Schneier on Security
A blog covering security and security technology.
« Data Leakage Through Power Lines |
| Privacy Salience and Social Networking Sites »
July 15, 2009
Laptop Security while Crossing Borders
Last year, I wrote about the increasing propensity for governments, including the U.S. and Great Britain, to search the contents of people's laptops at customs. What we know is still based on anecdote, as no country has clarified the rules about what their customs officers are and are not allowed to do, and what rights people have.
Companies and individuals have dealt with this problem in several ways, from keeping sensitive data off laptops traveling internationally, to storing the data -- encrypted, of course -- on websites and then downloading it at the destination. I have never liked either solution. I do a lot of work on the road, and need to carry all sorts of data with me all the time. It's a lot of data, and downloading it can take a long time. Also, I like to work on long international flights.
There's another solution, one that works with whole-disk encryption products like PGP Disk (I'm on PGP's advisory board), TrueCrypt, and BitLocker: Encrypt the data to a key you don't know.
It sounds crazy, but stay with me. Caveat: Don't try this at home if you're not very familiar with whatever encryption product you're using. Failure results in a bricked computer. Don't blame me.
Step One: Before you board your plane, add another key to your whole-disk encryption (it'll probably mean adding another "user") -- and make it random. By "random," I mean really random: Pound the keyboard for a while, like a monkey trying to write Shakespeare. Don't make it memorable. Don't even try to memorize it.
Technically, this key doesn't directly encrypt your hard drive. Instead, it encrypts the key that is used to encrypt your hard drive -- that's how the software allows multiple users.
So now there are two different users named with two different keys: the one you normally use, and some random one you just invented.
Step Two: Send that new random key to someone you trust. Make sure the trusted recipient has it, and make sure it works. You won't be able to recover your hard drive without it.
Step Three: Burn, shred, delete or otherwise destroy all copies of that new random key. Forget it. If it was sufficiently random and non-memorable, this should be easy.
Step Four: Board your plane normally and use your computer for the whole flight.
Step Five: Before you land, delete the key you normally use.
At this point, you will not be able to boot your computer. The only key remaining is the one you forgot in Step Three. There's no need to lie to the customs official; you can even show him a copy of this article if he doesn't believe you.
Step Six: When you're safely through customs, get that random key back from your confidant, boot your computer and re-add the key you normally use to access your hard drive.
And that's it.
This is by no means a magic get-through-customs-easily card. Your computer might be impounded, and you might be taken to court and compelled to reveal who has the random key.
But the purpose of this protocol isn't to prevent all that; it's just to deny any possible access to your computer to customs. You might be delayed. You might have your computer seized. (This will cost you any work you did on the flight, but -- honestly -- at that point that's the least of your troubles.) You might be turned back or sent home. But when you're back home, you have access to your corporate management, your personal attorneys, your wits after a good night's sleep, and all the rights you normally have in whatever country you're now in.
This procedure not only protects you against the warrantless search of your data at the border, it also allows you to deny a customs official your data without having to lie or pretend -- which itself is often a crime.
Now the big question: Who should you send that random key to?
Certainly it should be someone you trust, but -- more importantly -- it should be someone with whom you have a privileged relationship. Depending on the laws in your country, this could be your spouse, your attorney, your business partner or your priest. In a larger company, the IT department could institutionalize this as a policy, with the help desk acting as the key holder.
You could also send it to yourself, but be careful. You don't want to e-mail it to your webmail account, because then you'd be lying when you tell the customs official that there is no possible way you can decrypt the drive.
You could put the key on a USB drive and send it to your destination, but there are potential failure modes. It could fail to get there in time to be waiting for your arrival, or it might not get there at all. You could airmail the drive with the key on it to yourself a couple of times, in a couple of different ways, and also fax the key to yourself ... but that's more work than I want to do when I'm traveling.
If you only care about the return trip, you can set it up before you return. Or you can set up an elaborate one-time pad system, with identical lists of keys with you and at home: Destroy each key on the list you have with you as you use it.
Remember that you'll need to have full-disk encryption, using a product such as PGP Disk, TrueCrypt or BitLocker, already installed and enabled to make this work.
I don't think we'll ever get to the point where our computer data is safe when crossing an international border. Even if countries like the U.S. and Britain clarify their rules and institute privacy protections, there will always be other countries that will exercise greater latitude with their authority. And sometimes protecting your data means protecting your data from yourself.
This essay originally appeared on Wired.com.
Posted on July 15, 2009 at 12:10 PM
• 165 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
For individuals with "company confidential" data or data of a "private medical" or "human resources" nature this sounds like the kernel of a company policy that can thwart liability issues related to laptop loss or theft. Once locked access to the data mandates a cell phone call or SMS message sent from a manager and/ or also a company security agent after jumping through some hoops. Since the manager and agent are not physically present it is harder to compel the release of the key. Dual boot or perhaps virtual machines can provide limited transient usability and some protection from total bricking the box.
And when the border guard listens to your story and replies "so call your wife right now and get the key"? It's simply not true that you have no means to decrypt your system, merely that you can't decrypt it without the cooperation of someone else, someone not in the custody of the border guards.
If your data is so very sensitive that that's a good trade off, more power to you. If you want to make a stand on principle, more power to you. If it's just data for business, revealing it to customs is unlikely to matter to your business (assuming you don't work for a business competeing for the outsourcing of that border guard's job). Putting yourself in a situation where local police are holding you while they try to extort somehting from your family is what most people try to *avoid* when travelling!
nice one. but practically, what's the difference between this and knowing the key and just lying about it?
Skorj, re-read the article where Bruce addresses your concerns about who should have access to the key.
This kind of elaborate setup will make you loose your computer at the customs. They will ask you to boot it up... when you'll not be able to do that, they'll will not listen to your story and will just keep the computer.
I believe it better to have something you can boot into and let them search than having something they cannot search.
Truecrypt Hidden Volume (http://www.truecrypt.org/hiddenvolume) will allow you to get past this without bringing suspicion by not being able to log into your own computer.
If you are using a wholedisk encryption with an hidden volume inside it, you'll even have a reason to have Truecrypt installed.
You'll keep a much lower profile this way and low profile always mean less trouble at the customs.
Or you can also use online encrypted storage (Jungledisk for example) so you computer doesn't have any private data on it. But this only work if your going someplace where you can have good online access.
If you have a travel partner, you could encrypt the disk, keep the key on a USB stick, take the disk out, give it to your partner, and go through customs separately. You have an obviously non-functional laptop ("Look, officer McDoughnut, no disk!"), he has an inert bit of PC hardware that is unlikely to elicit comment, and which looks filled with random noise if it is inspected. Unless they're specifically looking for you, they're unlikely to correlate you and your partner from among the other thousands of travelers whose stuff they paw through.
The oft-forgotten security factor (like what-you-know, what-you-have, who-you-are) is where-you-are. You could have a device, or your computer if it contains a GPS system, that won't unlock unless it's in a certain location.
When the plane lands remove the hard drive from the boot order. When the customs agent tells you to turn it on simply tell him "The machine can't boot, I am going to get someone to fix it as soon as I can" As proof you can simply turn on the computer.
What about just creating an 2 different encrypted volumes? Deniable assets are what TrueCrypt is all about and its not like it keeps a history what volume you loaded up.
If a customs agent sees TrueCrypt and asks you to load up you volume, you load up the volume that has some sensitive info that you don't mind them seeing - which is pretty easy to come by - bank statements, certificates, on-line purchase confirmations etc.
The REALLY sensitive volume they never know about (assuming you don't do something silly and leave an unknown 2 gig file on your desktop for them to question).
Is there even a way to search out TrueCrypt volumes? I'd be interested to hear other's thoughts on it.
You're making this far too difficult. I used to travel extensively, mostly just in the continental U.S., but occasionally across US borders. Right before landing, when entering the U.S., I would wipe my Master Boot Record (MBR) to prevent the computer from booting period. This requires knowledge of how to restore the MBR when you have cleared customs, but learning and practicing this is trivial. Then, if they asked me to power it on, I would defer, telling them it's okay for them to power it on.
If they powered it on, then it would fail to boot, showing missing an operating system, and I would put pressure on them asking what happened? Because they would break protocol by powering it on, and with the possibility of me blaming, and potentially suing them for breaking my laptop, this should be an easy way through customs. Even if I miss my next flight (I have to go to one of those private rooms), at least they won't get access to my data.
I never had to worry about this, but I always wiped my MBR before landing anyway.
Even better, as Mike Power mentioned a few comments back- tell them your computer is broken- it happened while on the road, and you're hoping to get it fixed as soon as you land. Because the MBR is wiped, and powering it on will confirm your story, I would imagine your probability of getting through with your laptop would be quite high. Restore the MBR when you have cleared customs, and you're back to normal.
As I read the method, it seems very good. But I see several issues with the confidant (Step 2) depending upon what countries you are visiting AND how that country views you.
If the confidant's data and premises are already monitored extensively, the other country may have the second key by the time you get there.
For most travellers, these risk should very low. If you are specifically targeted already by the other country, perhaps it's wiser to change travel plans.
Mike Power: the problem with that is that you're lying, which in itself is often a crime. Bruce's article points out a way of not having to lie.
Skorj: the NSA is not above corporate espionage using Echelon. Given the track record of the US agencies in this area, what is to stop the DHS from doing corporate espionage by seizing laptops at the border under the pretext of searching for contraband?
What I don't understand about border crossings is that courts consider computer data on the same level as physical contraband, giving customs a right to search it.
Remember that to play this game you can't obfuscate or lie; the rules are that to misrepresent about access to the data might be breaking the law.
The point is to limit, in some manner, warrantless access to your data, while also staying within the laws of the land you happen to be passing through.
Which is why Bruce had the aside about /who/ should have this key that you honestly do not have yourself.
Bruce, you should know better: http://xkcd.com/538/
The solution you propose will just make you look like a dangerous bad guy to the border guards. They want to inspect your laptop, and you propose to tell them that you're resorting to extreme measures to foil them. Very bad move.
It seems to me that the right solution is for your laptop to look like an ordinary laptop, complete with info that looks like business information, personal information, and maybe even something moderately embarrassing, but nothing that will raise their attention. Meanwhile, the actual confidential information would be stored in such a way that a casual browse through your laptop doesn't notice it. The key is that the border guards should not be aware that there is something on the laptop that they cannot see.
In my opinion the best way to pass easily through customs is to appear as normal as possible with as little reason to arouse suspicion even if they did stop and inspect your laptop. To this end I would use VirtualBox (which I use for web development anyway and have legit reasons to have installed) and have a VM that contains a seperate OS that I use when working with private data. Then inside that VM I would have a Truecrypt volume that appears to be a regular old video file amongst other video files. Sure, this is using obscurity to prevent suspicion but officers would have to go really deep to detect it and then after that push you to provide keys. Perhaps on top of this you would want to use random keys you give to someone. This way your chance of ever being demanded upon is very small and even in situations of typical scrutiny you appear "clean".
I second Joe Buck's recommendation.
Remember, the border guards can also refuse to let you enter if they want to.
Showing that you have something you have to hide from them would probably be reason enough for them to refuse to let you through. Or to confiscate your laptop.
In this case, camouflage would be the best approach.
But use the other method for anything that you REALLY don't want them to find.
Step 6 will probably never happen if you show a border guard or customs official an article about encryption. You will not get safely through customs, you'll end up on a secret list and get hassled every single time you travel for the rest of your life. As the database you're in ages (and people begin to forget how it was created), you might be simply barred entry into places you want to go.
Seems like a much easier solution is to put the data you care about on a USB drive (carried separately from your laptop) or iPod data partition. I don't think a custom agents are in the habit of checking iPods. You'd look a lot less suspicious than a guy with a computer that won't boot.
This could be the basis of an interesting startup. One sends the key to this startup which transfers it to several persons out of a set of a lot of people, randomly so that no-one at the startup know who got the key. After successful arrival, one notifies the startup which then notifies all people. Those who got the key then physically transfer it to the traveler.
This wouldn't be just plausible deniability, this would mean that one truly doesn't know who got the key.
"Now the big question: Who should you send that random key to?"
So, You assume that US Customs and Border Control have the power to question citizens of foreign countries? Really? I don't think so. The only way anybody in the USA can force some foreign countries citizens to do or say something is to officially apply for extradition and ask questions on the US soil. And thats VERY problematic, I might say totally impossible, because to apply for extradition that person should have done something criminal. Not answering to DHS questions is hardly criminal act anywhere in the world...
@N/A No, you're not lying. If your operating system can't boot, due to a corrupted or missing MBR, your computer is "broken". You're hoping to get it fixed when you clear customs, even if you're the one fixing it.
Peter: You forgot that the US hardly cares about other nations sovereignty and cares even less about other nations' citizen. (eg. Guantanamo Bay, various *ahem* regime changes)
Customs officials should typically be bound by confidentiality unless you are carrying information that is a security threat. All this elaborate cloak-and-dagger stuff assumes that there is something SO super sensitive or SO illegal on your computer that you are willing to spend this much time creating these hoops for them to jump through.
"I have no knowledge of that event, Senator.", said by many a politician with a head full of data. Just try to prove that they knew anything, or that they did not sleep through the whole review process. So far, if you can keep your wits about you, lying is the easiest way to handle a problem like this. Anyone with politicians in the government can attest to it.
I think I would do what I do at customs every time: be helpful, slow, and boring.
"Did you buy anything out of the country?" "Yes, a few things, some souvenirs for my mom, and a few books, I think it was 5 books... no, wait, maybe it was four? It was and and then ..." By that time they are already saying "ok, you can pass, just shut up". Also, having a smile on your face (hard when you had a 12 hour flight) helps a lot.
Yes they can correlate you with your travel parter if you bought your tickets together, checked in together, paid with the same credit card, and probably many other ways. If you've ever watched "Border Control" or similar program you'll see that they do that all the time with drug couriers that try to appear to travel separately.
"You forgot that the US hardly cares about other nations sovereignty and cares even less about other nations' citizen. (eg. Guantanamo Bay, various *ahem* regime changes)"
Florian: get real. The possibility that US put together massive military operation and troops hijack my grandmother from her apartement in Helsinki, Finland is how high?
Great article. Reminds me of when i was going through customs and asked to turn on my computer, I had a CD copy of Ubuntu in my laptop and it booted into the fresh live trial of Ubuntu leaving my Windows partition completely un-noticed
I don't find breaking your bootloader to be a compelling approach.
As mentioned in the article, what we know about searches are antidotes. But it seems CBP agents can and sometimes do make a copy of your hard-drive. Breaking the bootloader will not prevent this, nor prevent a naive agent from arbitrarily booting into the local image that they have created.
To me, this is more worrisome than having some agent poke around my pictures and internet history in my presence. Once an image is created, there are all sorts of questions about retention that are secret. How long do they keep my data? Who has access? Is it put on a network? Is it farmed out to a third party for processing? Is it going to show up in a few years on a harddrive from the old equipment that the DHS is liquidating?
Peter: I was referring to the fact that _you_ are at the airport, maybe sitting in one of these nice private rooms, and the US hardly cares about your rights then. Your grandmother may be safe. But you?
@Pfish - bound by Confidentiality agreements is a lot like Non-disclosure agreements... Worthless once your data is already leaked out and exposed. That's not to say they don't have their place.. Bu reliance of those documents is particularly amusing when a large number of people have to sign them.. Have fun trying to prove which one violated the agreement.
As a side note.. if docs are password protected, do you have to put those passwords in?
Another vote for Joe Buck. Unless your actual GOAL is to create a huge legal case to get the system reformed, the information would be better protected by keeping it hidden somewhere off the laptop. (but still encrypted)
I normally hate security through obscurity, but "hiding in the gigabytes of noise" has value. Would customs notice if one or two of the 40 DVDs in your movie folio didn't play, and even had a truecrypt volume on it? Would they search all of your belongings closely enough to notice a microSD card tucked away in a corner somewhere? possibly in a moneyclip where X-rays wouldn't see? Admittedly, you can "only" get 32GB in each of those, not the terrabyte you could fit on a hard drive, but how much sensitive information are you concerned about?
When I start going down this path too far, I find it wise to remember that *I* don't actually have any information really worth protecting.
"A 15lb bike needs a 25lb lock. A 40lb bike doesn't need a lock"
Also i would have to agree Pfish, going to such great lengths to hide your data makes you look guilty, not to mention could just annoy the gaurd who could make your life a lot worse. Why not just stick whatever you want hiddin in a folder, encrypt it, stick it somewhere in the depths of your OS? I doubt they would dig deep enough to find it
@Jeremy Clark Of course your operating system is on an encrypted drive. So what if they image it? What good is it? So what if they reconstruct the MBR? It's still encrypted. Your data is in tact, so long as the encryption is strong.
@Jeremy Clark Further, the whole point of breaking the MBR is to redirect the intent of getting to your encrypted passphrase. If your system can't boot, then you won't even get to the ability for them to ask what your encryption password is. Surely, this is obvious.
In UK = Not Good Idea. Failure to disclose an encryption key if requested by UK Police and Customs authorities can be classified as a breach of The Terrorism Act, for which you can be arrested.
Please don't try that in the UK. PC Plod isn't known to be very quick at getting things sorted - a night in the cells me be a callin'.
I was thinking about this, instead of trusting a person / putting them at risk / having to call them to make customs happy, why not just trust an email?
Set up a cron job on a server (home or at work) that you can't access from the outside, but can send email. Set it up to send you an encrypted file via email, and you have to check your email to get the key. Have it set up to send between 5 to 10 hours after you land random hours after you land.
So for example, I set it on one of my servers at work, it emails my work account, which I can access from a web browser if I need or want too over https. Get the file, decrypt it, vola I have my monkey key.
If I want to be more paranoid, I bring a live cd with me to prove see the laptop works, and gives me a way to access my work's web email from my laptop if I don't want to trust a public computer. Or even have the live os boot off a usb key.
The best of worlds would be to do both. Use true-crypt so that the 'visible' machine is uninteresting. Then use Bruce's method to forget the key to the 'interesting' drive. For a quick inspection, you can type in the password to true-crypt to get the uninteresting volume. If they're sharp and ask you if you have any other volumes, now you can say "yes, but I cannot decrypt it"
And the statement is true. You can attempt to claim "get your wife on the phone and tell her to give you the key," but if you've previously instructed her that you would be under duress if such a situation occured and to not give out the key, I suppose the worst thing they can do it file for obstruction of justice.
As an added benefit, you can always have your wife tape the conversation =p
Why don't just put everything in a encrypted micro-sd card. Then, just remove it and hide it. Leave your laptop unrestricted (or give the customs guard access to it), because "sometimes is better to throw a bone to the dogs, so that they leave your back alone". This way he wont think that you have something to hide.
Go to the appropriate website to become a minister and click 'ordain me'. Then tell the customs official that he'll go straight to hell (or the unemployment line) if he violates the priest-penitent privilege.
I'm an attorney and often need to travel with highly sensitive documents. I have no legal right to allow others access to the materials without a court order. In fact, allowing others access to those documents could land me in jail for contempt of court. Border guards can't overrule a federal judge or my ethics requirements. Here's what I do.
I have a second, traveling laptop with no sensitive materials. I burn a DVD (or multiple, one for each location) with a TrueCrypt file containing all the sensitive documents. I ship the DVD to my location ahead of time.
When I'm in the country, I use the DVD, never copying the contents to my computer (to the extent not automatically performed by the OS).
Before I travel to my next location, I snap the DVD into a bunch of pieces, throwing different parts in different trash cans. Border guards are then free to view, copy, etc. my computer at will.
Yes, it means I can't work on the plane. Yes, I could lose my documents and not be able to access them. It's a small price to pay to keep me out of jail.
"Who should you send that random key to?"
Sounds like the same problem Cory Doctorow was trying to address in his Guardian column "When I'm dead, how will my loved ones break my password?"
Get a USB key that has boots and can see you HDD contents. Save your work before entering the the Customs line, boot from the USB key and copy c:\ntldr from your HDD to the key...your laptop will not boot and is "broken". You are under no obligation to tell them you broken it on purpose and that you can fix it easily. After you leave customs, boot from the USB key again and restore.(could be done with a sctipt and could also be done on a Linux/Mac if you use the corresponding files for those OS's) Use something like a Truecrypt container to store sensitive data.
That should work just fine.
"Would customs notice if one or two of the 40 DVDs in your movie folio didn't play, and even had a truecrypt volume on it? "
Can't you make it (partly) playable by prepending a few megabytes of mpeg?
Similar to how you can join gif/jpg and zip together and have both parts working. (Although I figure you really need to cut the mpeg part off to get the truecrypt volume working again)
Put sensitive data on a microSD card. Slit the seam next to your pants fly zipper or fly button and slip it inside. They may ask you to remove your pants but are they going to find a tiny plastic chip inside the already stiff cloth of your stinky groin cloth after 10 hours in flight. Phew. But just in case make it a hidden truecrypt volume and store the random key in a wikipedia page as a comment (as described before here). Make sure you edit the wiki page from a public internet cafe and not your own account. Boy, this is fun.
I'm not impressed with these comments. It doesn't matter what I did or how much trouble I will get into because of the information on my computer. It doesn't matter. It doesn't matter how benign my information is. It doesn't matter.
I do not want these fascists snooping around my stuff. They have no right (I'm not a citizen of their country, or if I was the search would be considered illegal anywhere else in the country). They are not here to snoop in my documents, in my browser history, in my email, in my drawings, in my work, in my employer's work, in my client's work, in my tax return, in my personal software, in ANYTHING.
I refuse to let them have 1 unencrypted bit of this data, because they don't have any right to look. And if they in fact did have a right, I refuse to let them look. I will not be invaded in this way. So lets take their ability to invade my privacy out of their hands.
They have no right. Alternatively I refuse to let them have that right.
So no I'm not being dishonest or violate any of my principles, they will see nothing from me, and they have no business to see it.
There are several ways to encrypt, hide, protect, and obfuscate the sensitive data and divert access to it. Anyone can get in and out of the country with a great probability of not having to disclose their files.
The real issue is that it's absolutely alarming that we even need to worry about things like this in the first place, and the real question is that what can we do about that!
I can't think of many reasons to make any border officials pretend that you could actually cause trouble by carrying a bit stream stored on a hard disk over a border -- in particular, a bit stream that you can easily opt out to carry and, instead, securely download from your server via the internet.
I can't think of many reasons and they veer closer to any conspiracy theory crap than I care to believe in.
My real problem, is that I often travel with several DVD's/TV programs ripped to my hard drive (legal in my country of origin as I own the DVD/TV recorder) for watching on the outward flight.
In the US though where the DMCA is in effect I could be arrested for infringement if customs starts my computer and sees some ripped video.
My solution: My laptop has two memory card slots, One SD and One Compact FLash. I have an 8G CF card and many 2G SD's which normally reside inside my cameras. So before departure I load the video files onto the CF card, inside of a truecrypt volume made to look like a broken camera recording. One of the SD cards contains the portable truecrypt application and both are put in my cameras.
So my laptop is clean, my cameras look fine except for seeming a bit short of space.
It's a shame we all go through airport security as suspects these days.
Would that US policy makers had heeded the pre 9/11 security advice given to them; had they listened, and acted, the world would still have friendlier skies - and friendlier security.
I can't be the only person who avoids travelling to America these days...
Another loud amen to Skorj, Emmanuel Pirsch, Joe Buck, and Basil. Skorj got the key point right up front: "Putting yourself in a situation where local police are holding you while they try to extort something ... is what most people try to *avoid* when traveling"! (And Joe Buck points out the key balance of power, via XKCD.)
Playing on technicalities is not going to help you against a border guard who is authorized and all-too-willing to declare you a criminal on the spot.
AIUI, Truecrypt has duress password capability. So make that point to a nice, clean, normal, utterly unsuspicious partition. When asked the password, enter the duress password. The guard sees something utterly unsuspicious, and you go on your merry way. Direct lying isn't required unless they get very technical.
You could use one of Sun's SunRay boxes. It is a very thin client which has no hard drive and needs a network connection to be of any use. Its memory is volatile. All you need is a network connection and you are back in business. Sun employees use these worldwide. If your flight had WiFi, you could work on the plane too. Sun (and others) just configure them to hit the corporate VPN. No, I don't work for Sun or Oracle either.
Travelling through a customs checkpoint you'll find that if you do anything to annoy or outwit the people checking you then you're either in for a very long wait, a very thorough check, a seized laptop or refused entry. They do not care too much about the rules, it is all about the power and the appearances of power, if you thwart them they will make your life miserable.
Far simpler just to not have the data on the laptop than to come up with all these armchair secret agent techniques.
Your solution sounds entirely too complicated.
I would rather just have two laptops. One that I travel with that is light on information and would be safe to give away or have stolen, and the other which contains secret data that you don't feel comfortable having compromised at the border by unscrupulous border agents.
I've had laptops stolen, searched, etc and I feel more safe having a laptop stolen/searched when I know that there was never anything of value on it to begin with.
I like the encrypted SD card solution, myself.
First, because you can get 16GB cards reasonably inexpensively now. You can have two copies of your data, encrypted and stored in a space with smaller cubic volume than the top joint of your thumb. You can carry it in your phone, your camera, taped to the inside of the battery compartment of your alarm clock, wherever.
You can even follow Bruce's suggestion about key transport to make sure that even if someone *does* find the media, they can't decrypt it, and you don't leave yourself without a terminal :)
If you're carrying a hidden SD card don't you think they are going to confiscate your laptop?
Wipe your memory, leave a trail of clues for yourself. What a great movie plot! Oh, wait. Paycheck, Memento, and Push got there first.
Avoidance of lying is an important goal, and you have suggested simple clean solution for optimizing around that. For practical purposes, some kind of dual boot that avoids questions in the first place has less risk of travel disruption (for your laptop or for you).
I'm using a netbook without a hard drive. I kept the soldered-in flash drive empty and use a permanently inserted SD card instead.
I wonder whether it'd be a solution to swap out the SD to the digicam, then tell (the truth) that the computer is empty?
(follow-up) Anyways, I wonder why normal customs procedure now urges every tourist to literally smuggle their data around customs.
On the other hand, they could demand tolls for carried data by the gigabyte. #hint
I don't understand why a hidden or even just obfuscated encrypted partition is not enough?
I've got a netbook with an encrypted partition. Guard says "Turn ze netbook on, so I can zee all your zecretz!" I dutifully turn it on, it boots up, guard can fiddle around all he likes with the Ubuntu Netbook Remix interface. Anything sensitive is kept on an encrypted partition that you'd have to know where it is to see.
Sure, if he handed it over to the NSA, I'm quite certain they'd find it in short order. They've got clever people there. Border guards are not so savvy. The goal is not to prevent the NSA from being able to crack your machine. The goal is to prevent the NSA from noticing your machine enough to want to crack it.
Here's a scheme that works for some use cases, inspired by 'D's method.
You start of 'at home' (main office, whatever) with a bunch of confidential documents which you want to access and edit during your trip. You copy them to your laptop. During the trip, all edits are saved as diffs to the original files. Before customs, you encrypt the diffs using a key derived from the original files, and then securely delete the originals. Now you can only access your edits when back home and in possession of the originals again.
For a lower level of security, don't bother encrypting the diffs - if the edits are small scale, they'll only be marginally useful. Or encrypt them with a key that you do know, so you can decrypt them if the customs agent gets heavy on you.
Now that I think of it, I prefer an earlier poster's variant on Bruce's method: make a secret key while still at home, copy it to the laptop, delete it before customs. It reduces the chances of a failure due to your key nor reaching its destination.
You can use a hidden encrypted volume and just don't tell the customs agent unless asked. This keeps the 'don't lie' policy intact while minimizing the odds of hassle.
The MBR method can also be a poor-man's hidden volume method. Have a 'real' partition and a 'decoy' partition, and edit the partition table to determine which one the computer uses. (They might be alert to this one though - I wouldn't count on it.)
If the data is important enough to be worth risking interrogation, delay, arrest and blacklisting by antagonizing customs officials, it's important enough to upload to encrypted storage before you leave, deleting the data and online storage software from the laptop, ready for download later.
Why would you risk all this just to save some storage and bandwidth charges and a few minutes of download time and a bit of work time on the plane? Find something non-confidential to read instead.
Since customs may still seize your laptop whatever you do, you are going to need an online storage copy anyway - why not just make that the only copy while you are crossing the border?
I can't think of many cases where one needs to work with so many gigabytes of confidential data that it's infeasible to actually download from online storage, AND one chooses to have the working copy on the laptop hence accepting the possibility of losing access due to arbitrary confiscation when crossing a border.
Surely the better option in that case would be to work with the data on a remote server, rather than on the laptop? It's cheap as chips now to rent a reliable server with lots of storage. Not having the data on the laptop in the first place immediately solves the problems of customs, theft, and re-download time.
Unless you're trekking the Sahara with your laptop, there can't be many cases these days where you need to work with multiple gigabytes of data, yet you can't do it on a remote server.
"I don't understand why a hidden or even just obfuscated encrypted partition is not enough?"
There are lots of ways to fool customs. I am presenting a way to fool customs without lying. Lying to a customs officer is a crime in many countries.
The more I think on this, the more I believe this problem is being looked at the wrong way. Consider the "guard" as a security resource. On his own, he's pretty weak from the larger security perspective. Paid little, dealing with an unsympathetic public, and most of his work is drudgery. Chances are, he has very little training even in what he's supposed to be doing, let alone anything like computer forensics or investigation. If he did, he'd have a better job somewhere else. This is not specific to border guards, but virtuall all guards, from the mall rent-a-cop to the factory night watchman to the airport screener.
The guard's power, as an abstract security resource, is his ability to call in help. When they find something suspicious, they call in support, whether it be local police, INS, FBI, or whatever.
The key to getting past a guard is to not appear suspicious in the first place. If your notebook appears mundane or, at most, novel in an unthreatening way, he'll move on to the next person. It may even be ideal to be running something like Ubuntu Netbook Remix, it's different from his usual Windows understanding, but the interface is straightforward, user-friendly, and unthreatening, but which he will have no knowledge of how to actually poke around properly.
If, on the other hand, your machine boots to the linux console, like that case in Boston where a computer was confiscated as suspicious because it was a "black screen with white font where commands are typed", he'll become suspicious and call in help.
The best way to get past the guard is to not have him call in help. Claiming that you have an encrypted computer that you, yourself, cannot unlock is going to send off all sorts of alarm bells. It's like the case of the Ron Paul Campaign Manager who was detained because he had a ton of cash on him (that were proceeds from a rally). He did everything according to the law, which was proven later in court, but he had to go through an awful lot of trouble in the meantime. You may be telling the truth that you can't unlock it, but the guard isn't going to believe you.
"There are lots of ways to fool customs. I am presenting a way to fool customs without lying. Lying to a customs officer is a crime in many countries."
I don't follow you... where is the lie in having a hidden or obfuscated encrypted partition?
There seems to be a bit of confusion of the two reasons for doing this.
1) You have sensitive/confidential information that you/your employer or similar don't want snooped on. In that case, surely the best scenario is to encrypt that data
2) You, like most of us I imagine, don't believe customs have the right to pry through our personal information. It's much harder to gather all this information together into a single, os separate location/volume and keep it encrypted (at least on windows). This is where I believe Bruce's original post was aimed. However, this does raise the point that by effectively making your computer unusable you attract all the merry attention you wish you didn't have to put up with in the first place (but at least that draft of your novel is safe!)
So a couple of thoughts... It should be *much* easier to gather personal information from consumer os' into a single location and clean it all up, encrypt it.
One possibility is to use a virtual machine as your main personal machine, and keep that on an encrypted volume. Seems a little weird though..
Also Employers could make it corporate policy to keep machines encrypted during travel. Once this is common, you won't attract as much attention.
There should be a P2P-like service that would let you hurl your random key into the "cloud" so you are able to retrieve it only after N time units. Or you'll have to connect from a specific location. But it's getting too complex. I wonder if they can seize memory cards.
How about this solution? It just came to me, so it might be full of holes.
1. Remove all icons from your desktop.
2. Use paint to create an image that looks like a screen with a message like, "Unrecoverable error! Bad boot sector 1." (Or something about the MBR, whatever.)
3. Make that your desktop image.
TruCrypt is your friend (and free). It allows nested encrypted devices, files as volumes, using free space as volumes, all with different keys if you'd like.
So you can use one key to unlock your drive... you will only see your primary volume. You can then mount (manually) your data. Unless you know there is a hidden volume, and know the passwd, it just looks like random bits on free disk space.
You can have a hidden volume encrypted, with a file of random bits on it encrypted as a volume within that, and so on. Without the passwd, there is no evidence that a volume even exists.
@ Michael Seese,
It would be easier and safer to stop the windows part of the OS starting up and run an application that reported that the hard drive had failed.
This would be inline with the way the more popular BIOS's work, and actually belivable in many respects as hard drives have a habit of not traveling well.
Better still if you have a laptop that allows easy access to the hard drive actually disable it in some non obvious maner (ie the power connection).
Every Living Person Has Problems
"Remember that you'll need to have full-disk encryption, using a product such as PGP Disk, TrueCrypt or BitLocker, already installed and enabled to make this work."
I just want to point out that you can get full disk encryption using dm-crypt on Linux, too. You don't have to buy a product or mess with 3rd party tools.
Many commenters seemed to be unaware that you basically have no rights when going through customs. The worst country in the world for entering travelers, AFAIK, is the USA; though I've never tried North Korea and it might possibly be worse.
My personal solution is never to enter the USA carrying confidential data. Ideally, avoid entering the USA at all. I appreciate that this solution may not be easy, either for Bruce or for many of his readers, but I suggest you consider it. Obtaining legal permanent residency, even citizenship, in another country is not impossible.
Assuming that you don't actually need use of the laptop on the return flight, take the hard drive out and mail it home if you're really concerned about the security of your data. It's a federal crime to tamper with the mail, the hard drive probably does not weigh very much, and if you keep differentials of the data on your computer then you probably won't lose any.
Or, since most of the data that someone is likely to have which is sensitive, encrypt it all and put it on a memory stick. Mail that home right before you get on the plane and there's nothing for them to find or search. If you're traveling with a companion who happens to be taking a different flight home, hand them the hard drive or memory stick. They won't have the laptop to read it, and they won't know your key for it either. They have the same plausible deniability but without an actual laptop to confiscate.
Isn't it a heck of a lot easier to just use a smart card?
Mail it home/somewhere safe before you leave (and naturally have it password protected too, just in case).
Having a backup copy and reformatting the one you're carrying works too, even more safely (but at the cost of extra effort).
And, of course, make your primary plan a hidden TrueCrypt partition and not volunteering any information unless asked.
What about just deleting the files in questions and un-deleting them later on?
NB: I obviously don't mean secure deletion here ;-)
Sure, forensic inspections would discover the files but I don't think that they commonly do this at borders, do they?
> > There are lots of ways to fool
> > customs. I am presenting a
> > way to fool customs without
> > lying. Lying to a customs
> > officer is a crime in many countries.
> I don't follow you... where is the
> lie in having a hidden or obfuscated
> encrypted partition?"
Customs officer asks you: "Do you have any hidden or obfuscated or encrypted data on that device?"
"Even if countries like the U.S. and Britain clarify their rules and institute privacy protections, there will always be other countries that will exercise greater latitude with their authority"
Which ones? Frankly, I don´t quite like the "we Anglo-Saxons know and do best" message. Seems to imply that other countries will fare worse than the US/UK in mistreatment of personal rights, which is quite difficult to find right now.
Let´s just acknowledge: US and the UK have just beat East Germany in fields like data and privacy protection, and are quickly moving towards Nazi Germany. The mere fact that a law-abiding citizen has to go to the lengths outlined in this thread just in order to keep his/her personal data safe from the governmente is a strong evidence to it.
And needless to say, this fashion will quickly spread to other countries. Sigh.
> The possibility that US put together massive military
> operation and troops hijack my grandmother from
> her apartement in Helsinki, Finland is how high?
Very small, considering that the Finnish equivalent of Kevin Mitnick has a good probability of getting the key from her without much ado....
And actually, she probably didn't commit the key to memory and it's written down somewhere in the apartment. If I didn't find it on a first surreptitious search, I'd plant hidden cameras everywhere in her apartment and fake an email from you explaining how important the key was --- she's almost certain to go check again that she still has it, revealing its (possibly hidden) location.
All this assumes, of course, that I'm convinced the information the key protects is worth all the work....
Do you realize that we are ALREADY living in an as-real-as-it-gets police state?
Do you realize that it was easier to carry private data around in the good ol' USSR?
Do you realize that living in a police state always involves lying, misdirection, and evasion - just to stay safe from the thugs in uniforms?
Who the muck cares about the laws anymore? There's no more any moral obligation to be decent to the State and its enforcers.
Oh, and the simplest solution to the search-and-seizure problem is not to carry anything physical. Just a password within your cranium - where its existence cannot be seen. You can always get to your data via the Internet. SSH and SSL are widely available, too.
Minor problem -
If you're changing planes, getting off of one and onto another, a laptop that won't work is considered by most security concerns as a bomb.
PS - Anecdote: Back in my days as a Macintosh technician, I got to repair a dead Powerbook that one chap had tried to take through El Al security while dead. Well, eventually they gave up trying to take it apart, and let him keep it, but oh lord it was a wreck when I got it. S.
Haven't you people heard of FTP? Upload the sensitive shit to an ftp shit and wipe from the HD.
This (http://www.debianhelp.org/node/1116) looks pretty cool, though I haven't tried it myself. The idea is to have a linux /boot on an encrypted usb stick. When you boot your laptop with the stick in it asks for your password and then you have access to the encrypted partitions on your laptop. When the usb disk is not in you laptop it boots straight into (unencrypted) vista. Change the background, put some files on the desktop and in "my documents" and you look like a vista user. That way you won't have to convince them that you are not an evil hacker for simply running linux.
Still, when they ask 'do you have an encrypted partition' you'll have to lie I guess. But with this setup they'll probably won't ask right? Just your average vista user.
There are use cases where the person possessing the laptop SHOULD NOT have access to the information on it. I'm thinking bonded courier. Given an item to deliver but who the items owner doesn't want them to be cognizant of.
@Ipod - or a kindle, they're aren't looking now but they will wise up in time
In general customs inspectors are good at looking for small items of value in all the nooks and crannies people have with them. They may be momentarily clueless but I wouldn't bank on that.
Everyone who says use the web (online storage/ftp/whatever) to bypass the human are making a big assumption on their interconnectivity in the foreign land. Countries with an interest in keeping specific information out of their citizens hands are getting sophisticated (Great firewall of China anyone?)
@averros "...ALREADY living in an as-real-as-it-gets police state"
Unless you personally an anarchist, uh, no we're not.
"Who the muck cares about the laws anymore? There's no more any moral obligation"
When people talk like this I assume they make the big exaggeration to excuse their own behavior. I choose the way I act based on my own notions on the rule of law and what's right. I don't (well try not to) allow the mis-behavior of others to be a factor in my actions and choices.
Cool site from your benevolent rulers: http://www.nsa.gov/ia/guidance/...
Just remember to do a chkdsk c: /f /r before switching off the laptop for the last time. Assuming that you boot from c: then chdsk runs at the start of the next reboot.
You can't interrupt it and the customs people will have to wait until it completes. They don't have unlimited time for all passengers and this increases your chances of them not having the time to look in detail at all your data.
You could explain that you were just making sure that your laptop was working OK before travelling and forgot that chkdsk runs upon reboot. Just make sure c: isn't too big or you'll be waiting for hours!
My company has a number of clients who regularly travel internationally for business (which includes financial and security industries) and on behalf of a number of their clients (including the Olympic Committee, religious organisations, governments, etc).
We have developed a simple protocol which involves removing the notebook hard drive, imaging the drive to one of our data centers for access remotely via VPN as a virtual machine, and the drive in the notebook is thus "clean" with no data, and essentially stays that way throughout the trip. The image is re-burned to the hard disk and re-installed upon return.
"Step Five: Before you land, delete the key you normally use. At this point, you will not be able to boot your computer. The only key remaining is the one you forgot in Step Three. There's no need to lie to the customs official; you can even show him a copy of this article if he doesn't believe you."
What do you think the next suggestion of the custom official would be after showing him the article and explaining that you provided your key to a third party due to which you 'cannot provide the key' ?
I really wonder how you think this would help anyone protecting their data from the customs official. After all, you provide information about how to obtain the key, and you inform the official that you are intentionally hiding data from him.
I guess you will either have to provide the key or accept the fact that he will confiscate the equipment even longer for investigation due to your 'suspicious' behaviour.
Ensuring that your encrypted data is stored in a hidden partition will be far more effective, as that way the customs official will not know that there is anything to be found, and there is no reason to suspect you.
"Step Six: When you're safely through customs, get that random key back from your confidant, boot your computer and re-add the key you normally use to access your hard drive."
I don't think step six is realistic, as step five will most probably result in the confiscation of your equipment, due to which you no longer have your computer with you when you're through the customs. Even if you still have your computer with you, it is quite possible that step five will cost you a lot of time, due to your behaviour, and the reaction of the customs official.
"Still, when they ask 'do you have an encrypted partition' you'll have to lie I guess. "
Don't lie. Just ask the custom official to explain you what the heck a partition is and play dumb. Many people don't understand these technical terms ? ;)
I think for MOST people, the "download the data later" policy is best. If there are things I want to work on on the airplane, so be it. I bring those on my hard drive. However, what I do not have is ALL of my data. That is left safely encrypted elsewhere, and does not cross the border on my laptop. Thus, if the laptop is lost, stolen, or impounded by government officials, at worst I have lost only the data I am actively working on, not my entire corporate repository.
How many GBs of data are you actually needing instant access to?
I live in Sweden and our constitutional rights have recently been raped by our government again.
On top of this GB, France and USA are lobbying our government to introduce more and more online and offline surveillance and data mining, driving us into integrity darkness.
I am now forced to tunnel everything possible thrue VPN/SSL tunnels and I would do the same in this case.
If I don't have the need of running complex programs during the trip I would bring a laptop without a harddisk drive, boot of a BartPE live CD and tunnel all outgoing and incomming traffic to a server at home or at work. The files I need are stored there and if I have the need to surf the Internet I can do that by tunneling RDP to my server.
If asked why I bring a laptop that "can't be used", I would simply tell them the truth.
Come on folks ...
remember the goal
(arrive, with laptop, no lost data)
remember who you're dealing with
- They expect bootable, make it bootable
(shove in a liveCD, boot flash, whatever)
- They want to look, let them look
- If you think you're being targeted, do what Bruce says
- If you are a normal goof butt, then use a Trucrypt hidden volume, or flat-file encrypted "partition" (pgp disk, trucrypt)
- If you are really concerned, then encrypt your data + plop it in the cloud (s3, dropbox, etc.) and pull down when remote.
If you're changing planes, it's only an issue if you have to go through a security checkpoint again. In most terminals, once you pass through customs, you're still inside the same terminal and thus do not have to go through security again.
I've been through a few smaller airports where they have a second security scan at the gate, but very few.
As for turning on a laptop, I haven't been asked to turn one on in about 10 years, I think the scanning technology has gotten good enough that there's no need to power it up.
"They expect bootable, make it bootable"
That's exactly my point of wiping the MBR. It's no longer bootable. Now, the goal has changed. The goal is no longer to snoop for your data. The goal is now to see that your computer powers on, and is in fact not a bomb. If they want to still image your disk, let them. It's encrypted, remember. And when you've left, no data has been compromised, and you can restore bootable operation.
Your laptop will not be taken, no data has been compromised, and you've beaten the system. You're not lying telling them your computer won't boot or is broken. Powering on the system will verify this.
You forgot the part where send half of the random key to two trusted/priviledged individuals, after encrypting it w/ the Solitare cipher. :)
How about having a dual boot with a really quick bootup sequence and going into a sandbox with data and files you don't care about? When you need to get your stuff just edit your bios or disk boot order or press a hotkey.
In the US, this won't matter whether you know the key, your spouse knows the key, or your priest knows the key. The courts have ruled that it isn't a violation of your 5th amendment rights to compel a suspect into decrypting the data on their hard drive so long as there is suspicion of illegal content on it as they did with the kiddy porn guy a while back. The privileged relationship between spouses presumably would not hold up in this case either - while they couldn't compel your spouse or lawyer to testify against you, they could be compelled to decrypt your drive.
I believe the key in the case was that the border patrol guard had witnessed illegal content in the first place. Without reasonable suspicion (beyond simply saying you can't see my data) I doubt that a court would compel disclosure at this time, but you might find yourself on a no fly list or with your passport magically revoked.
I know I'm late to the conversation, but a few thoughts:
If you're worried about your laptop getting searched because you have illegal information, just don't have illegal information. Fairly simple. I don't know why people think that they have a right to violate the laws of a country that they are going into just because they want to.
If you're worried about getting searched because you want privacy, or you have commercially sensitive business information, are carrying Personally Identifiable Information of third parties for your job, etc. my plan would be:
a. Structure your disk into 2 partitions, one for the OS, and one for data (including swap, /etc, /var, /home, etc. for those of you on Linux). Encrypt the data partition.
b. If requested to decrypt it, explain to the nice man as politely as possible that you are not authorized to disclose any of that information to them therefore you can't disclose to them the decryption key.
c. If they insist, politely explain that they should feel free to take an image of the disk and subpoena your company for the decryption key.
Believe me, customs agents understand bureaucracy and would not likely think you are evil just because you aren't free to disclose the key, especially if you give them an out.
oh, and d. If they physically abuse you, tell them the $^#$#@ key.
With this scheme you are not technically lying, perhaps, but you have obviously actively contrived to hide materials in which the border has an interest. That is hardly going to be treated differently by law enforcement (or by anyone, actually, concerned with practical ramifications of your actions). Can I rob a bank, give the stolen money to a trusted recipient to hide, and then expect the police to forget about the money when I (truthfully) claim that I don't know where it is?
"You forgot the part where send half of the random key to two trusted/priviledged individuals, after encrypting it w/ the Solitare cipher. :)"
You have almost but not quite hit on the solution I sugested on a blog (it might be Bruce's but cannot find it at the mo).
If you used shared secrets you have deniability.
Let us say you have five friends in five different countries (but not all EU due to EU arrest warrant)
That do not know each other...
If you use a three or higher of five sharing system then you can disclose the any two of the names.
Even if they are unscruplesly honest and send the two pieces to the authorities it still does no good.
As you know only the full set of people then as they don't know each other then tying up by the authorities will be hard. You can say to the judge that you have no idea if they are being honest or dishonest as you used (the system you have said).
There is another way some systems force you to have multiple containers within your encrypted partition they also force you to have several passwords...
You can encrypte the "public stuff" under key A and the confidential stuf under key B.
Secret share both keys to your friends and have a code word for Key A or Key B. You can call KeyA your duress key and keyB the full key. If you or others do not give the correct code word then your friend sends the duress key to you...
No doubt others can think up other systems but hey don't tell with your own name less you have a liking for flashlights/tourches black rubber gloves and rubber hose pipes and all those other fun toys of mass detesticaling ;)
How about the same random keymashing password that you honestly won't know but using a really weak encryption scheme that you can crack later?
"If you're worried about your laptop getting searched because you have illegal information, just don't have illegal information. Fairly simple. I don't know why people think that they have a right to violate the laws of a country that they are going into just because they want to."
This is the "If you haven't done anything wrong, you have nothing to hide" fallacy. How do you even know what is "illegal information" in your destination country, and what isn't? Hope you don't keep any porn on your computer, because the U.S. working definition of obscenity seems to be, "the judge knows it when he sees it".
I also agree with the above posters that Bruce's scheme, while interesting from the point of view that you can not be compelled to decrypt the data and you can tell the customs officers the truth about it, is not likely to be very successful in practice. They will confiscate the laptop, possibly arrest you and add you to every "secret" list of "almost-terrorists" to discriminate against later (No-fly or SSSS screening, extra customs checks, whatever).
Border and customs agents of most nations can also turn you around deny you entry *for any reason whatsoever*. Even if there is no specific rule you are breaking, they can easily stretch one to make it fit. Remember, in a border crossing, they have all the power -- the power to interrupt your travel, to make your life in the future miserable, to confiscate your equipment and waste a bunch of your time and money.
The only winning move, is not to play. I would wipe and reinstall the laptop before the trip, and specifically copy only the non-sensitive data that you need to take with you and are willing to have poked through. Maybe use full-disk encryption (to protect the data if the laptop is lost or stolen), but if they ask you to boot the laptop and then type in the password, don't hesitate, just do what they tell you.
Then if you *really* need to bring data with you that you don't want them poking through, put it in an encrypted container on an SD card in your camera disguised as a movie file (or whatever), and if you feel it is necessary, use Bruce-like techniques to ensure that you don't have the key to decrypt it while passing through customs. But obfuscate that data so they won't even know it exists, won't even know to ask you about it, etc. If they ask if you have any "encrypted partitions" or "hidden partitions" you can truthfully say no. Steganography for the win.
Avoiding lying to the border guards is a commendable goal, but not realistic. If they decide that you are a bad guy, they can make things real bad for you even if they can't pin an actual "crime" on you. The real goal should be, getting through customs without getting hassled too much and without your data being compromised. You then go on your merry way and the customs guys are none the wiser.
Even if your real goal is ideological (you want to oppose the encroaching police-state), it seems very unwise to pick a situation where the power is wildly swayed to their side (like when being searched by a customs officer while trying to gain entry to the country) and stand up and proclaim yourself to them as a target.
> This is the "If you haven't done anything wrong, you have nothing to hide" fallacy. How do you even know what is "illegal information" in your destination country, and what isn't? Hope you don't keep any porn on your computer, because the U.S. working definition of obscenity seems to be, "the judge knows it when he sees it".
Actually, no, it's not. It's a reminder to adjust the security to the threat. If the threat is jail time if the authorities find the content on the computer, then just don't have the content on the computer.
If its valuable commercial data, there are other options available.
Originally posted here 08 JUL in reference to Homeland Security, imagine if this is what a U.S. citizen on "homeland soil" with all of his "papers in order" went through, what a border crossing with either the U.S. Border Patrol/Customs or another country could be like:
one could encrypt some files and store them on an SD chip in a camera (that has a few pictures on it)
no camera that i know will show that there's a file (unknown filtype), and if customs wants to see some pics - no problem
PS a nice feature would be a camera that does encryption by itself, so noone but the owner could use the pics (e.g. lost/stolen/'law-enforced' camera)
guess moo had the same idea (written down) earlier!
my read-before-write error
politicians don't lie they just aren't totally candid.
You will not get safely through customs, you'll end up on a secret list and get hassled every single time you travel for the rest of your life. As the database you're in ages (and people begin to forget how it was created), you might be simply barred entry into places you want to go.
That's already happening isn't it?
I just wanted to say I think the idea behind the list is elegant: don't send the key with the lock!
We have seen an ongoing debate in the US and UK about whether the state can require people to divulge their private keys and, if so, what can be done to people who refuse to comply. This list nicely illustrates that if people are able to prepare then there is no reason why they would have their private keys. I was sad to see so many people miss this point and so I wanted to stress Paeniteo's nicely worded dilemma:
Customs: "Do you have any hidden or obfuscated or encrypted data on that device?"
Many have suggested:
Step 1. Don't travel with your data. Put your encrypted data into the cloud, download it when you reach your destination.
May I suggest taking this one step further:
Step 2. Don't travel with your laptop either. Leave it home. So when you go through customs, there's no laptop at all to raise alarms. When you reach your destination, buy a netbook (cheap nowadays), download your data, do your work. When it's time to return home, re-encrypt and re-upload your data into the cloud. Ship the netbook home separately (who cares if it takes a couple weeks). Later, sell the netbook on eBay :-), give it to a deserving individual, or donate it to a charity.
What about doing work on the plane? Just say no. Use the time to sleep, to read a *real* book, to get acquainted with your seatmates, to write with pen and ink in your offline journal.
Obviously, this scheme won't work if netbooks and Internet connections are not readily available at your destination. But I sense a business opportunity here. Imagine a kiosk in the airport, safely past customs and security, where you pay a deposit and pick up a netbook or laptop. When you go through the airport on the way home, you turn in the computer and get your deposit back, minus a rental fee. The company could even provide the encrypted cloud storage: you upload your data before you leave, they download it for you and load it into the computer you will pick up at the kiosk, all ready to decrypt.
Look for my new service to launch as soon as I get some venture funding.
My solution is to use OS X's user directory encryption to encrypt my actual home directory, create a dummy user, and then set up the system to boot into that dummy user, skipping the login screen. You can create some dummy data for that fake user to make it look convincing. If the notice the other user, you can lie, or tell them to get bent and head to a friendlier country.
Ponders adding one more step to the ideas above...
So a VPN/SSH/etc isn't a good solution due to very large amounts of data and/or low speed internet connectivity.
Bundle your files up, TrueCrypt 'em, use split to break them up, and give one of the split files to your privileged co-conspirator, with a "Do Not Deliver Before" email from your desktop PC's Outlook, mail it to your hotel, etc.
Now it's not a matter of plausible deniability -- you honestly don't have all the parts to make an decryptable volume. You have 90% or 99% but you don't have everything even if you have the password and the keyfile.
On my XP laptop I just did this quick test:
Create TrueCrypt Volume called test_truecrypt_split and put some files in it. (10MB)
In UWin korn shell I ran "split -b 1048576 test_truecrypt_split"
That created files xaa -- xaj
uploaded xaa via ssh to a linux box.
In UWin I ran "cat xa* >> test_truecrypt_split "
Mounted it with TrueCrypt, opened my test files :)
It doesn't solve how you work on the files on the airplane, but it does mean you can carry 99% of the file with you and only need to obtain the other 1% once on location.
Take appropriate precautions like using sdelete to securely delete the original truecrypt partition and the filepart you uploaded, I'm pretty sure even the NSA would be challenged to try an recreate the data with just the laptop alone.
"There are lots of ways to fool customs. I am presenting a way to fool customs without lying. Lying to a customs officer is a crime in many countries. -- Bruce"
Unless you are living a life where you absolutely, unequivocally and consistently don't lie on any matter ever, this is a fictitious and self-imposed problem.
As Greg House says, "everybody lies".
Lying can be a crime at customs only if it is practically provable that you lied.
Imposing on yourself the obligation not to lie to the minimum-wage jerkoff power-seekers who populate TSA drone slots, is excessively onerous. It is like insisting that one self-perform a lobotomy in order to see the world through the eyes of an American.
Multiple hidden volumes, VMs within the hidden volumes, steganography... and multiple different encryption algorithms... you can do the whole lot from scratch in two hours and send the keys as one continuous textstream to alt.anonymous.messages (there should be about 15 keys, all told). All you need to remember is the time, date, and title of your post.
If one of the entry droids says "Do you have any encrypted data on your PC", simply say "Nope... keep it if you want."
And of course, use the words "Meet me at midnight and I will give you the plans for the atomic missiles" in all e-mails, and append a random string of gentext... just to give the NSA another piece of useless traffic on which to waste resources.
And if anyone else says "You ought to obey the laws of such-and-so a country" I will scream. "Laws" are the collected thinking of a bunch of self-interested career parasites who ought to be killed to a man, and I never agreed to be bound by any of it.
No-fly list member (why the truck would I want to visit the USSA anyhow?)
On "You ought to obey the laws of such-and-so a country": that is impossible, because you don't know what they are. You don't even know all the laws of the jurisdiction where you live. Try this experiment: ask a qualified lawyer, who lives in your jurisdiction, HOW MANY laws there are in that jurisdiction. The lawyer, if truthful, will reply that he/she doesn't know.
You ought to avoid harming your fellow humans, and avoid annoying them as far as practicable. It's prudent to stay out of the way of law enforcement, anywhere - but there's no "ought" about that.
Man you guys make your lives miserable.
Back up everything to Carbonite and the only thing left on your computer would be the operating system and a letter to Mom. when you get to your location download what you need.
Simple easy non threatening.
@Ward S. Denker
The problem with removing your disk or using a USB stick and giving it to a friend/colleague on a different flight is that you potentially give them a lot of hassle. It starts when they check-in and are asked "And has anybody given you anything to carry on the flight for them?"
Wouldn't this put you at risk of violating the RIPA law in the UK?
Any Lawyers here - does part 53 (4) (a) of the act provide a suitable defence to this? (The act can be read here: http://www.opsi.gov.uk/acts/acts2000/...
Wiping all other keys is excessive. You can have a recovery key in a not too easy to get to location at home. Example: A bank vault. I had a locker in a bank vault for some years (surprisingly cheap!) that I used to store backups. To get at it I had to show up in person, show ID and have the second key (the first one is with the bank). Basically only you can access this locker, and only in person, unless a local judge signs a warrant. This may still leave you with a brick for the remainder of your travels, but afterwards you can recover.
Incidentially, to retain some computer capabilities, I would put the encryption on an USB stick and work on it, using a clean base system. (Keep that handy, I have one on a spare laptop disk for traveling.) At least under Linux without swap or with encrypted swap, the system will not let your data lay around in random locations. This may be an issue with Windows or a Mac though.
And last, depending on target country, it is allways a solution to not have data too sensitive with you. You can then cave in and open the encryption if they find the encrypted/hidden/stegoed/whatever data. Of course thay may still believe you were the test run for dangerous data smuggeling and keep you. Best to not go to such countries with something to hide in the first place. Incidentially that is whay less and less people want to travel to the US.
Giving the password to a trusted person doesn't change the problem, you have a mean to obtain the key, it's your obligation to get it, not theirs.
If you explicitely told that trusted person to not reveal you your own password before a certain "event" (i.e: posting a message on a certain board, in which case you have the "key" again) you could be certain you'll not get past the border, and could possibly be viewed as a way to thwart legal searches (which I think is a felony in some countries).
Then I suppose they can retain you or your laptop until you give them the password and maybe, even get you in court to force you to get the key back.
@Alex: "part 53 (4) (a) "
IANAL and I not from the UK but part 53 subsection (2) seems to deal with the four conditions that must all be met for the government to require someone to disclose their key. Pay close attention to the consequent of 53 (2):
"the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information."
"person with permission" seems to be some government agent.
"Impose a disclosure requirement" is the tool this law empowers government agents to use to require people to give up their keys.
But government agents are only allowed to use their disclosure tool on "the person whom he believes to have possession of the key." So if you have followed the list then you will not be in possession of the key as you pass through customs and so you cannot be compelled to disclose it in customs. It also sounds like once you have taken possession of the key after you are through customs you can be compelled to disclose it.
It also sounds like once you have taken possession of the key after you are through customs you can be compelled to disclose it.
I am also not a lawyer. But it sounds like the solution to that is fairly simple, although annoying....
1. If the authorities have stated you must give them the key when you get it, then simply don't get the key. You don't have, you're not required to give them what you don't have. This also means you effectively have a brick that's shaped like a computer. Just another cost of doing business.
2. If you fear that the authorities will ask you for your key at some point in the future while you're still in the country, but you're currently not under the obligation to give them the key immediately upon receipt, then call your friend and boot your computer typing in the key during the boot process. Don't bother to recreate your easy to remember account and most certaintly don't write down the key. Use the computer and when you're done, do a shutdown. Every time you boot while in the potentially hostile country, you need to call your friend to get the key. I hope your friend is a close one, since this would be more than a tad annoying...
"My solution is to use OS X's user directory"
Reminded me of colon files on NTFS
When Apple designed their file system they alowed for files to be grouped under a single name and icon (the reason is both unimportant and dull).
However MS did their own version of this under NTFS.
Now the old grey cells have whiskers on them these days but if I remember correctly you could say,
To create a file and
To create a shadow file which does not show up in the directory.
Now being a beliver in telling the truth just as much as I can (even when lying it saves a lot of hassle remembering fake things ;) I prefer plausable deniability over encryption and such like.
Shadow files is something that is so arkane you could put them in the registry tree structure and they probably would not draw attention to anybody but the most knowlegable of people especialy if you used MS's rot13 spec.
Interesting that you would reveal in a public forum your intent and methodology. Rat bastard gov't agents never read this stuff. Idiots.
We take now our throw away computer to the airport, you know electronic trash or even a monitor.
If the TSA agent tells you he has to destroy this, we nod cheerfully.
Also put always a bag with shit in your luggage - so much fun.
We can now rent computers everywhere and work with encrypted application through a web connection whenever necessary. Why bother and carry heavy machines.
Don't take you fancy I-phone on a plane the TSA people might steal it - buy a disposable phone.
Here's a solution, take out the drive out of your laptop and replace it with a clean install of Windows with nothing on it, keep the other drive hidden. Problem solved, customs doesn't even bother to search external drives. They'll turn on your laptop and see there's nothing on it and let you go. Of course encrypt your external drive as well (keep it hidden as well). Then when you need it, replace drive in laptop and you're good to go again.
Or you can fedex/ups/dhl your drive to yourself, to the location you're going to stay, same deal.
I always thought that a good feature that Truecrypt should add to their bootloader is that if the computer is started without a certain key held down, it simply blue-screens. Fairly easy to make the claim that something is broken with it.
Why would you risk all this just to save some storage and bandwidth charges and a few minutes of download time and a bit of work time on the plane?
I forgot to mention. My method is also created with one further requirement. The court orders I have to deal with do not allow the confidential documents to exist on a networked machine. No VPN, FTP, etc. for me.
"bootloader is that if the computer is started without a certain key held down, it simply blue-screens. Fairly easy to make the claim that something is broken with it."
Not a good idea.
I'll explain why because it is important that people realise that technical solutions that are not explicitly part of the native OS instalation are an admission of guilt as far as Governmet Security Personel and often the Courts are concerned.
What you need to do is forget the logic of technical arguments that's "left brain" thinking most people (about 80%) are "right brain" thinkers, and work on emotional communications and hind/monkey brain responses. If you do somthing technicaly clever, to them it is akin to magic which is sinister (yup it means left handed) thinking. They will immediatly treat it and you with deep suscpicion and forget your "inocent untill proven guilty" it's mob rule / herd mentality thinking you are dealing with. This not the adroit (means right) way of going about it, infact it is very gouch (means left) and cack handed (also means left handed). Less than two hundred years ago we where still having Witch trials (welcome to the historical town of Salem) our current "war on terror" has simply awakened this primitive fear of the unknown and shattered that thin and brittle venear of "justice" from society.
If you are lucky enough to get as far as a court you will be faced with accusations of being a terrorist or peodophile or both or worse simply because you are trying to protect your rights.
This is against burecrats who are not just herd mentality right brain thinkers they are also usually under the paternalistic alusion that they and only they know what is right for society, and therfore any chalenge to their authority is actually terrorism. They also invariably have political positions to defend and you are trying to make them look stupid, you must therefor be eliminated at all costs.
You might not like the picture I have painted above but you can by examining the actions of various government personel etc see it's brush strokes.
Now the safest thing to do is not just appear inocent but be inocent and not carry anything that can be searched.
If you need to carry something that can be searched then again be inocent and ensure there is nothing on nor has there ever been anything (due to flash memory problems) on those devices.
If you must carry stuff on your devices that is sensitive then hide it in plain sight and have plausable deniability, that is use only what is available to you from the instalation of the OS or other wellknown and apparently inocent software such as Norton Utilities MS Office or MS Network administration packages. Ensure that the organisation you work for has very clear well defined rules for carrying sensitive or confidential information and ensure you have an email or memo from your boss reminding you of just how important to the companies latest R&D / Marketing / etc it is. Not just on the machine but printed out in the papers in you brief case, have scribled on it little note about need to speak to XXXX (a senior tech suport bod) about this also the numbers and names of the legal/compliance and other officers written down on it.
Also it helps to have "step by step" notes about how to apparently undo it on a postit note stuck "accidently" on the back of another document you are after all an "inocent" acting on instructions from your company which are "new and unknown" to you and you are "technicaly barely literate" and "do not have a clue" as to what it is all about.
Remember shat US Compliance laws are your friend in these circumstances and as they are a requirment not just for US entities but entities seeking to do business with US entities then compliance to them by "best practice" is to be expected. The fact that you organisation have gone slightly overboard on trying to comply is to be commended as is the fact that you are following the rules of your employment as best you can.
Finaly if you must carry illegal or moraly questionable data as far as the authorities of the country you are going to of whatever form in or out of the country (I'm assuming that you might be a journo or human rights bod) then by all means use some of the covert methods described by others, but alway always remember that you are going to have to have suitable "cover" at many levels so again hide stuff in plain sight or in a belivable manner.
That is keep the amount of data as small as possible in as simple a format as possible, so that it will zip up to a small file. Then use a mind numingly simple long pass phrase XOR encryption to obsficate it from simple automatic search and then use stego (you can download off the internet) to hide it in "confidential business documents" that your boss has just given you as the "latest confidential quote/etc version" to be given to the customer. And ensure it has the right metadata (file dates etc) and been put through the previous "compliance" process. Make sure that you do have a business meeting etc setup and again have it printed out with contact details etc. If your data does get found and unraveled you are simply just an inocent who others are using as a "mule"
But remember one important fact - all hidden data has a foot print, not just currently but in earlier forms, and most OS's spray these footprints as fragments and odd structure around a file system. It is these tiny little footprints that give the game away as does your odd "hinky" behaviour (if you look guilty or shifty to a right brain thinker then you are...). Left brain thinkers always look odd or "geeky" simply because they have the low level traits of ASD, technicaly adept people are usually left brain thinkers so take that into account if you have to have a cover story (engineers and accountants can usually be spotted at 100 paces simply by the way they dress behave and carry themselves)
Remember Bruce has a very acceptable cover story he is a well known and well recognised security consultant AES and SHA3 entrant with a business that deals with the illegal activities of others. Therfore it is not unexpected that he will have very very large amounts of highly confidential if not legaly privalaged possibly "illegal" information on his system that he may be forensicaly examining for a confidential client or as reasurch material as a security journo and author. Conceviably he could actually be testing the security procedures in place...
Although not quite as good as Diplomatic Immunity it gets very close.
The rest of us are nowhere near as in such a fortunate position so we need to temper what we do within our capabilities.
Just one thing to remember,
In the human condition there is no such thing as truth or falsehood just perception and delusion.
You can with a little thought lie by telling the truth it's what a good con artist etc does. You use selected truth to shift the other persons perception and thereby make them effectivly delusional.
Likewise you can give the air of innocence by answering a question with a question such as,
Alice : Bob did you take my lunch?
Bob : Alice you know I have my own lunch what on earth makes you think I would want your lunch? (Small reflective pause) Is there anybody who has forgoten theirs or might have mistaken yours for theirs?
Bob is radiating inocence and helpfulness to Alice who is likley to delude herself that he has told her he has not taken her lunch...
If an independent third part reviews what you have said as a transcript etc there is nothing their but the truth, each statment (actually question) stands and it is only the agrigate that lies.
It is like elegance, a person dresses in a particular way and uses appropriate accessories etc. No one item is in it's self elegant or not elegant, likewise all the items in agrigate can be elegant or not simply by the way you arange and present them.
As the late Douglas Adams so elegantly put it
"Time is an illusion, lunch time doubly so".
Steganography is definitely the way to go. I don't trust the cloud; Murphy clearly states that it will go away just when you need it most. Anything that tells the screener you're encrypting data is instant trouble. Therefore commercial products such as TruCrypt, even though they keep the existence of an inner hidden (and encrypted) drive uncertain, don't fit the bill, as they invite scrutiny and a pissing match ("We know you've got another hidden volume in there. Give us the key or we'll make you sorry, and we'll STILL get the key.").
The best bet would be to use an obscure program that the guards would be unlikely to have on their list.
As for not lying, I would suggest that it is perfectly moral to lie to thugs who are intent upon intruding into your personal life.
@ I don't consent
What you've done is effectively create a shared-key system. They can't decrypt without your key, and you can't decrypt without theirs. You have to cooperate to get the data.
The simple version of my earlier post: setup encrypted linux next to vista (we all pay the microsoft tax on laptops). On the plane you can work in your encrypted linux. When you are about to land, change the grub menu to boot vista default and set timeout to 0, thus skipping the whole grub screen. This way you can show customs a functional vista system without anything as obviously evil as truecrypt even installed on vista. And when they ask if you have any encrypted stuf: Say that you have to give a password to view msn logs, is that what they are talking about?
"The oft-forgotten security factor (like what-you-know, what-you-have, who-you-are) is where-you-are. You could have a device, or your computer if it contains a GPS system, that won't unlock unless it's in a certain location."
That really makes no sense. There several different things you could be thinking, none of which make any sense.
For example, you might be thinking that the location could be kept secret and so nobody would know where to take it to unlock it. But in that case, it's just a password. You don't need a GPS to have a password.
Or you might be thinking that they might know the location but, say, Dutch authorities won't go to the trouble of going to, say, your house in the United States. But they don't actually have to go there. They simply have to intercept the output of your GPS device and replace the signal with the coordinates of the house.
Or you might be thinking there might be some kind of tamperproof vault that unlocks only from an off-the-air GPS signal. But an off-the-air GPS signal can also be fairly easily faked -- in fact, I used equipment to do just that many years ago to Y2K and GPS week rollover qualify various GPS devices. Also, at the point, a simple security token is just as good a tamperproof way to hold a key.
The fundamental flaw though, is this -- all the GPS device can do is basically say yes or no. The device the GPS talks to has to be able to let you in when it gets a "yes" signal. So the capability to breach your security has to already be there, making this scheme a non-starter unless the location is a secret, in which case it's just a password.
I have to say, there are some remarkably naïve views being expressed here.
The people checking your laptop on the way into a country are not "border guards". Border guards are a military or paramilitary force designed to stop hostile forces sneaking across your frontiers. The closest you to have to that in the US are the Texas Rangers. We are also not talking about security screeners, such as (in the US) the TSA, who check you on the way out (mainly to make sure you aren't going to hijack or blow up a plane.) The people checking your laptop on the way in are Customs officers.
The precise powers, training and wages of Customs officers of course vary considerably from place to place but in general they have much better training, much greater legal powers, and much higher pay than security screeners. They have all this largely, although not entirely, because they spend every day on the job contending with an opponent who is much more resourceful, much more practised, much more ruthless, and frankly much better funded, than anyone on this blog: the drug syndicates.
I am personally acquainted with a former Customs officer from my own country (not the US.) At uni he did classical history, Latin and languages -- was able to speak several of the most common languages coming through that terminal. Being a right-brain kind of guy he was quite good at speaking in such a way it put innocent people at ease whilst upsetting those who were hiding something, but he was no computer whiz -- although he was passably familiar with Linux and had done a little PHP. The computer gurus were down the hall in the support centre, along with the expert document examiners, mass spectrometers, x-ray crystallography equipment, electron microscopes and so forth (actually I can't recall the exact list of analytical equipment, but it was impressive.)
Many of the tricks suggested on this blog so far would:
a) have a fair chance of being detected, lets say 15% for the sake of argument;
b) if detected, it is a practical certainty that within minutes they will work out exactly what you did;
c) at that point, it is quite likely that you will have already singled yourself out for a thorough physical search, which is unpleasant, and *will* discover your hidden SD card. Whether or not that occurs, if you do not choose to play ball at that point (i.e. reveal the contents of your laptop), there is a significant likelihood that at a minimum, your visa will be cancelled, your passport marked with derogatory information, and you will be immediately deported at your own expense. The laptop may or may not be seized as evidence.
d) If you lied to the Customs officers earlier in the process, in some countries that is sufficient for an immediate criminal charge.
As Columbo put it, they'll beat you at this game not because they're necessarily smarter than you, but because they do this for living, and you're an amateur.
Then there's option B: just don't take highly sensitive information across international borders in your laptop.
We wrote a very clear company policy on it and put it on our intranet. My understand is that US border guards cannot compel you to produce the key.
Laptops must be protected with passwords. All sensitive information on laptops should be encrypted via a robust mechanism.
Do not allow unauthorized persons to access, use or borrow your laptop. Do not provide passwords or decryption keys to third parties.
Travel creates a high risk of theft for laptop users. Foreign travels adds the risk of laptop seizure by government officials when crossing a border. Where possible, do not carry confidential business material on laptops while traveling, especially when traveling overseas. If the laptop is seized or stolen, you should be able to clearly demonstrate that none of the data will be compromised by a third party. Our corporate policy is not to permit any third party (including government officials) access to a company laptop unless a valid search warrant is presented from a US court with jurisdiction. Refer all such requests to company legal counsel.
@Logic: My understanding is that US border guards cannot compel you to produce the key.
I think you are really naive about what US borders guards - any the myriad of 3 letter services - are ready to do with you without warrant or – for that matter- any king of legal supervision. They just have to use the word "terrorist" and they can pretty much send you to Guantanamo or even worse have you tortured in some "friendly" country. In this day and age I would really avoid entering the US border with anything that might remotely look suspicious... You might be a little more lucky if you are an US national but even that is no anymore a sure pass.
1. Your main OS that boots without any passwords is a shell designed to be seen by customs officials. There is nothing interesting of note.
2. Use TrueCrypt to protect all of the data you want to protect, posing as one or more unplayable movie files.
--uh oh, alert customs official asks you about hidden data--the law compels you to answer honestly--
3. You have used TrueCrypt to configure a duress password that opens up a believable yet utterly innocuous bunch of documents. (Note - do not make duress password insulting to border guard, and make it fairly crackable. Remember, you would not mind being perceived as being somewhat of a dolt by Border Guard.)
4. You do not know your real TrueCrypt password. You generated it randomly, steganographically encoded it into one (or more) of a bunch of fun pictures of your Big Trip Abroad, and sent those pictures (via SSH, say) to your spouse / lawyer / priest / etc to show them what a great time you're having in Oppressive Regime-land, destroying the randomly generated key shortly thereafter. (Note - do not steganographically hide the key in innappropriate pictures of children, especially if you decide to take these images with you through security instead of sending via email. This is what is generally referred to in the security industry as A Bad Move. :-] If you do take pics with key steganographically hidden thru security, leave these images on the card in your camera, do not transfer to computer.)
5. Get to the other side, ask the privileged party to send the images back to you (or obtain the needed images from the innocent-looking image(s) in your camera), you extract your key, decrypt your sensitive content.
This is maximum protection possible. It hides the fact that you're hiding information from the officials. If they figure it out, it provides them a satisfying experience of forcing you to decrypt something and show them the resulting innocuous data (using the duress password, of course). If they somehow know to persist beyond that, then Schneier's approach in the article kicks in--you don't have the info necessary to decrypt the truly sensitive data, so you can honestly say so...with one extra benefit, though: the privileged party you sent the images to don't know which images contain the key (or even *that* one or more of them contain a key) and may honestly say they don't know where it is, how to obtain it, or if they even have it.
@jeff: "don't bring illegal data"
This may look sensibly; but the scary part is this:
1. You may not know what's illegal in your country of destination. Things perfectly legal in your country (audio/video recorded from publicly broadcasting media or backup copies of software in some countries are legal) or presumably innocent (like a family photo of your not-properly-dressed kids playing in the pool in your backyard) may land you in serious trouble if you happen to travel to a wrong destination and your device got searched. Use, or even mere posession of some kinds of software (of which you may even not know that have some "illegal" functionality) may also be a real pain.
2. Even if you took large efforts to learn the laws of the place you're going to travel to, how could you make sure that no tiny bit of information on your hard drive appears "illegal"? Are you sure you've securely deleted all such information? Are you sure parts of such information do not lie in all obscure places your OS of choice might have put them into?
Nothing short of securily wiping all the drives and installing a fresh OS would withstand thorough investigation if you were unlucky to be singled out. And even if you install fresh OS, be sure to shove in appropriate quantity of "innocent" files, cookies, browser history, audit logs, shreds of old files in the free space etc. Having crystal-clean laptop makes you suspicious as well.
Or better don't bring a laptop if you can help it or afford buying/renting one at your destination. If you travel for leisure, it may even be healthy to have a break from all this computer stuff :-)
If you are an employee forced to take a laptop with you just play dumb and point to your company's policy nicely printed with Big Bosses' signatures on it. If the picky officer sends you home you're not going to loose *your* money anyway... the company would have to bite it.
If you are the company (self-employed), just refuse doing business over the problematic borders in person - or else try keeping your rates high enough to cover seizures of your equipment and data, cancelled hotel/conference bookings, overpriced return travel tickets, and - last but not least - any inconveniences that you may experience personally.
The funniest thing about all this customs searches for "illegal bits" is that they attempt to prevent what is several orders of magnitude cheaper and a lot way easier to do in other ways. Security theater indeed; or do they trust their Carnivore/Echelon/whatever systems so completely?
>Less than two hundred years ago we
>where still having Witch trials (welcome
>to the historical town of Salem)
Over three hundred. They were so 17th Century, at least in the case of Salem.
>The closest you to have to that in the
>US are the Texas Rangers
Not in well over a century, with a lineage break between the paramilitary Rangers and today's, which is effectively the detective division of the Texas state police.
The U.S. Coast Guard would be the closest analogy to a border guard as a military service albeit normally under a civilian agency and the closest we have to a gendarme force. The U.S. Border Patrol would be next, but they are a civilian police and not gendarme force.
>The funniest thing about all this
>customs searches for "illegal bits" is
>that they attempt to prevent what is
>several orders of magnitude cheaper
>and a lot way easier to do in other
Give that man a cigar :)
While I enjoy in engaging the mental game of thinking through different scenarios, if you're going to willfully move prohibited items across the border, you'll use broadband and encryption to do it. Short of leaving a very short list of countries, say Myanmar, that's going to be an option.
However many (most?) countries allow the use of cryptography only if the user can give access to data to the authorities. Thus this method would make the use of cryptography unlawful in those countries.
This said, as many people suggested, the best protection is to keep a low profile ... unless you are already on their list. And the latter is probably true if you consider the information you transport is interesting enough to government agencies.
Then you would probably do better in investing in means to keep your data stored in a safe heaven.
the whole purpose of border security check is to make it difficult for you. Now since its 100% sure that you will not be able to decrypt it even if they ask you to, allows them to succeed in what they want - to deny you entry or impound your laptop.
Imagine their reaction when i take a print out this article and show it to them. they will definitely think i am trying to act smart and i will be in a lot of trouble.
Step 7: Tell your trusted associate to dispose of the key if you do not contact them within N hours.
If the key no longer exists, then everyone can truthfully say that the image can no longer be easily decrypted.
All this may work, but it seems like more hassle than it is worth. If I wanted to move data that my country's government might not approve across a border, I'd simply get an account on a tolerant ISP somewhere, then PGP-encrypt the goodies and e-mail them to myself there before crossing the border. As long as the laptop does not contain the private key or a log of where I've sent e-mail, it shouldn't matter what customs does to the laptop, including confiscate it.
Better still is to rent a laptop locally, and not try to move hardware across the border at all.
I admit I'm neither a cryptologist nor a lawyer, but I have to say this seems like really lousy advice. In a situation with customs officials and national governments against some smartass getting in their face, who do you think is going to win? How can pulling a stunt like this for the sake of using your laptop on the plane possibly be worth the risk of being detained or incarcerated? Wouldn't it be more prudent to do everything possible to keep yourself off their radar? In how many countries have you tried this and how often did it work? Will you help publicize the letter writing campaign on behalf of Amnesty International if someone follows your advice and it ends badly?
There is much better approach to this matter, and far less complicated. There is software (eg. TrueCrypt) which will allow having hidden encrypted partitions on already encrypted drive. The result is that you can have a special password which will boot in 'clean' and unsuspecting operating system, while your real partition with your important data remains hidden. This way a person who forced you to type in password will not suspect of anything. And even if the hard drive is taken to analysis, it is not possible to discover the hidden partition amongst the encrypted data.
You recommend that you should not mail the random key to yourself, so that you can plausibly deny that you can decrypt. I understand that you have to follow every cooperation request of a customs officer. But - if that request is to transfer additional data across an international border - do you think you have to follow that request? I mean, looging in at home or to yout web mail basically means that you transfer the key across a border...
Has anyone concidered removing the hard drive and storing it somewhere else, perhaps in luggage?
Not sure if it's been mentioned but here's a very simple method to get through customs with a laptop.
Make 3 partitions (more if needed). One swap, 2 system. Install Ubuntu or Debian on one with full encryption (don't encrypt swap unless you make another unencrypted swap). Install Ubuntu or Debian on the other partition without encryption.
Make the unencrypted install look like it's been used. Put stuff on it, customize it, etc.
Then when asked to search your laptop, boot into the unencrypted one and let them search.
Another method, make a Truecrypt volume. Put legit looking stuff in it. Make hidden volume. Then "hide" the outer volume somewhere. On Windows maybe name it similar to some system file that not many people know about, then "hide" it so it doesn't show through casual searching. On Linux, also name it something good and put a dot in front of the name.
The first method is a little more involved but if done right should work every time (don't forget to change grub so it doesn't look suspicious). The second method would also likely work. With the second method.. IF the volume is found, decrypt the outer volume and show them the legit looking stuff. If they ask if there's a hidden volume, just say no. They can't prove there's a hidden volume. Just make sure the outer volume contains stuff that really does look like stuff you would want to hide but not anything that could get you in trouble.
After reading through all of this thread one thing is clear. All of you are brilliant and very devious. Given the number of mechanisms discussed in this thread I question the entire purpose behind the US customs agents desire to image a drive and send it back to you in a couple of weeks.
Would a true “bad guy” (not a stupid one) get caught with data out in the open? Not in a million years. Would his computer boot up for an agent? Of course it would. Would a search by a border guard turn up anything deceptive at the border? Not in ten million years.
Knowing all of these things the real question is why would they bother?
"Knowing all of these things the real question is why would they bother?"
Well a couple of things spring to mind...
1, Perhaps they may use it as an oportunity to put something on the laptop in say the flash bios.
2, They might also do MS a service by checking for "illegal software".
Oh and a whole bunch of other things you would not want happening behind your back.
I dont understand why a computer security expert would resort to this lousy form of protection, if Rubberhose which exists for a long while now provides protection with DENIABILITY.
Of course if the governments incentive is high enough they will blackmail you / the trusted individual to release the key. This is bringing your trustees in danger. Get with it and admit at least *something* Assange created was truly genious. I respect his work on Rubberhose far more than his work on Wikileaks.
For me, the data I have is mine even in front of the law and I'm willing to go up against anything just on a matter of principle - not doing so would be like encouraging mandatory colonoscopy at borders in the future!
My thing is simple, I use a password with a keyfile, the password I know and the keyfile I don't have with me when I'm leaving the country. It sits on a server at work and after 1-12 hours (depending when I'm expecting to get at my destination plus a few hours) it's getting securely deleted.
Also I can delete it when accessing the app from the server by introducing a special password instead of the correct one. After the preset time has passed I can't recover the data on my laptop and nobody can, no matter what the value of that data is.
I back up my data everytime I leave from home to an encrypted location, that's entirely my business and stays under the laws of my country!
The worst thing that can happen with the data is me not being able to access it until I get back in my country to recover my backups.
What I aim for is for the worst case scenario about the data is to be lost even to me while I am under the law jurisdiction of another country! If they'll ever take my laptop I wouldn't have it back for use anyway, I'd sell it for another one!
This never happened to me, but if they ever decide at customs based on this computer thing to deny my entry in that country, they're probably doing me a favor - I wouldn't want to be there anyway! Usually the questions stop when I boot up my computer and they see the auth mesage "Operating System not found. Press any key to continue..." I don't even have to lie, they conclude by themselves that it's broken :)
The government provides many services and laws to protect everyone. If they feel a need to look at my data, I'm not worried about it because most of my data is related to family and work -- I certainly don't like the intrusive nature of it, but I also know that resisting is probably not going to end well and to me it's just not worth it to go to jail or end up with a criminal record.
My main reason for using encryption is to protect my privacy by keeping my data out of the hands of thieves who steal laptops. If the authorities want to see what I'm doing, I may ask "why" depending on the context (aeroports are one such context where I won't ask because the reason is abundantly clear, as per my final paragraph hereunder), and in the end it will be easier to just cooperate without resisting.
I don't travel much, and the last time I took a vacation that required traveling by aeroplane a customs officer asked me to power up my laptop. I powered it up, entered the password, and then when she saw the "Operating System loading" screen she waved me on through the metal detector and all was well. If they somehow find the time to examine the files on my laptop, I don't really care because they're only going to find children's games, family pictures and movies, and a bunch of work-related stuff, which I imagine will not be of any interest to them -- I still won't like it, just like I wouldn't like it if they arrived at my door with a search warrant for my home, but there's really not much I can do about it (if they accidentally damage something, I'll certainly take it up with them afterwards as timing is critical, but that's a different matter entirely).
I'm surprised that so many people these days seem intent on resisting authorities who are actually there to protect us (that's partly what we pay taxes for). It's a shame that there has to be so much paranoia at aeroports now since 2001, and it's a great inconvenience (I wish there was a better way), but I really do like the idea of arriving safely at my destination without the aeroplane I'm on getting blown up in mid-air or crashing into a building.
Those awful people known as the shoe bomber and the underwear bomber only made things worse, and I feel that despite the huge invasive inconvenience at aeroports, many people have wrongly identified the enemies as the authorities. But really, it's those who have no regard for our lives and seem intent on using us as pawns in some global chess game to make an extreme statement (e.g., they see us as infidels which offends them for religious reasons, it's their way of protesting trade embargoes, racism, etc.).
Add another option:
Leave unpartitioned space.
copy encrypted file somewhere on the unpartitioned space. (dd directly starting at a free cylinder on the hdd)
secure delete the file & clean command history.
TSA: "Do you ..."
3) After customs
dd back the file from unpartitioned space and use.
Your hard disk gets copied.
A heuristic for known encrypted file formats is run against unpartitioned space and finds it.
You go to jail for lying.
Anyway, purpose of hiding stuff is mostly moot.
- Why take personal stuff when they're safe at home.
- Why take corporate stuff when you can be held liable for them?
TSA probably does this for:
- Possible laptop bombs - http://xkcd.com/651/
- Possible military/corporate secrets getting out of the country. (nuke secrets to iran?)
- deterrent for piracy - will anyone take with them pirated stuff?
For amusement value, I've been trying to think of a way of placing the key such that anyone retrieving it without your approval would be forced to commit a crime either in their or another jurisdiction in order to retrieve it.
Maybe you could steganographically hide the key in a file on an overseas server that for some reason (copyright? obscenity?) they could not legally transfer from that server to retrieve the key. That would mean that the key would have to be retrieved from the file in-situ. With suitable computer misuse legislation in the server's home country, and suitably tight usage authorization from the server's owner, anyone retrieving the key would be committing a criminal offence in one or other country.
It should slow them down, at least.
Anyone who actually wants to transfer contraband data of any kind across a border can simply use the Internet. Stopping that threat model is not technically impossible, but it would mean no more "live" (real time) connections of any kind across the border, and some kind of (probably automated) inspection of every packet going through -- a level of control that not even China has tried to implement (and which, I hope, would lead to a level of protest approaching civil unrest in any country that did try it).
I bring up the above as a "reductio ad absurdum": unless and until our country does attempt that level of control over the Internet, it is both stupid and futile to search laptops at the border at all. In fact, it makes even less sense than the TSA's searches at airports. But like those, the searches are not going to stop on their own, because of the Iron Law: every bureaucracy's Job 1 is to maintain its existence by any means possible.
The only way that either these searches or the TSA are going to go away is if we relentlessly mock and ridicule them, and the politicians that maintain them, until they do. Let's go to it.
I assume that MS BitLocker has some kind of backdoor available to FBI and NSA. Who would know? On the other hand, the full source code of TrueCrypt is available (one of the strongest arguments for "open source" software), and you can always read it yourself and rebuild from trusted source. This assumes you are good enough at C to detect a subtle backdoor. Much safer than assuming BitLocker has none (do you really thing MS would resist adding a backdoor if asked?)
It's interesting to see how many comments there are along the lines of 'Well, I have nothing that sensitive so i'm just going to play along'. This is why we lose civil liberties. If a significant proportion of people going through customs would take a stand and encrypt their data this snooping on people's information - which previously, I might note, would have required Watergate-style break-ins - would quickly become unsustainable. The fact that even people reading this blog see this kind of thing as normal is incredibly disturbing.
Or just copy your MBR to a few flash drives and delete the MBR, then you will boot only when the flash drive is plugged in. IF customs tries to boot the system raise holy hell about them breaking your laptop.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.