Schneier on Security
A blog covering security and security technology.
« Collecting Expert Predictions about Terrorist Attacks |
| Apple Split-Key Patent »
January 11, 2012
Protecting Your Privacy at International Borders
The EFF has published a good guide.
My own advice is here and here.
Posted on January 11, 2012 at 7:15 AM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The simplest advice is take nothing with you across any border at any time except the minimum you require to get to your hotel etc.
You arange for anything else to be sent another way.
Two reasons for this,
1, You have nothing that you don't know about on you.
2, You don't have any devices on which malware etc can be added to your detriment.
Oh you also have less to be stolen/mislaid and nothing for the TSA et al to scratch the backs of their heads over...
Carrying a laptop into the U.S. of A. is carrying coals to Newcastle. Just take some money and buy a new one once in, cheaply. In fact, this is what many people from this side of the pond perform routinely as a secondary purpose of their trip.
Once you have it, download the data you need. Before leaving, securely erase it. After returning, keep it or sell it - with a profit usually.
For the purpose of secure deletion: do not buy SSD disks!
And all these recommendations fail if they are really after you. i.e. installing some hardware bug while your laptop gets searched.
So if you are paranoid taking no device with you seems the only solution.
They missed one trick in a sidebar. Dr. Akina doesn't need to 'securely wipe' the travel laptop, she just mails it back.
Given the fun and games involved with secure wiping and the triviality of simply FedExing it back (or, if it really is a worthless travel laptop, throwing it away) makes it pretty clear which I'd recommend.
Finally, doesn't this just blow the lid of a very serious problem?!
Given an information economy, isn't the idea that any information of value you bring over the border can and will be stolen outright anathematic to everyone except highwaymen??
PS - And yes, if you bring over a pile of cash (over $10,000), it too can and will be stolen from you, in the name of 'fighting drugs'. J.
I can dream, but I can suppose loading up your laptop with a bunch of lawfully purchased media files which is then taken from you and copied would expose the ICE, CPB, and DHS to monstrous copyright fines, or even get them unplugged from the Internet...
What a complete pain. And every precaution, every contingency described, begets more pain. How far we've come.
My MacBook has Lion's pre-boot filevault encryption on the small root partition, and TrueCrypt for the remaining large user partition with my home directories, so the entire disk is encrypted.
When I travel internationally, I make a full image copy of that drive, physically remove it, and then install a clean OS into the MacBook. If I need it, I then place the original encrypted drive into a small USB enclosure. It talks only a couple of minutes to open the MacBook, swap out the drive, and close it again.
Border officials can examine the MacBook as much as they want. If they also ask to see the drive in the USB enclosure in my coat pocket, which they have not so far, I can say that it was wiped and not formatted. When I place it into the mac, it shows up as an uninitialized disk, and a window pops up asking if they want to format it, which they can. They can even keep the external USB drive, since it is encrypted and I have it backed at home.
(My backups are also TrueCrypt encrypted.)
This might seem nuts, but I work in the semiconductor and banking industries and travel globally, and my laptop is full of trade secrets and security data.
I have had my laptops previously inspected in USA, Britain, Japan, and China. I don't see a need to hand over legal trade secrets and security data to corrupt officials without any just cause, if I want to keep my job.
Forgot to mention, that I have to use FileVault + TrueCrypt for full disk encryption, since TrueCrypt does not provide full disk encryption on the Mac yet. :(
And I don't trust that Apple Lion's closed source FileVault does not have some secret back door for officials.
They are missing something I pointed out a long time ago. It's hard to securely overwrite every storage location on a system. However, there is a way to do that without doing that: ensure it's strongly encrypted & simply loose the long, truly random key. This concept was independently discovered in an academic paper a few years back. I've voluntarily, and involunatirly :(, erased hundreds of GB worth of data using this method.
The deletion process is almost instant if digital & happens in seconds if the key is stored on paper (lighter or stove required). If a suitable algorithm & implementation is used, then the data will be truly unrecoverable. No, really, I tried my best undelete that stuff. ;)
... or just do what I have for the last 11 years. Don't travel to right-wing theocracies (Pakistan, USA, Iran etc.). Can't say I've missed anything.
@Lisa: "I can say that it was wiped and not formatted."
That would be lying to a federal officer, which, just FYI, is illegal.
@Slarty - or Canada, at least if you're a Bishop
And I don't trust that Apple Lion's closed source FileVault does not have some secret back door for officials
It might have but then again it might have bugs or even faux bugs that are realy backdoors.
That's the problem with complex security and software, you can easily drive yourself crazy trying to "verify and trust".
So the best thing is to assume that all software has bugs and is thus insecure (including products that claim EmSec level security), and you have to make the choice of how to mitigate accordingly.
The usual choice for low value data items is to chain various pieces of the security systems in sequence giving you the "onion layer" model. However on most OS's this has a fatal flaw which is the OS it's self, because it provides the link between all the pieces.
For higher value data items it used to be "use hardware" such as "Inline Media Encryptors" but as the US Gov and others have found the hardware is made outside of their control these days and could well be "Backdoored" by foreign nationals working for their governments...
Thus as I've said before on a number of occasions sometimes the best way to work is not to take high value data items with you across a border, nor the hardware&OS that can be "backdoored" as you go through.
There is however another option available which you are part way to with your external USB drive, but is not an option available to all. Which is "roll your own".
I've used a number of the more recent micro controlers with multiple USB ports to do this. You can buy the source to a RTOS that has multi tasking, and you can also buy the source to the USB and other stacks. You can also download for free very striped down RTOS's and limited schedulers from the net and USB stacks and software for flash drives etc. You can thus design and build your own "Inline Media Encryptor".
For those nervous about "flash memory" just remember provided the drive only has encrypted data on it as Nick P has pointed out if you lose the crypto key you go from "data brick" to "house brick" in one go.
There is also a further wiggle you can do (simplest with stream ciphers) which is to have the data in flash encrypted under one key, the inline hardware changes that to encrypted under the transmission key to be sent across the USB cable and the driver on the commodity computer changes that into decrypted plain text. Now the trick is to make the transmission key evolve with time and data usage such that any data a third party picks up off of the wire will be different every time.
You then pick a method of sending/agreeing the transmission key from the commodity computer driver to the inline encryptor. There are a number of well known and well described protocols for doing this.
Oh and finally just incase you think "rubber hose" analysis will be applied to you, as you presumably work for an international company you can use MofN key shares from different jurisdictions with agreed "duress codes".
But to be honest when it gets to this level you realy should consider not moving high value data items around, and changing the working practices to suit. Simply because it removes the risk to you and others, as a hostile agency that has targeted the company is almost certainly going to know what the internal company procedures are before they grab an individual "courier", it they know no data gets shifted by courier they will leave all the companies travlers alone.
Passwords, if written down, should be written on small slivers of paper, small enough to fit within a pill's capsule, yet durable enough to last unpacking and repacking.
Yes, they sell bags of empty pill capsules by the hundreds or thousands for cheap, look at your local health food store.
These "capsules" containing your password(s) can be mixed in with a medicine bottle and carried on your person.
Withdrawing a capsule from a medicine bottle and swallowing it casually but quickly draws less attention than attempting to force a huge wad of paper down your throat, or ripping them up into pieces and chewing them for good measure before gulping them down.
But if you're attacked by someone and they force you to vomit, you're screwed either way, unless you have a fast dissolving capsule and paper medium. Rice paper wouldn't tolerate much manhandling but there are other options.
The ultimate solution would be a V2K device for your own personal enjoyment, but that's in the military domain for now.
A Truecrypt volume placed on an mp3 player, disguised as a track of music could work, you could combine this with stego tech too for a fake audio track or a photo mixed in other photos of the same type.
And those are some tips for the border security. I'm sure you've seen everything and some really strange concealment methods, I'd love to hear amusing stories if anyone has them.
"For the purpose of secure deletion: do not buy SSD disks!"
There was an article from a forensic IT investigator last year in which he noted the way that aggressive firmware garbage collection in modern SSDs permanently removed deleted data without operator intervention.
He said he was shocked at how much information was overwritten for good after just 10 minutes of letting the SSD sit powered up, but otherwise inactive.
So maybe SSDs are one of the most secure storage options, by default?
"Oh and finally just incase you think "rubber hose" analysis will be applied to you, as you presumably work for an international company"
I would hope those working in "sensitive" fields would already be programmed in ways of dissociation. The net is full of information on this both in military and in government fields. Most Google searches will probably bring up conspiracy theories but read between the lines, there are some good articles on the subject.
The mind "splits" and no matter how much they torture you, the information stays within you. This is often found in people with MPD.
"If a border agent asks you to provide an account password or encryption passphrase or to decrypt data stored on your device, you don’t have to comply."
This may be true in the USA, but almost certainly, if you're passing through USA customs, you have or will pass through some other country's customs with the device, and their laws may differ.
"Carrying a laptop into the U.S. of A. is carrying coals to Newcastle. Just take some money and buy a new one once in, cheaply."
Fine if you're doing this for economic reasons, but if you're worried about security the first thing you're going to do to a new laptop is re-install from scratch to get rid of shovel-ware, or at the very least patch it. Either way, hours of fun...
"They missed one trick in a sidebar. Dr. Akina doesn't need to 'securely wipe' the travel laptop, she just mails it back."
And trust the courier?
The last time I send a PC via courier the insurance premiums implied they loose about one in 10 of them.
@Godel - it's mixed. Because SSD erases are slow and you can only write entire blocks modified data is copied onto any free space so the whole disk is quickly used.
But any bad blocks are flagged and ignored by any erase command - although they may be still readable with low level software
I think the big difference is the appropriate level of paranoia.
10 years ago you only worried about this stuff if you actually were a spy.
Today you should worry if you contribute to wikileaks or are a canadian bishop (*).
Or perhaps if you work for a foreign oil or aerospace company.
In a few years who is to say that laptops won't be routinely checked for Quickbooks files on behalf of the INS or the RIAA require checks for illegal MP3s?
Today an encrypted laptop - that you don't hand over the password for - will simply result in you losing the laptop. That's why the eff are promoting full encryption everywhere - so that impounding all encrypted laptops becomes as practical as stopping people taking dangerous phones, li-ion batteries or aircraft endangering kindles onboard.
* a bishop was arrested in canada for child porn on his laptop. Being a catholic priest who travelled abroad was reasonable suspicion to the mounties.
Seems to me encrypted usb drives are your friends. You can just keep it in your pocket and avoid having to refuse to decrypt your hard-drive. If they get to the point where they are searching you and find the USB thumbdrive, it seems to me they are already ruining your day and refusing to decrypt your drive isn't going to make things worst.
Last time I traveled to USA, I did this:
I copied the first MB of data of my luks encrypted drive to a server I own, and then wiped that part of the drive. Second I installed fresh system on a second partition changed the boot menu.
Now the system look like any normal computer with some spare space in it, and even if I gave them my password, the encrypted drive can not be decrypted thanks to the luks header missing. Most tools will even say that the spare unformated partition is zeroed. if anyone would press the issue, I could simply say I bought the computer that way.
When past the airport, it was a simple matter of copying the missing 1mb file.
@ The Conversation
"I would hope those working in "sensitive" fields would already be programmed in ways of dissociation."
The "cognitive dissociation" methods are now used as part of pain managment for those with chronic pain of various forms. As far as I can tell in the medical profession started this with people who have "Phantom Pain" due to amputation of a limb etc (giving fairly good evidence that some asspects of pain realy are all in your head).
It is now also taught as part of Cognitive Behavioral Therepy (CBT) to those who have severe pain and cannot for a host of reasons take the various forms of pain killer.
Over simplisticly one method teaches you to "wrap the pain" and either move it or yourself to one side of it so effectivly splitting the pain out of the self mental image. And I know from experiance this actually works but takes a lot of practice to be good at.
There are a couple of Doctors who have put the methods up on YouTube etc so you can practice with them.
When you look at them you can see some are based on CBT "distraction techniques" and others on either meditation or self hypnosis induction techniques.
And it is said in China they routienly perform operations in hospitals using hypnosis not anesthesia, and importantly the recovery rates are considerably better...
According to note 45, concealing a material fact in the truecrypt hidden partitions or in an encrypted volume whose password is not known to you seems to be a crime:
18 U.S.C. Â§ 1001 (2006) (it is a crime to willfully or knowingly "falsif[y], conceal, or cover up by any trick, scheme, or device a material fact" or make "any materially false, fictitious, or fraudulent statement or representation" to a federal agent).
That's why you have backups. Losing a laptop in the post isn't quite the same as having it taken from you at the border.
If nothing else, lost (or stolen) from the post doesn't require, or even ask, you to give up the encryption key.
All these devices we are worried about are made in china.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.