to Mexico on suspicion of being illegal. There is also a move afoot to give the DHS the ability to use the no-fly list system to block US citizens from re-entering the US.

@dragonfrog:

If any legal precedent has been established over the past seven years, it's the legal precedent that whatever the executive does is legal. On one hand, the DoJ will not prosecute executive overreach even when required to do so by Congress. On the other, the DoJ has become extremely adept at shutting down civil lawsuits using the state secrets privilege. If that doesn't work, the executive can always rely on immunity legislation.

As for your second argument, you're basically arguing from incredulity. Tens of thousands of travelers between civilized countries do step outside of human and civil rights protection every day. Between the time you enter a country's territory and the time you are processed by their immigration authorities, you have little to no rights whatsoever. It's incredible, absurd and a vestige of the age of absolutism, but that's how it works.

You still have the right to keep your mouth shut. Sure they can deport you or worse lock you up in a prison some where, but you can still keep your mouth shut.

Meanwhile, if you encrypted your data properly, it's safe, and hopefully you have archives somewhere else.

Read some of the posts at >flyertalk forum

http://tinyurl.com/26lztf

@crattis

Customs nailed us for no "Made in Italy" stickers on products we've resold here. On the obvious commercial items, yes, it'll likely get opened.

But, I doubt they're going to open every personal package shipped overseas, but who knows.

How about not storing anything sensitive on the laptop, and also not doing anything illegal and you'll not have to worry at all about them looking stuff over...duh. :)

Brian at February 12, 2008 03:24 PM:
Disabling a disk in the BIOS was a trick good enough for Windoze 9x/ME. Beginning with Windoze NT the BIOS must see just the boot disk, Windoze do not care about it at all, so does Linux. They find the disks without the help of the BIOS. And even if it would work, it doesn't solve the problem of hiding a partition. There's no mechanism in BIOS to say which partitions are visible, unless perhaps some unusual and special BIOS. The only thing which could hide a partition is modifying the partition table, e.g. with a tool like dd. To cross the border you put there a fake table showing just the first partition. You put there the real one when needed. A floppy Linux distro would do the trick. Likely the copy of both partition tables could be left on the floppy mixed in some large directories, e.g. /usr/bin, eventually appended to some of the binaries stored there. It surely isn't fool proof, but it would take a smarter guy then those currently posted at the border check. If asked, why not all of the disk capacity is allocated, you say you plan installing Linux in dual boot. Up to them to prove the Linux is already there on an encrypted filesystem. Now you just need to invent some justification for presence of random data on the unalocated part of the disk.

Brian at February 12, 2008 03:24 PM:
Disabling a disk in the BIOS was a trick good enough for Windoze 9x/ME. Beginning with Windoze NT the BIOS must see just the boot disk, Windoze do not care about it at all, so does Linux. They find the disks without the help of the BIOS. And even if it would work, it doesn't solve the problem of hiding a partition. There's no mechanism in BIOS to say which partitions are visible, unless perhaps some unusual and special BIOS. The only thing which could hide a partition is modifying the partition table, e.g. with a tool like dd. To cross the border you put there a fake table showing just the first partition. You put there the real one when needed. A floppy Linux distro would do the trick. Likely the copy of both partition tables could be left on the floppy mixed in some large directories, e.g. /usr/bin, eventually appended to some of the binaries stored there. It surely isn't fool proof, but it would take a smarter guy then those currently posted at the border check. If asked, why not all of the disk capacity is allocated, you say you plan installing Linux in dual boot. Up to them to prove the Linux is already there on an encrypted filesystem. Now you just need to invent some justification for presence of random data on the unalocated part of the disk.

Could someone recommend a really good, modern version of PGP for linux?

@Lawrence Pingree:

Just in case you are /actually/ being serious, ask yourself the following questions:

1. Does the fact that you don't consider anything on your laptop "sensitive" or not change whether or not an official can seize it? Does the fact that an official may or may not consider it sensitive change anything?

2. How will you know if you are doing anything illegal until the officials seize your stuff, take a few months to look it over, and then come up with an appropriate charge?

3. What if you are compelled by law to protect such data from anyone, including any government?

4. So, I can come over and root through your files any time I like? I mean, its not like you have anything to hide, right? Please make an ISO of all your computers and post the URL where we can all get at it. Unless, of course, you have something to hide. Which means you are guilty. Which means you must hand over all your data immediately.

Authorities have been dispatched. Good luck with that.

@Brian

"You still have the right to keep your mouth shut."

Kind of like the drunk guy who had the right to remain silent, but just didn't have the ability?

What if they waterboard your data, and it tells them your password?

Wait, I've got that backwards.

@Anon -- dd's a brilliant idea, thank you!

@Lawrence Pingree:

Not being guilty of anything didn't save Arar from being deported to Syria to be tortured.

Just dont take a laptop at all.. Upload the sensitive info to a secure remote server and travel!..

@clvrmnky

How did PhD students keep their data secure when crossing borders before computers?

You make it sound like your SO is conducting espionage. If the security of the data is really that critical she shouldn't be carrying it across borders in the first place. To the extent that the data isn't legally protected from customs searches at the border she can't say that she's "reasonably protecting" the data when she carries it across a border. She can't reasonably protect the data if the entire computer can be seized. Perhaps you and her need to spend more time talking to a lawyer and less time worrying about the technology. If the data is as sensitive as you describe it sounds like she's violating the laws of the countries she's traveling to. Why else would she need to go to such extremes to keep the information secret from those governments?

As far as the U.S. being unfriendly to privacy, that's just false. The U.S. tends to have higher privacy standards than most countries, even today. We also tend to scream most loudly when out privacy is being compromised. CALEA caused a great deal of noise when it was discussed and implemented in the U.S in the 1990s. The same capability was quietly implemented by the RCMP in Canada in the 1970s. The Canadians companies involved were still trying to keep it quiet during the CALEA discussions in the 1990s. They probably still are.

The real issue in this post isn't the searching of the computers. It's the singling out specific individuals for special attention due to being members of specific ethnic or religious groups. It's the bigotry that's the problem, not the perceived violation of privacy.

If you can't trust the data to a public server in encrypted form you really shouldn't be trying to get it across borders. Could I suggest your SO talk to a lawyer at her university and find out what her real obligations are?

This sounds like a job for a nasty piece of malware, delayed activation and non- propagating, of course, stored on any removable media you might want to carry across the border.

The "law" allows them to force you to divulge keys and passwords when they ask, but are they going to ask if you know of any malware on a drive you're carrying? Sound's deniable to me.

OK, before all you learned types pile on, I'm not as computer savvy as I would like to be, so I don't know if such a thing is actually practical, but it's still nice to think this could be done.

Whoops, I think I just advocated resistance against illegal actions of the US government. Can someone feed my cats while I'm in Cuba?

I've been a regular reader to your blog for a while. When I read this story, I decided to post the following comment the the TSA blog, not that I really believe it'll help (and even if they do it, it's still barely a stopgap measure), but I'll crosspost it here for the heck of it (it's long):

Suggestion:

Above, TSA wrote that people should "ask to see a supervisor or screening manager immediately" if someone from TSA asked for passwords, or confiscated a laptop. In response, wthdik asked what a person should do when TSA's response to that question is "I make the rules". Tsa tso ny responded that one should then ask for the "AFSD/DFSD/FSD".

Obviously, for a lawyer, vetran traveller, or exceptionally aware citizen, it might be possible know those things. For the average person, occasional traveller, foreign citizen, and many others, this is clearly impractical for many reasons.

I've heard it said before that this blog is heard by higher-ups, so here's my suggestion:

For every traveller, in every airport, checkpoint, and in every place that a person passes, require that every place provide them a "receipt", which uniquely identifies the checkpoint/station, the individual screeners, officers, and others involved with the person (possibly using a coded number), the manager of the location, and other relevant names with titles, telephone numbers, and the date/time. This same information could also be sent to an email address (if provided by the passenger when getting their ticket), to prevent screeners with questionable ethics from refusing to give a receipt, as refusing the receipt would not remove the email, presuming you send the email at the same time the receipt is generated.

This would allow travellers to contact the appropriate persons with complaints, and questions. It also allows a person to contact the appropriate authorities after the fact, if they feared doing so at the time, a very realistic concern, given the current heavy handed government.

It's pretty easy to print receipts, it's very easy to send email. I'd think this would be cheap to implement.

Example:
------------------------------------------------------------------------------------------------
Date/Time: 2008 Feb 12, 6:10pm
Location: LAX, Station 387
LocGrp: Y55
Screeners:
- JAMES (08E56A)
- JOHANSON (3BB651)
- SMITH (8836FA)
Supervisor:
Ms. ADAMS (78DAD3)
+1 333 555.1212
Screening Manager:
Mr. HUTCHENSON (8C8FE0)
+1 333 555.1213

If you have any problems with the screening process, a compliment, complaint, or question, please bring it up with one of the above persons. It is best to let us know immediately, but if you cannot, please use the above information to alert us to your issue at your earliest convienance. If you have a question, you may be able to find an answer at one of the following:

- http://www.tsa.gov/
- http://www.tsa.gov/URL2

Thank you for travelling in the UNITED STATES OF AMERICA, home of the free, land of the brave.
------------------------------------------------------------------------------------------------
In the above example, the date/time should be the LOCAL date and time, although it may be useful to also print UTC in addition to the local time.
The location line should uniquely identify the airport, and specific station.
The LocGrp line should uniquely identify the group (for instance, if there are a group of screening stations).
The Screeners lines should identify every screener, officer, etc., who was somehow personally involved with the person receiving the receipt.
The Supervisor line should identify the local supervisor, and provide a phone number to contact that supervisor. The number should NOT go directly to the supervisor, it should go to someone who is able to contact the supervisor (i.e. the security department perhaps), it should be a number at the airport, not a state/federal number.
The Screening Manager line should contain the name and phone number of the manager of all screeners at the airport identified.
The URL's listed should include a main URL for the TSA, and additional URL's, which might answer questions specific to that airport, that section of the airport, that portion of the country, etc.

The unique identifiers, for the particular screening location, the screeners themselves, the supervisor, and the group of screeners ought to be static, so "station 387" is always "station 387", and screener "SMITH (8836FA)" is always "SMITH (8836FA)". The numbers only need to be unique within that particular airport, not nationwide.

In addition to the receipt, screeners (and other regular security personell) should have the same ID very prominently displayed on their person, so if their ID on the receipt is "SMITH (8836FA)", then on their person (usually at the left breast), should be a badge that reads "SMITH", or perhaps "SMITH (8836FA)", in 3/4 to 1 inch letters (possibly on 2 lines).

Perhaps customs should do the same.

@Leo

"Why else would she need to go to such extremes to keep the information secret from those governments?"

The only answer to this is "none of your f-ing business".

This is the same answer you give to any government as well. If they can generate and keep secrets, then so can the rest of us. My personal and corporate secrets, and the need to keep them secret, trumps your vicarious busy-body micromanagement.

But since that kind of answer just marks you for "extraordinary rendition" to Syria these days, hiding the information as best you can and offering a distraction in its place seems a better option.

The only practical solutions seems to be: Save your data to an encrypted ISO/tar.bz2/zip whatever, put it on the web, wipe your laptop, enter without complaining.

Download the data upon arrival.

Since this isn't the hardest task, or hard to find out, it's crazy to believe you could find something valuable by screening a laptop for a few minutes.

The land of the free - empowered dullness.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

It sounds like because of this BS there is a big market now for laptops with easily swappable hard drives.

Before travel, put a fresh hard drive with the basic stuff into your laptop, keep the data either encrypted in a double layer, or online.

Upon return, replace the hard drive. With this, you are only moving hardware around, the data stays at home.

@Anonymous

"The only answer to this is "none of your f-ing business"."

That's the answer of a child. If you want to come into my house you have an obligation to convince me that you don't plan on doing damage after I let you in. Border guards have every right to ensure that someone coming into a country is not trying to harm that country or violate its laws. If you can't live by a country's laws don't ask to enter. If you have data that violates a country's laws leave it at home.

It's got nothing to do with "vicarious busy-body micromanagement". No one has the right to violate the laws of a nation and demand that evidence of that crime be kept hidden, not in any civilized society.

There are reasons for engaging in illegal activities in oppressive countries, but if you're a human rights worker, for example, going into such a country it's just stupid to expect any data on your computer to be secure. Attempting to hide the data is only going to make you look more suspicious. At that point you need to take lessons from professional spies and use the proper tools, not some hacked together computer security that's more likely to attract unwanted attention.

If, on the other hand, you're traveling with something like trade or patent secrets you need to confine your travel to countries that respect those secrets and get the proper legal and diplomatic documents necessary to protect that data. In that situation legal protection is more important than fancy technology. Failing to get the legal protection would probably be considered by the data's owners to be failure to take proper precautions with data.

If you can't tell the guards of a country why you're bringing secret information into that country you have no right to do so. Just leave it at home. Or be prepared to suffer the consequences of that country's laws.

If you try to come into my country with secrets those secrets become the business of those who protect my country.

Actually, probably the most entertaining way to avoid this problem is to carry a stack of NDAs and inventory receipts in your bag.

"Why, certainly, Mr. Border Guard. However, my laptop contains Vitally Secret information to my company that I cannot legally disclose without the viewer signing this Non-Disclosure Agreement, here, yes, that's right, please initial here, here, and here... oh, just ignore that paragraph about fiscal liabilities, yes, initial there and there, and sign here. What's that, you need to impound my laptop? Very well, I suppose I can get Corporate to FedEx me another overnight, but I'll need some sort of inventory receipt signed so that those bastards in Accounting don't give me trouble if it gets lost..."

(all kidding aside, I'm a big believer in the infinitely more practical advice: "...cleaning out your laptop and BlackBerry regularly; if you don't have it on your computer, no one else can get his hands on it. This defense not only works against U.S. customs, but against the much more likely threat of you losing the damn thing.")

FYI
Many States Elect Not to Use Flawed E-Voting Technology
http://www.sciam.com/article.cfm?id=electronic-voting-election

Ladies & Gents,

You are missing the point of this by getting lost in the technical aspects. There are no new problems here.. just masked by technology.

Firstly, do US citizens deserve protection from unreasonable search and seizure when entering/leaving the country? I suspect that there are already numerous court decisions on this. These precedents should be used to intrepret whether or not we have a right to privacy, which I suspect we don't in this situation.

Secondly, non citizens are not protected, so we can do whatever we want to you.

Finally, putting back on my propeller hat, I suggest that at this point, they are looking for web sites visited which may reveal you as a threat. This could be something as inoccuous as reading indynews or al jazeera's news. So, if you must use a laptop on your travels, I suggest you use a bootable cd image of your favorite linux distro to do surfing and then keep windblows installed for the morons at TSA.

Good luck.

Is there a link someone can post which outlines the rights I (as a traveller) do have when passing through customs?

I just have linux on my laptop, so is it the case that (depending on the person involved), when the "Welcome to Windows" doesn't appear I could have my laptop confiscated? How savvy are the people involved?

Also are there any limitations on what they can do with the laptop after they confiscate it? ie. depending on the industry you're in, the data on your laptop could be very interesting to an American competitor.

@Richard C: "outline[s] the rights I (as a traveller) do have when passing through customs?"

Roughly speaking... none. You are in something like "no-man's land" before entering a country. A sovereign country has pretty much any right to define if and how it lets "aliens" in. Some basic human rights *might* apply, though.

I am not sure, but it *could* be that you can just turn your back if you don't like the procedures. If you want to get in, however, you have to comply.

Furthermore, you have improved rights when re-entering your home country as a citizen. (E.g., I am not sure whether they can deny you entry at all.)

[quote]Is there a link someone can post which outlines the rights I (as a traveller) do have when passing through customs?[/quote]

Unfortunately, the real answer is: "None". If the "security" officer say he won't allow you on the flight, there is very little you can do. That's the kind of power these people have and that's what's really scaring: law does not apply to them because they have excessive nuisance power with not enough supervision.

Back on encryption, Truecrypt has a very interesting feature: hidden disks. Basically, you create an encrypted contained of a specific size and create a hidden volume inside (at the end of the file). Since the container is completely encrypted, there is no way to prove that the "free" space isn't actually used by a secondary encryption layer.

That means that, when asked for password, you can give the password for the "outer" container without disclosing the content of the inner one: nobody will be able to prove or even detect the presence of the secondary container.

"Some basic human rights *might* apply, though."

Well, according to Mr. Bush (Jr.) that doesn't include protection from being tortured by waterboarding...

@Leo

Your analogy of someone entering your house is interesting.

If you read the first and second paragraphs of the article, you will see that US citizens are the targets of these procedures.

The US federal government does not own this country, the citizens do, even though we seem to have forgotten of late.

So, a better analogy would be the neighbor you asked to watch your house while you are on vacation not letting YOU back in.

I suspect you might say something like the customs agents are working for the citizens of the US. I didn't vote for them. You? Where is their mandate?

Pop the HD out, wrap it up and mail it. They are so small it shouldn't cost much and you don't have to worry about a broken LCD. Stick in a live CD and tell them you don't use a HD if they ask.

@nerdboy: GnuPG; I'm surprised any Linux user is not familiar with it (it's the de facto PGP work-alike on *nix systems, and has been for at least 7-8 years now).

If this was a serious enough problem to spend some time on, I suppose a good solution would be to use steganography on a large scale. Download a 100 gigs of images/movies and create a steganographic file system. Not particularly efficient, but very non-suspicious.

I hardly think that the level of technical sophistication of the TSE is at a level that they would recognized anything other than something labeled "kiddie porn" or "How to Make a Bomb". They are obviously looking more toward the traveler reaction to the search than specific data. So, just smile and give them your password, and they will leave you alone (unless you are a Moslem with a loud voice chanting "Allah is Great".

The problem with Engineers is that they talk too much about technical solutions. Encryption certainly would not help. You lose your laptop just buy another one. Hopefully one of the judges will figure out that this has nothing to do with security and force them to stop the practice. The bright side is that you need not carry your laptop anymore, just borrow one from whoever you are visiting. We now have a perfect excuse.

These officers claim that at customs, it's a "no-man's land" and that you have no right to refuse any of their orders in order to re-enter your own country. However, there has been a case where a man was found to have child porn on his system, and he was not required to reveal his password due to Fifth Amendment rights. Thus, people do have the right to refuse to be searched on the grounds of Fourth Amendment, and to refuse to give a password on Fifth Amendment grounds. The assertion of rights is the mark of a troublemaker, but under that definition I'd rather be a troublemaker than watch as rights are even more eroded. If a guy with kiddie-porn can maintain his privacy, then I should be able to, as well.

The idea of racial and religious profiling is also one that my own observation seems to confirm, but this is based on outside observation, since I don't travel a lot. Also, being of European descent, there isn't much for me to look suspicious about.

When there isn't a really compelling reason to search, other than "because we're allowed to" or "because we're told to," citizens of the US are perfectly within their rights to refuse and I'd even say that they should, in order to assert the right. It slows you down, but it also slows them down, requires them to come up with a really compelling reason for the search, and is a thorn in their sides. This is certainly a Constitutional issue.

The Pirate Party's stance is that this invasive practice diminishes individual dignity, and only serves to "put people in their place" rather than accomplishing anything meaningfully protective.

@Anon:

dd's a good idea, but here's a truly awesome one: Use the hidden volume feature of TrueCrypt, on the partition in question, and *then* use dd to hide the existence of an extra partition.

That way, most dim-wits wouldn't even know to look - but if somehow they got wise, you could give the passphrase to the outer volume with decoy files.

I've got a solution:

Leave, and don't come back in. America's going to hell in a handbasket.

@Lawrence Pingree:
"How about not storing anything sensitive on the laptop, and also not doing anything illegal and you'll not have to worry at all about them looking stuff over...duh. :)"

You're hopeless.

@nerdboy:
GnuPG for public-key crypto:
https://www.gnupg.org

LUKS for full-disk encryption:
http://luks.endorphin.org

TrueCrypt for volume encryption, with some steganographic ability:
http://www.truecrypt.org

Sorry, but there's no one Linux program that I know of which does everything some modern versions of PGP for Windows does.

@Neighborcat:
"This sounds like a job for a nasty piece of malware, delayed activation and non- propagating, of course, stored on any removable media you might want to carry across the border."

The sad thing is, it probably would work extremely well. I bet their system/network security is horrid.

@Stefan W.:
"The only practical solutions seems to be: Save your data to an encrypted ISO/tar.bz2/zip whatever, put it on the web, wipe your laptop, enter without complaining."

This sounds like a reasonable solution, assuming sufficient bandwidth is available.

Since they seem to be intent on confiscating hardware, I am surprised no one has loaded a laptop up with the most viruses and malware possible and taken a trip across the border just to refuse to boot the machine.

I suppose "Listen, my job is to research viruses, and that machine is infected. I do not recommend starting it up on your network, nor do I recommend using any of your machines to analyze it" combined with "This is also a company laptop, and as such I do not have the authority to allow you to review it's contents, as it may contain proprietary information" would make them want to inspect it more, then charge you for maliciously attacking the government.

Their behavior is that of thugs, and they revel in it. They take great emphasis to point out you're in "no-man's land" and have no rights, which gives them license to do whatever they wish (in their minds.)

Why travel with a laptop? Surely you can find a remote solution for short trips, and ship your hardware to yourself before traveling.

This is a particularly disturbing pattern of behavior for border patrol, and for our government. More and more it seems our rights are a myth of the times of yore, and today we are at the whims of the power-hungry.

The big question is not how to encrypt the hard drive. The question is to how to make the costs of useless security theater boomerang back onto the TSA without inconveniencing the traveler too much.

Maybe that's should be the next contest rather than creating Doomsday scenarios.

Truecrypt allows you to use a keyfile in addition to a passphrase - file of random bits that is required to decrypt. Perhaps PGPdisk offers a similar feature.

That seems like an obvious solution to the problem of a customs official demanding your password: sure I can tell you that, but it won't work without the keyfile. And I don't have the keyfile. (It's on a USB disk that you posted before travelling, or is stored somewhere on the internet).

@Alex: "sure I can tell you that, but it won't work without the keyfile"

Man, this is screaming for trouble.
If you want to get in, *comply* - do not try to outwit the border guards. They won't react nicely to that and guess who will suffer from their reaction?

What some inernational travelers do that travel regular routes (lots of business in the US) is they keep a laptop/cell phone stored in the country and do not travel with these devices.

With network access being as ubiquitous as it is, do we really need local copies of anything anymore?

Except our encryption keys,of course. :-)

Unfortunately, until a MEANINGFUL change of administration in the US, the federals will continue to use the terrible threesome of "terrorism, child pornography and drugs" to support their wholesale violations of privacy.

Just thought of something as I was reading everyone's debate about whether to bring data through or post/transfer it ahead of time -- has anyone had experience with SD/MMC cards through metal detectors? I suspect they're small enough, and have little enough metal, that they wouldn't set anything off (depending on the airport, my belt buckle will/won't set off the detector).

As storage media gets smaller and smaller, people might just resort to putting their data on a tiny chip and slipping it under their tongues, gluing it into their armpits, etc. or the ultimate, subdermal implants.

Similarly, with conductive threads and related technology, clothing will merge with personal storage and power systems.

What will customs do when people *are* storage?

@Paeniteo: the "I don't have the keyfile" trick would undoubtedly cause problems if you use it on your main system disk. But it might well be useful as a last resort safeguard for your second-tier encrypted data - especially with TrueCrypt, given that an unmounted volume can't be distinguished from random data. Certainly it's more reasonable than some of the ideas raised here (seriously, an instant wipe switch?)

If your strategy is "comply with any demand", why encrypt in the first place? Obviously the keyfile method is only of interest for someone who does not intend to let anyone examine their data.

@Arghblarg: Years ago I had an ancient USB keydrive fail after a return flight. It might have been zapped by an x-ray, or it might have been coincidence. A CF card in a camera is not affected by cabin baggage x-rays in my experience.

@Alex: "If your strategy is "comply with any demand", why encrypt in the first place?"

"comply" is only the first half of the strategy. The second half is to make sure that is is easy for you to comply (i.e. have nothing sensitive on the machine, in the first place).
Just backup your "second tier" data away.

Finally, encryption protects less confidential stuff from the entirely different "laptop stolen" threat vector.

If the border guards find encrypted stuff on the machine and they demand that you decrypt it for them, non-compliance will only cause problems.
Either hide it well enough or do not store it on the machine. But do not refuse to decrypt (they won't make much of a distinction between "I would love to, but the keyfile is not here." and a simple "No.").

Their behavior is that of thugs, and they revel in it. They take great emphasis to point out you're in "no-man's land" and have no rights, which gives them license to do whatever they wish (in their minds.)

I'm interested in the "no man's land" doctrine. Does this mean that, should I take a swing at another passenger in the airport, I wouldn't be arrested? After all, if I'm outside US jurisdiction when I commit the offense, then I can't be tried under US law for assault. They'd be able to refuse me entry to the US, of course; but could they do anything else?

It gets still more interesting when you consider that you are under US law from the point where you fly into US airspace until the airplane doors open. If I punch another passenger on the aircraft, then I've committed assault under US law, and all my rights apply. But as soon as I get off the aircraft, apparently I drop out of US jurisdiction until I re-enter the US on foot through the passport check line.

"Does this mean that, should I take a swing at another passenger in the airport, I wouldn't be arrested?"

If "no man's land" is true, then, if you do this against a german citizen or are german yourself, you could be prosecuted under german law (in case you want to look it up: §7 StGb).
I suppose other nations have similar regulations.

The irony with idiocy like this is that it forces people to be less secure and then we complain bitterly when data is compromised (in this case, who is to say that the customs officials are flawless and won't sell data to organised crime).

So many Americans seem to want to have their cake and eat it - they don't want their personal details spread across the Internet because an association lost their data, but they want everything unsecured just in case a terrorist might make use of it. The worst of it is, the rest of the world might be following suit.

I work for a large multi-national US-based company, though personally based in the UK, and I find myself distinctly unwilling to visit our sites in the US because if I do go, I'll have to pass through all this stupidity at borders. I have a company laptop with confidential data on, which I have a legal obligation to prevent unauthorised access to. It would be expected that I brought it to the US.

What precisely am I supposed to do when a customs official asks to take a look, when I have expressly signed a piece of paper which says only those with company authorisation may view the contents? Got to love the legal catch-22.

Removing the data isn't trivial, but it looks like it might be the only way to go, which certainly cramps business practices. Well done America, you're busy screwing over your own corporations as well as individuals, to no useful gain.

@Arghblarg: "As storage media gets smaller and smaller, people might just resort to putting their data on a tiny chip and slipping it under their tongues, gluing it into their armpits, etc. or the ultimate, subdermal implants."

8GB MicroSDHC cards are already out. They could easily be hidden as you describe.

There are some nice nuggets of info in here, but some woefully awful pieces as well. Some thoughts:

- The security tactics employed on laptops and drive devices need to be operable by salespeople, HR people, customer account reps, accounting folks, etc. In other words, it can't be something that requires anything more than the most basic of knowledge.
- Shipping to destination? Anyone who has shipped trinkets, docs, equipment, overseas knows this is not an option.
- Don't get caught up in terrorism, porn, etc. Many companies will have staff engaged in M&A, HR, customer account information, that are all company secrets or protected personal information. They need some of that info to do their job while traveling.
- If you are truly an international company you will find yourself in many destinations where using VPN or downloading secure content is not an option. The world is a big place and lots of business gets done in tertiary cities in developing countries. That information needs to be available on site.

I do like the "nuclear" option. Encrypt the disk, but make the computer bootable. If they ask to unencrypt, use a password that wipes the data or that changes the encryption password.

It is very sad when you hear people talking to be afraid to fly to the US in the very same tone people used to talk to be afraid to fly to USSR during cold war.

Anyway, many business are rescheduling their meetings on more friendly lands.

Good luck to you, people, for the path you are taking has only one end. Others walked there before. None of them survived. For an example, take the roman empire. When the US finally falls (and it will fall if you stay in that path), I'm afraid that you will no longer lead the world more than the present Rome (taking away the Vatican) leads the world today.

For years Securstar has had full disk encryption (Drivecrypt plus pack) that has a duress password during pre-boot authentication. Upon entering the duress passphrase, they are presented with a benign copy of windows, not the real one. Also you can change the preboot authentication welcome screen from the canned pretty version to a black screen that states "Hard disk 0 failure..."

enjoy

What about encryption programs that make their ciphertext look innocent? I recall a paper that had the ciphertext look like a sportscasters play by play description, for example. It takes up a lot more space that way, but so what?

"What about encryption programs that make their ciphertext look innocent? I recall a paper that had the ciphertext look like a sportscasters play by play description, for example. It takes up a lot more space that way, but so what?"

I don't think you even need that, for the most part. These are border control agents; not computer forensics experts. I think a hidden folder will stump these guys.

The answer for non-US citizens is simple. Never go to the US. I'm not going back - ever. Not interested, not worth it. There are a lot of other countries that treat visitors with some degree of respect.

Replying to JohnD and Arghblarg:
"You've a subdermal implanted chip?
Fine: we've a surgeon here to get it out.
Unfortunately, we've no budget for
anaesthetics (drugs, you see)..."

There is no way that a determined person will __ever__ be stopped in a quest to get information into or out of a country. (As it has not been previously mentioned, a "root kit" is yet another wonderful way to hide information. Diplomatic pouches also work great.)

The real issue here is political, NOT technical: How do we wrestle control away from the folks who want us to be in a perpetual state of paranoid fear? How do we prevent America from becoming a clone of the states that we despise so much? Personally, I believe that anti-terrorism could well have done far more harm to America than the so-called "terrorists". My political contributions this year are going to candidates who are (a) smart and (b) not psycho.

Much as it is impossible to keep children away from "bad" Internet sites, it is equally impossible to keep people away from the information that Customs doesn't like. The only solution is to educate folks to make rational, informed decisions in a sea of really nasty information and mis-information.

Sermon over. The televised water boarding will now start ...

"You are now entering the United States. Where Muslim = n****r."

Two questions: how likely is my laptop to be confiscated after returning from a 3-week trip to Europe? And is confiscation increasing, or did the media just run out of other FUD-increasing topics?

I stopped travelling to the US when they stopped adhering to a Habeas Corpus principle.

I'm more worried about being nominated an enemy combatant and being deprived of basic human rights than loosing my employer's hardware or business files, however inconvenient this would be.

I have travelled frequently to the US in the past, but see no reason to do so again.

I feel bad for those who live there and want to travel, but on the other hand; you're a country at war! Should you really travel without a helmet?

This is really quite hilarious. We have this INTERNET thing now, and they are worried about data people are carrying across some border?

My son, is an American citizen, lives in Jordan and works for a company headquartered there. After a civilian job in Baghdad for over a year he was falsely accused of black marketeering - accused by the real black marketeers - but proved himself to the Dept. of State, to be innocent.
The issue was removed from 'all' the federal computers, supposedly!!!!
He has been vetted by our federal government and is allied to the Dept. of State. His job is to procure war material for those countries in Europe and the Middle East and see that the entire shipment of equipment arrives in whatever country that has ordered it.
On returning home for Thanksgiving last year, the ICE took his computer and all his files from him upon entry even though he was supposed to be doing business here in the states during the holiday time.
If it had not been for the assistance of an attorney that had helped him in the prior instance of the false accusation, he would not have his laptop back even now. Even with all that it took over a month of constant communication with ICE and threats of court issues to get them to send it back.
When the computer was returned to me, the laptop was almost damaged beyond belief. The internal clock was set back to a time when even the MAC programs in the computer had not been developed, yet!
Fortunately I had an identical computer which he took back with him after a week here.
What caused all that problem? The accusation from the previous time - which had been fairly resolved to prove him innocent, and which had been legally required to have been removed from all government computers and agencies - was still on the ICE computer watch list!
The fact is - no one is safe from our government!

I was really searching for info on remote hard disk reading, a-la RFID....that is to say, is my hard disk being read every time I send it through the TSA 'screening machine'....and there is no mention of my concern,...either I'm paranoid or this is the wrong blog.....oops......

PGP disk is related software to TruCrypt

@Posted by: clvrmnky at February 12, 2008 03:51 PM

I am glad to see at least one other person on the globe understands the correct approach.

I want to suggest as a possible additional approach for consideration.

in io.h
struct _finddata_t
{
unsigned attrib;
long time_create;
long time_access;
long time_write;
unsigned long size;
char name[260];
};

that last line tells us that we could have null ( numeric zero in electric impulses eqauates to null in that linguistic ) following "Nimwit.game" leaving 248 places for some determinsitic finite automa. Such a file name could be on a thumb drive packed with letters home and actual, valid personal business of you operative so that if operative placed in position of demonstrating the machine, then the rare but real risk of an inquisitor asking about the contents of the machine sees actual personal business being conducted. There are subtle mental effects that I learned from (*** ********) in high school that bear on the moment and he was a Master Social Engineer. He told me how he would die, someone would shoot him. Which is actually what happend.

You may see the fulltext at http://docdubya.com/belvedere/statement/index.html

For me, I would put this on a thumb drive with a plastic print reader. Most females consider emotive matters to be more important than such things as passwords and machines, the trick being that if the thumb drive is not in the machine then password is not accepted. She has her personal business on the thumb drive and that's what usually matters to them anyway, so in a critical moment this approach would synergize mental functioning.

This introduces a risk of loss of a smaller device during mission but females have an intrinsic that favors small. Such a mission as you describe has to do advanced risk management anyway so packing the thumb drive away in a side pocket of a travel bag is well within operational cover.

Take a Macintosh. That should confuse them.

Come on, all you ppl who think this is a 'security'-matter (i.e. spreading a wide web to catch random CP or to create a 'terrorist connection tree'):
It is of course nothing of the sort. If they do find something criminal it's a bonus, but the real purpose is just to 'up' the level of insecurity in the population and to normalize the act of being stopped and checked for [your favourite delinquency]... warm-up for a full on police state. (yeah, I know: you think you're already in a police state... just you wait. Just you wait...)