Laptop Seizures in Sudan

According to CNN:

Sudanese security forces have begun seizing laptop computers entering the country to check on the information stored on them as part of new security measures.

One state security source said the laptops are searched and returned in one day and that the procedure was introduced because pornographic films and photographs were entering Sudan.

U.N. officials, aid agency workers, businessmen and journalists who regularly visit Sudan worry the security of sensitive and confidential information such as medical, legal and financial records on their computers could be at risk.

Authorities have cracked down on organizations like Medecins Sans Frontieres and the International Rescue Committee, which have published reports on huge numbers of rapes in the violent Darfur region.

(More commentary here.)

While the stated reason is pornography, anyone bringing a computer into the country should be concerned about personal information, writing that might be deemed political by the Sudanese authorities, confidential business information, and so on.

And this should be a concern regardless of the border you cross. Your privacy rights when trying to enter a country are minimal, and this kind of thing could happen anywhere. (I have heard anecdotal stories about Israel doing this, but don't have confirmation.)

If you're bringing a laptop across an international border, you should clean off all unnecessary files and encrypt the rest.

EDITED TO ADD (9/15): This is legal in the U.S.

EDITED TO ADD (9/30): More about the legality of this in the U.S.

Posted on September 13, 2006 at 6:44 AM • 54 Comments

Comments

Johannes Berg • September 13, 2006 7:04 AM

Though what's stopping anyone from simply demanding that you decrypt files (or, if you don't, denying you entry) if they find encrypted files?

Keeping them online could be a solution, but then you rely on network access...

Fuzzy • September 13, 2006 7:28 AM

You can carry your cryptographic keys on a small USB drive on your key ring (no pun intended), which will most likely be overlooked, but there's nothing preventing them from not letting you into the country if you don't unlock the drive; it's all a question of the sophistication of the person scanning your machine. You could archive and encrypt your "secret" files and then hide them as a regular file, like an .exe or .dll for instance.
Better yet, use a VPN (or SSH) that connects to your home base, presumably out of country and assuming you have Internet access in places like the Sudan.
Even the guy who dropped his iPod into the airplane toilet had his machine thoroughly scanned for "porn" before he was allowed entry into the country, and recent changes to the criminal code in Canada make even possessing voyeuristic pornography a crime, whether you created it or not, i.e. you downloaded it from a voyeur site. Visitors to Canada beware.

Paeniteo • September 13, 2006 7:31 AM

Well, if they deny you entry unless you decrypt all encrypted data you have to choose what is worth more for you:

Keeping the data confidential or entering the country.

Then act accordingly.

Erik V. Olson • September 13, 2006 7:37 AM

>While the stated reason is pornography...

When the stated reason is pornography, they're lying.

>But how should I carry my (cryptographic) keys?

I certainly wouldn't go into Sudan with encrypted files, and I'm leery of taking keys anywhere if I don't absolutely need access to secure info in that place.

See, at customs, if they don't like the encrypted files, they tell you flat out that you will decrypt those files. If you say no, I'll take you to the back room and start beating you until you do.

Torture normally doesn't work, because the tortured will tell you anything to make the torture stop. But with crypto keys, you have an instant way to double check the info. So, when you break, they try the key. If it doesn't decrypt, it's back to the beatdown.

I'll note the disaster that is having your *public* key ring fall into the wrong hands -- a lovely bit of info for the bad guys, since presumably, you've communicated with those people secretly.

If I'm an evil government, I'm all for those opposing me using PGP, since rolling up the networks is easy. Compromise one opponent, get computer. Beat him until you get the secret key open. Arrest anyone whose public key is on the machine. Repeat.

Andre Fucs • September 13, 2006 7:51 AM

Bruce,

I entered and left Israel a few times (without Israeli citizenship) and no problem ever happened except for the random checks that I'm already used to (they also happened in pre-9/11 USA).

One of my managers was once denied boarding with his digital camera, but the country was on a high security alert at that time. The camera wasn't confiscated (if I'm not mistaken, it was just sent out of his reach).

In fact, Ben Gurion Airport Security is amazing and reasonably efficient. I'm always amazed with the "X-Ray" deployment over there.

A friend of mine once told me about his experience applying for a US visa in Brazil. He went to the US consulate and, while passing screening, was asked by the security guard what the strange keyring he was carrying was: a SecurID. He tried to explain what it was, but the guard didn't understand and was concerned about the device. He then said: OK, I will leave it here with you. The guard simply said something like:

No no no. Take it with you, better explode away from me.

:-)

John Ridley • September 13, 2006 7:53 AM

If you want to encrypt your data, don't do it on a normal file. Put it on an unpartitioned portion of your hard drive. Truecrypt can do this I think. You have a 40GB hard drive, you partition 35 of it (or whatever) as normal drives, install TrueCrypt, put some decoy files on the normal filesystem, and have it format the last bit of the hard drive as a hidden volume.

Truecrypt is designed to leave no signature. There's no way to prove that there's anything there but random bytes, even if they do have the sophistication to go in and realize that you have 5 GB of unpartitioned space at the end of your drive.

jayh • September 13, 2006 8:04 AM

Actually truecrypt allows for a second key in an encrypted drive which allocates space in the 'unused' sectors. Decrypting with the primary key reveals the primary data, with the existence of secondary data undetectable.

mdf • September 13, 2006 8:16 AM

"There's no way to prove that there's anything there but random bytes,"

Rooters (Takeitallm, Shakedownistan) -- Today the government of Shakedownistan unveiled its new anti-pornography, anti-terrorism, anti-drug and anti-pedophile customs policies.

Measures include the thorough examination of all digital information storage devices, including (but not limited to) laptop computers, USB flash drives, paper, etc.

"We need to save the children", stated the Minister for Contraband Resale, explaining that not only is blatant pornographic information to be seized and the possessor to be charged, but "We will deem unknown, undecodable, or otherwise completely random data to be a violation of these laws. As Kofi Annan has stated, the State must firmly assert its Monopoly on Plausible Deniability. Everything else is just chaos and madness, and a threat to the innocent children of our country."

When the Minister was informed that Annan was speaking about the "monopoly on the use of force", the Minister responded "Isn't that what I said? What's the difference?"

Tom Davis • September 13, 2006 8:29 AM

If I were a sovereign entity intent on controlling information coming into my domain, I think that I would create software to overwrite supposedly random data on a hard drive, including unpartitioned areas and the unused bytes at the end of a used block. That way, I could ask the laptop owners if they had any encrypted data, and if they said no, I'd tell them what I was about to do, and let the behavioral profiling begin.

In fact, I wouldn't even need the ability to randomize "random" bytes, just the belief that I had the ability.

Of course, I'd also check for supposedly executable files which didn't conform to executable file formats, and if I found those, that'd be evidence of encrypted files, and fraud for saying they weren't.

Steganography might be an option if the amount of data were small, but it would probably be better not to rely on physically (hard disk or USB keyring) moving the data across the border.
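The check Tom Davis describes (a file whose name claims an executable or image format but whose content does not follow that format) is routine forensic triage: compare the extension against the file's leading bytes. The following is an added example, not code from the thread or from any tool named here; the signature table is a small subset of well-known format headers, and the sample files are constructed in a temporary directory.

```python
"""Extension-versus-signature check: flag files whose name claims a format
that their leading bytes do not carry. Added example; samples are constructed."""
import os
import tempfile

# Leading-byte signatures for a handful of common formats (well-known values).
SIGNATURES = {
    ".exe": (b"MZ",),                        # DOS/PE executables
    ".dll": (b"MZ",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),  # local file header / empty archive
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".gz":  (b"\x1f\x8b",),
}


def magic_mismatch(path):
    """True when the extension has a known signature that the file lacks.
    Extensions not in the table are not judged at all."""
    ext = os.path.splitext(path)[1].lower()
    sigs = SIGNATURES.get(ext)
    if sigs is None:
        return False
    with open(path, "rb") as f:
        head = f.read(16)
    return not any(head.startswith(s) for s in sigs)


def scan_all(root):
    """Map each relative path under root to whether its name and content disagree."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[rel] = magic_mismatch(full)
    return report


def scan_tree(root):
    """Sorted list of the mismatched files only (what a triage report would show)."""
    return sorted(p for p, bad in scan_all(root).items() if bad)


def build_sample_tree():
    """Constructed sample: two honest files, two renamed ones, one unjudged."""
    root = tempfile.mkdtemp(prefix="magicdemo_")
    samples = {
        "setup.exe":   b"MZ" + b"\x90" * 62,                # genuine-looking PE stub
        "dog.jpg":     b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # genuine JPEG header
        "msvcrt2.dll": b"PK\x03\x04" + b"\x00" * 60,        # a zip archive renamed .dll
        "cat.jpg":     bytes(range(0x3c, 0x7c)),            # fixed non-JPEG bytes named .jpg
        "notes.txt":   b"shopping list\n",                  # .txt has no entry: ignored
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))  # ['cat.jpg', 'msvcrt2.dll']
```

The check is deliberately one-sided: it can only say that a file is not what its name claims, never what it actually is, and a renamed file with a matching header (an archive appended after a real PE stub, say) passes it. That is why real triage tools pair it with other signals rather than trusting it alone.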

Mike Schiraldi • September 13, 2006 8:39 AM

I just bought a $31 2GB USB drive that's about 1mm thick and about the size of a postage stamp. Let's not even discuss the various places it could be hidden.

Fullon • September 13, 2006 8:43 AM

Hmmm, what about full-disk encryption?

Since the entire disk is encrypted they wouldn't find anything, unless of course they were given the password to get into the system. Can't imagine anyone doing that.

In many companies I have worked with, the full disk encryption (preauth) password is synchronized with the Windows domain login (most full disk encryption vendors provide this feature). Also, in a lot of cases I have seen, the Windows domain login password is synchronized to the VPN gateway for VPN access to the corporate network. So, giving up the disk encryption password, essentially gives up the "keys to the kingdom", so to speak.

So, it would seem, anyone working for such a company (or that has similar practices for their personal/home computers and networks) likely wouldn't be allowed entry to this country.

DBH • September 13, 2006 8:49 AM

TrueCrypt offers a 'drive within a drive' feature which allows hiding an encrypted file. If these government yahoos want to prevent it, they just need to wipe blank spaces on encrypted drives after beating the key out of you.

These days people have MP3 files up the yazoo; maybe someone will find a way to hide files in MP3 data without too much degradation, sort of like audio steganography, and allow substantial amounts of data. Of course, you would have to have the recovery program on your disk, and that would raise suspicion...

Chris • September 13, 2006 9:12 AM

For the paranoid amongst us:

What's to stop the Sudanese government from modifying your harddrive while it's out of your possession? With physical access to the machine, it's a trivial matter to install a rootkit or keylogging software without your knowledge. Today's better rootkits cloak themselves well enough that you're unlikely to detect their presence without a forensic analysis of the drive.

The linked commentary suggests changing passwords before and after visiting the Sudan. Is this enough? Perhaps this should be extended to include a complete format and rebuild of the machine as well, just to be sure?

Also, I wonder how the whole-drive encryption available with Windows Vista will impact the current practices? Certainly, travelers can be made to give up login passwords so tools can be installed and run. This is hardly conducive to an assembly-line process to analyze all of the computers that enter the country on a daily basis, however. I expect the current process involves removal of the drive from the laptop and connection to some scanning device. An encrypted drive is much harder to copy and analyze later if the keys are stored in a TPM that's leaving with the laptop tomorrow. Or the week after that. Or the month after that. Or...

Steve • September 13, 2006 9:23 AM

Regarding customs officers threatening to delete hidden and/or encrypted data, I don't think anyone should be crossing a border carrying a laptop with data on it that they can't afford to be deleted.

So, to add to Bruce's advice something which should go without saying: If you're bringing a laptop across an international border, you should clean off all unnecessary files and encrypt *and backup* the rest.

The worst that can happen then is that you lose some essential data and you can't (for whatever reason) securely access your backup, so you've wasted your trip. Only you can decide whether the secrecy of your data is more important than the trip itself.

Roxanne • September 13, 2006 9:27 AM

The key question for me is: do you want the laptop itself, or the data that's on the laptop? I think that these are two separate questions: How to take the laptop into the foreign country, and how to take the data in.

If I need to use the laptop, strip it of all but the most basic info and let them inspect away. Download any data later over secure lines.

If I need the data, there are some amazing data storage devices out there today. As the individual commented above, I don't want to think about all of the places one could hide such an object. All you really need to do though is make it look like something innocuous. Me, I'd probably take along my son's gameboy, with a bunch of extra game cartridges. Finding the specially modified game is an exercise for the student.

The country's defense of writing over all apparently blank areas of the disk would be fine with me; the general defense for data discovery is annihilation of the data, after all. The country wants the data, not the laptop, although the security guard himself may want the laptop. If he keeps the laptop (without the data), and you keep your data, it's probably ultimately a win for you.

When communications devices become embedded in the individual (I suspect they're already in use), the security procedures will have to change again. How do you get the data when it's embedded in someone's skull? Or tooth? Or next to their kidneys? Yeah, it's going to be fun.

Steve • September 13, 2006 9:34 AM

> What's to stop the Sudanese government from modifying your harddrive while it's out of your possession?

Maybe a bootable CD-ROM which runs some kind of checksum over the hard disk (you having memorised or written down the expected value before you left). It would need to ignore anything likely to change simply as a result of the laptop being booted and used normally, or you'd get nothing but false positives.

Obviously that won't stop them doing it, but at least you'll know it has happened. Provided of course that the rootkit is placed on disk, not in the laptop's BIOS.

Presumably there's a state of the art in rootkit detection, I just don't know what it is. And you'd also have to check for hardware keyloggers inside the laptop, counterfeit network adaptors, hidden microphones, radio transmitters used to track you: all the regular spy stuff.

martin • September 13, 2006 9:41 AM

Also, where can I find substantive info on the pros, cons, security and implementation of FDE?

Abbas Halai • September 13, 2006 10:26 AM

I've had the same issue entering the United States at least three times. "They've" made me log in to my laptop and then told me to leave the room and wait outside. Not that I'm hiding anything, but it's still my data.

Secure • September 13, 2006 10:28 AM

@anyone mentioning the separation of the data from the laptop,

Yes, USB sticks are already large enough to keep all of my work-related data. Wait some years until they reach the capacities of today's hard drives, and the content industry will face a completely new kind of problem. Taking my whole media collection (video, music, pictures, books, comics, ...) always with me on my keyring, accessing it on any computer available, sharing it with my friends, and so on.

What would YOU do with 1 Terabyte on-a-stick that cost only a few $$?

anon • September 13, 2006 11:01 AM

@Abbas Halai : "i've had the same issue entering the United States at least three times"

If an Airbus worker puts his laptop in his checked luggage when flying to the US from France, then the luggage is systematically "delayed" for three or four days.

Kind of an Echelon effect.

Deleted File • September 13, 2006 11:03 AM

Some good ideas posted above.
Here is my suggestion, including some other people's ideas given above:

1. Clean out all unnecessary data and the swap if running Windows.
2. Move all required data files to a password protected ZIP file on a FAT32 USB stick. Use a really strong password for the ZIP file.
3. Preferably, put some other innocuous data files on the memory stick.
4. Create some very large innocuous files to fill the laptop disk then delete those large files (to overwrite unused disk space).
5. Make a backup of the laptop.
6. Now plug in USB stick and delete the password protected ZIP file then immediately remove the USB stick.
7. When in airport, hide the stick as best you can.
8. If they find the stick, hopefully they won't find the deleted ZIP file.
9. If they do find the ZIP file, deny all knowledge of it ("someone in the office must have done that").
10. When you arrive, recover your password protected ZIP with a file undelete utility (ergh... you do have one of those, don't you?)

This would be a pain but should improve the odds of getting past security.
You could also try hiding the file as a deleted file on camera memory (they use FAT file system as well but it would be a bitch to explain if they found it).

Greg • September 13, 2006 11:09 AM

When a NZ'er came back from an overseas trip to the Middle East, his laptop was searched at the border (a NZ'er entering NZ). They found over 20 gigs of illegal porn and he was prosecuted.

He claimed the images were to test a filtering program for schools. I personally know him and, without going OT, this is probably true.

Anyway the point being that it happens in New Zealand sometimes.

jon • September 13, 2006 11:12 AM

And what is to stop them from putting something into your laptop/on your hard drive that you might not want? Powered RFID, GPS beacon, voice recorder. And even easier to install new applications or files with information you should not have. People could be set up with incriminating materials for later arrest. People could become unwitting couriers. Your laptop could spy on you and your activities. No end of mischief.

But how many people will refuse to permit the search? What would it take for someone to decline the honor and pay for the next flight out? But perhaps that's just the behavior they're hoping to instill, so fewer people see what's there to be seen, make records of malfeasance, and can report on it with veracity and substantiation....

Does Homeland Security have this on tap yet?

Some Dude • September 13, 2006 11:13 AM

You could just put stuff on a tiny USB/memcard, swallow, and later poop. That won't show even on backscatter X-rays... I think.

jammit • September 13, 2006 11:28 AM

What's to prevent the gub'mnt from taking your laptop, not finding anything, and then putting something on it just to make quota? My idea is to put two hard drives in the laptop. Most drives are small enough they can be stacked. Sure, only one drive would be hooked up at a time, but the one on top should hopefully hide the one below it. Maybe even put reversible damage on the lower drive. Deniable plausibility would be the new drive was too small, and the broken drive jimmied up the loose space. Make sure to beat the laptop with a chain to give it that weathered, old look. Always remember the three rules of computing. Backup, backup, and backup.

Noise • September 13, 2006 12:48 PM

In these kinds of situations, what is the value of creating "channel noise".

In the case of images (could do something similar for data files), using a program, take some set of 1-2k JPG files, which could be pictures of your dog, a tree, etc. (or better yet, could be randomly generated JPG/DOC files of varying sizes), and fill up 20GB or so by creating 10 million+ of these files, all with randomly unique, semi-suggestive, but non-incriminating names in a few million randomly unique, semi-suggestive, but non-incriminating directories.

Wouldn't anyone investigating the content of these files have to pretty much manually view each of these millions of files in order to rule out the possibility of "bad" images or "bad" content? If enough people had these "noise generators", the investigators would get so bogged down they wouldn't be able to reasonably process all the data. Kind of like creating false positives on an alarm system, so that eventually the alarm gets turned off.

derf • September 13, 2006 1:49 PM

Use steganography. You might not want to use pornographic images as your base, though.

If you have to give unsupervised control of your laptop to someone else, you have no plausible deniability. You're basically in the same position as Floyd Landis in the Tour De France - he's guilty because "they" say he's guilty.

kiwano • September 13, 2006 3:06 PM

And by necessary, I take it that you mean a copy of scp that you can use to retrieve your data from your real computer, back at home, once you've crossed the border. Also don't bring anything that could identify which computer you intend to log into (e.g. a host key, or your SSH keyring); just memorize your password and host key fingerprint (if you haven't already) and have a dummy host ready to log into if they tell you to access your information over the Internet for them.

Guillaume • September 13, 2006 3:31 PM

This kind of thing was discussed not long ago on the Interesting People list. This sort of thing happened to an American citizen crossing the Canada/USA border ...

Eric K. • September 13, 2006 4:49 PM

A few ideas:

1. Two hard drives. The first one is clean, possibly a scrubbed disk and a clean install of your OS. The second contains your data as a TrueCrypt volume and during travel isn't even plugged in, so it doesn't appear in the list of storage devices

2. USB key containing a few innocuous files. The entire contents of one of them being the key for your TrueCrypt volume.

3. Primary and secondary keys as mentioned above, so if the second drive is discovered and you're forced to decrypt it, you can decrypt it with the primary key, revealing yet more clean data. Discrepancies in volume sizes can be explained away as overhead in the encryption process. Your sensitive data is then accessible with the secondary key, which should be a combination of two or more of the innocuous files on the USB stick.

4. Use the smallest, thinnest USB stick you can find, such as the ones that are no thicker than a standard PC board and don't even have a full USB connector, just four contacts that are crammed into the USB slot. A key this small could be hidden inside a luggage tag, particularly the thicker, plastic ones.

5. You could also use SD cards from digital cameras, and use image files as keys.

Set up properly, you'd appear to be a normal traveller with a digital camera and a few harmless pictures of your cat or something, carrying a laptop with one dead/unformatted hard drive and a fresh OS install.

James • September 13, 2006 7:05 PM

re: Unpartitioned space - truly unformatted space on hard disks is not going to be statistically random. Encrypted data will be.

You'd have to be able to plausibly claim that the drive was secondhand, and the previous owner had run a disk-scrubber (why would _you_ have anything to hide?)
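James's point is the basis of a standard triage step: the byte distribution of a region tells an examiner whether it is empty, ordinary structured data, or something that looks uniformly random. The block below is an added example, not code from the thread; it scans a constructed in-memory "disk image" (zero-filled sectors, plain text, and random bytes standing in for ciphertext, since the standard library has no block cipher) block by block and reports which runs look random.

```python
"""Per-block Shannon entropy over a constructed disk image. Added example;
random bytes stand in for ciphertext, zeros for never-written sectors."""
import math
import os
from collections import Counter

BLOCK = 4096  # scan granularity in bytes; a typical filesystem block size


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blocks(image, block=BLOCK, high=7.5, low=1.0):
    """Label each block 'empty' (near-constant), 'random' (near 8 bits/byte),
    or 'structured' (anything in between: text, code, most file formats)."""
    labels = []
    for off in range(0, len(image), block):
        e = shannon_entropy(image[off:off + block])
        if e < low:
            labels.append("empty")
        elif e >= high:
            labels.append("random")
        else:
            labels.append("structured")
    return labels


def random_runs(labels):
    """Collapse consecutive 'random' blocks into (first_block, block_count) runs."""
    runs, start = [], None
    for i, lab in enumerate(labels + [None]):  # sentinel closes a trailing run
        if lab == "random" and start is None:
            start = i
        elif lab != "random" and start is not None:
            runs.append((start, i - start))
            start = None
    return runs


def build_image():
    """Constructed layout: 4 empty blocks, 4 blocks of English text,
    4 random blocks (the 'ciphertext' stand-in), then 2 empty blocks."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 400)[:BLOCK * 4]
    return (b"\x00" * (BLOCK * 4)
            + text
            + os.urandom(BLOCK * 4)
            + b"\x00" * (BLOCK * 2))


if __name__ == "__main__":
    labels = classify_blocks(build_image())
    print(labels)
    print("random runs (start block, length):", random_runs(labels))
```

The caveat an examiner keeps in mind: compressed data (zip, JPEG, MP3) also scores close to 8 bits per byte, so an entropy scan separates "random-looking" from "not random-looking" and nothing more; it cannot tell ciphertext from a compressed archive, which is exactly why the disguised-file checks discussed earlier in this thread are applied alongside it. Unwritten sectors, on the other hand, tend to be zero-filled or to contain remnants of old files, and fall well below the threshold.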

Stefan Wagner • September 13, 2006 7:44 PM

I don't see much sense in hiding data on camera-devices, when pictures are the main interest.

Crypt and backup sensitive data.

Smuggling data might work or might not.
Perhaps Mr. Schneier should include some explicit photos in his blog, to prevent Sudanese authorities from visiting this site.

Aren't there international lists of things you might bring to a country, ordered by nation?
We need something similar for data and encryption.
I would like to know before travelling what I have to expect.

"Please login and leave the room" like Abbas Halai describes?
Well - that's putting the US on my personal 'no flight'-list.
And thanks for the sudo-joke on your site, Abbas.

junta • September 13, 2006 11:25 PM

Here's an idea: don't take stuff into a country that is prohibited, and do check in advance. And be willing to part with anything the host wants from you.

This is not the same as "if you've got nothing to hide why are you worried".

Seriously, people like this aren't worth f*cking around with. Why not smuggle heroin from Afghanistan to the West, if you want to take these kinds of risks? You could make a lot more money and meet much more interesting people that way.

ABC • September 14, 2006 12:57 AM

If I was asked to enter my password and then leave the room, I would politely decline. You'd have to cause me some serious injury before I'd even consider it. Them having my login would give them access to confidential client data, and potentially access to my company's servers. Once they have my login, more than my laptop is at stake. As others have said, who knows what they're doing to it while you're not there. The worry isn't whether your data on there is safe; it's whether your future data will be as well. You don't screw around with customs, but if you're given the option to leave, you take that instead.

Couldn't you just set up a dummy login for situations like this? Use it frequently to browse innocently on the web, have a few non-sensitive documents lying around, etc. Set up a separate e-mail account for it; have friends forward you all kinds of jokes and videos. Forward jokes to them as well. If you're carrying business cards, make sure they have the fake e-mail address on them, not your real one. Make it look like it's your regular account. Also make sure it has practically no write privileges to anywhere on the drive except its home folder and temp folders.

Your regular user account would have everything encrypted and located in your home folder, which other users do not have access to. Call your regular account 'admin' or something. If they ask you why they can't get at those folders, tell them you don't know. Maybe that's an account your IT department uses for maintenance.

You can use an entirely different user account as your steganography, as long as you have an explanation for it being there and you not having access to it.

Felix Dzerzhinsky • September 14, 2006 3:20 AM

I have just come back from six months in Sudan.

The internet there is filtered for pornographic information. I was surprised to find that political information, even that critical of the government, was easily accessed.

They have Sharia Law in the North of the Country. They arrested over three hundred people for 'immoral crimes' last year.

Regarding encrypting your hard drive if you belong to an International Organisation with diplomatic immunity you might get away with it. If you are with a regular NGO you can expect to be imprisoned as a spy.

Don't underestimate the technical capability of the government. I met a lot of guys there who had been educated in the US and Europe.

The Islamists beheaded a journalist there recently. They don't screw around.

I am glad to be out of there. Sharia sucks.

yitz • September 14, 2006 3:38 AM

I've brought my personal as well as business laptops in and out of Israel many times (~6 times in just the last year), as have family members of mine (who aren't citizens, as opposed to me, who is). None of us have had our laptop contents searched. Sometimes I have been in airports where they have asked me to turn my laptop on to make sure it was functioning, but not in Israel. They just scan them in the X-ray machines.

Steve • September 14, 2006 4:26 AM

> don't take stuff into a country that is prohibited, and do check in advance.

Medecins Sans Frontieres publish reports on rapes and other illegal activity in the Darfur region of Sudan. They believe (well, they know) that some of this activity is carried out with the approval and even involvement of the government.

The data in question isn't prohibited in Sudan, but the people who have it don't want the government to see it, because they don't want the government to know who their sources are, because they don't want their sources murdered in the dead of night.

What is prohibited by law (I assume) is pornography. Not having any pornography doesn't prevent the government from trying to access your confidential data because (one suspects) searching for porn is just a pretext for searching the data in general.

Think of it like the War on Terrorism - the fact that you're not actually a terrorist is no protection from extra searches at airports, telephone surveillance, detention without charge, or whatever other powers your government (or that of a country you visit, or that of a country whose security service kidnaps you) has invented recently.

danny • September 14, 2006 9:59 AM

To the best of my knowledge, laptop checks in Israel are very rare (usually if you are in association with a group that might be used by terrorists, as some European peace-keepers are) and are only checked physically (to see that no explosives are in it). Checking data is useless since free wifi can be easily found, and data sent anonymously.

alfora • September 14, 2006 12:56 PM

The real problem begins when you try to get out of the country again and are asked at checkin if you packed everything yourself.

You would have to deny that because somebody else ("they") had access to your laptop while you were not able to watch...

Abbas Halai • September 14, 2006 10:48 PM

@ABC
>If I was asked to enter my password and then leave the room, I would politely decline. You'd have to cause me some serious injury before I'd even consider it.

You probably could do that if you were a blonde Caucasian, definitely not a Pak-Canadian like me who travels to Pakistan three to four times a year. Believe me, I'd end up with the serious injury bit quite literally.

>Couldn't you just set up a dummy login for situations like this?

That's a good idea which I plan on implementing now.

piglet • September 15, 2006 1:27 PM

I read about journalists complaining that Israel was inspecting their laptops on entering and leaving the country. I can't find the reference right now but as far as I remember, it is, or was, a "security measure" directed specifically against foreign journalists.

Stefan Wagner • September 15, 2006 7:32 PM

I ask myself how long such a laptop inspection might take.
I sometimes have up to 10 options in the grub boot menu, but can those people interpret a grub boot menu?
Do they understand that there are only 3 different kernels, starting from the same partition, and 3 different boot options lead to 9 boot entries?

You can use grub to fool a shallow inspection: boot immediately without delay.

A separate bootable medium like Ubuntu, which looks serious (because obviously not a self-burned medium), allows you to mount your drives and rerun grub, to bring your real boot menu back.

An inserted Bart-PE (Windows live-CD) would be too easily detected, even through a skin deep inspection.

Clive Robinson • September 15, 2006 9:43 PM

@Stefan Wagner

"I ask myself how long such a laptop inspection might take."

How long to put in a USB2 hard drive, a Knoppix CD, whizz up the partition table in an appropriate app and dd the partitions to the USB2 hard drive. Or if the partitions look odd (say a BSD install or somebody got cute) dd the whole drive as one image.

Then you can dump the USB2 hard drive to your chosen attack machine.

Depending on the hard drive size on the laptop as little as ten minutes.

If you are not technically competent, go buy an off-the-shelf forensic examiner package; they will also sort the wheat from the chaff in terms of interesting files in just a few minutes as well.

If you really want to know the ins and outs try "File System Forensic Analysis", Brian Carrier, Addison-Wesley, ISBN 0-321-26817-2

Or search for Brian's documents online of which there are quite a few.
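The "whizz up the partition table and dd the partitions" step from the comment above, as an added example that is not part of the thread: it parses an MBR partition table from a raw disk image, carves each partition out exactly as `dd ... skip=START count=COUNT` would, and records a SHA-256 for each. If the table is missing or the entries overlap ("somebody got cute"), it falls back to imaging the whole drive. The disk image is constructed in memory so the script runs offline; no real device names are used.

```python
"""Carve MBR partitions out of a raw disk image (added example, constructed data)."""
import hashlib
import struct

SECTOR = 512
MBR_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_test_image(overlapping=False):
    """Construct a tiny 64-sector 'disk' with two MBR partitions (synthetic, not a real drive).

    Partition 1: Linux (0x83), LBA 2, 10 sectors, filled with 'A'.
    Partition 2: NTFS  (0x07), LBA 16 (or 5 if overlapping), 20 sectors, filled with 'B'.
    """
    disk = bytearray(64 * SECTOR)
    p2_start = 5 if overlapping else 16
    parts = [(0x83, 2, 10, b"A"), (0x07, p2_start, 20, b"B")]
    for i, (ptype, start, count, fill) in enumerate(parts):
        disk[start * SECTOR:(start + count) * SECTOR] = fill * (count * SECTOR)
        status = 0x80 if i == 0 else 0x00
        entry = struct.pack(MBR_ENTRY, status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)
        disk[446 + 16 * i:446 + 16 * (i + 1)] = entry
    disk[510:512] = b"\x55\xaa"          # MBR boot signature
    return bytes(disk)


def parse_mbr(image):
    """Return [(index, type, lba_start, sectors)] for the non-empty primary entries."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _, ptype, _, start, count = struct.unpack(MBR_ENTRY, image[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        entries.append((i + 1, ptype, start, count))
    # A sane table has no overlapping partitions; anything else is "odd" and gets whole-disk treatment.
    ordered = sorted(entries, key=lambda e: e[2])
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev[2] + prev[3] > nxt[2]:
            raise ValueError("overlapping partitions")
    return entries


def carve(image, start, count):
    """Equivalent of: dd if=disk.img of=partN.img bs=512 skip=start count=count"""
    begin, end = start * SECTOR, (start + count) * SECTOR
    if end > len(image):
        raise ValueError("partition extends past end of image")
    return image[begin:end]


def image_partitions(image):
    """Carve every partition; returns {index: (type, size_bytes, sha256)}.

    Index 0 means the whole drive was imaged as one blob because the table was unusable.
    """
    try:
        parts = parse_mbr(image)
    except ValueError:
        parts = []
    result = {}
    for idx, ptype, start, count in parts:
        data = carve(image, start, count)
        result[idx] = (ptype, len(data), sha256_hex(data))
    if not result:
        result[0] = (None, len(image), sha256_hex(image))
    return result


if __name__ == "__main__":
    for idx, (ptype, size, digest) in image_partitions(build_test_image()).items():
        print(f"partition {idx}: type={ptype} size={size} sha256={digest}")
```

On a real box the image would come from `open("/dev/sda", "rb").read()` (or, more sensibly, from the `dd` image already on the USB drive); the hashes are what you would later use to show the copy is bit-for-bit what was on the laptop.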

ShadSeptember 16, 2006 10:34 PM

To make sure the laptop is not compromised, there are a few things that can be done. The physical integrity of the equipment can be checked by using tamper-evident labels over critical parts, the kind used for warranty-void-if-removed seals. The integrity of the files can be checked using a bootable CD with e.g. Knoppix and a script that makes hashes of all files in the filesystems, and in the case of Windows dumps the registry as text, and stores them on a USB disk. Then, once you get your laptop back, compare the files, and find the ones added/deleted/modified.

Temporarily installing a keylogger may also be beneficial, in order to reveal what was done during the check. Please do not neglect to share any such acquired intel on the Net.

Let's also not underestimate the often neglected option: boot ROMs. Many kinds of BIOSes can be patched and reflashed, allowing addition of custom code. This can be exploited for both attack and defense. Projects like Etherboot can be helpful here.

An exotic variant of defense would require patching the firmware of the disk drive itself; this is more esoteric, as the firmwares AFAIK aren't readily available; many newer disks however allow firmware upload. Make it identify as a different, smaller type, unless the correct identification is supplied at boot time (perhaps queried for by the boot ROM patch). Hide part of the disk, not unlike a host-protected area (for lower-grade adversaries you can even use the HPA itself). Perhaps, if we want to be malicious, even detect if the disk access is sequential-only (a signature of disk imaging in progress), and silently start serving corrupted data. Even physical removal of the disk and imaging it in a different machine won't help much then; a new firmware would have to be flashed in, or a different disk system board used, or the data read directly from the disk heads, which is annoyingly slow and expensive; but that's the point: to cost the adversary more than you are worth.

But I don't know how to modify a hard drive's firmware, nor how much additional horsepower its controller has.

A swindle we could use here could be a miniature HDD, mounted inside the casing of a conventional 2.5" HDD, together with some additional electronics. The advantage is the relative simplicity and achievability within a garage-based lab, using off-the-shelf FPGA technology. The disadvantage is that such modification is fairly evident on x-ray. This can be compensated for to a degree by using the FPGA for transparently encrypting everything on the disk, and a tamper-evident storage of the key which destroys the key when an unauthorized disk content recovery is attempted (eg. the disk/case assembly is being opened, or sequential read is attempted without unlocking the drive).

I suppose there are many more methods available, especially when we use a layered model combining real security measures (where the adversary has a well-equipped lab) with mere obfuscation (where we deal with a mildly bored customs officer).
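The hash-everything-then-compare check from the comment above, as an added example that is not part of the thread: it walks a mounted filesystem, records size and SHA-256 for every regular file (and the target of every symlink), writes the manifest to a plain text file you can keep on a USB stick, and diffs two manifests to list what was added, deleted or modified. The directory tree and the "inspection" that alters it are constructed in a temporary directory so the script runs offline; the mount point `/mnt/laptop` in the comments is hypothetical.

```python
"""Build and diff file-hash manifests (added example, constructed sample tree)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> ("file", size, sha256) or ("symlink", target).

    Symlinks are recorded by target and never followed, so a planted link
    pointing outside the tree shows up as a change rather than a detour.
    Run this from a live CD against e.g. /mnt/laptop (hypothetical mount point).
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = ("symlink", os.readlink(full))
            elif os.path.isfile(full):
                manifest[rel] = ("file", os.path.getsize(full), sha256_file(full))
    return manifest


def write_manifest(manifest, path):
    """One line per entry, path last so it may contain spaces."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write("\t".join(str(x) for x in manifest[rel]) + "\t" + rel + "\n")


def read_manifest(path):
    manifest = {}
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            fields = line.rstrip("\n").split("\t")
            if fields[0] == "file":
                manifest[fields[3]] = ("file", int(fields[1]), fields[2])
            else:
                manifest[fields[2]] = ("symlink", fields[1])
    return manifest


def diff_manifests(before, after):
    """Report paths that appeared, vanished, or whose size/hash/link target changed."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed scenario: snapshot, simulated inspection, second snapshot, diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        sample = {"etc/hosts": b"127.0.0.1 localhost\n", "notes.txt": b"draft\n", "old.log": b"x\n"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = build_manifest(root)
        write_manifest(before, os.path.join(root, "before.tsv"))   # what you'd carry out on the USB stick

        # Simulated tampering during the "one day" the laptop is away.
        with open(os.path.join(root, "etc", "hosts"), "ab") as f:
            f.write(b"10.0.0.1 update-server\n")
        with open(os.path.join(root, "agent.exe"), "wb") as f:
            f.write(b"MZ")
        os.remove(os.path.join(root, "old.log"))

        saved = read_manifest(os.path.join(root, "before.tsv"))
        after = build_manifest(root)
        del after["before.tsv"]            # the manifest itself is not part of the snapshot
        return diff_manifests(saved, after)


if __name__ == "__main__":
    print(demo())
```

This catches changes on disk only; it says nothing about a reflashed BIOS or drive firmware, which is exactly why the comment goes on to talk about boot ROMs. Keep the "before" manifest off the machine, otherwise whoever had the laptop can rewrite it along with the files.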

WD MilnerSeptember 19, 2006 4:54 PM

Or use one of Seagate's new Momentus drives with on-board full drive encryption in hardware. Of course the laptop has to have a Trusted Computing Platform module. Now if you stored a TrueCrypt container on an encrypted drive and ...

EZIGHTJanuary 27, 2007 11:12 PM

Why bother encrypting when you can just leave the hard drive at home and bring your laptop with a SLAX live CD.

Just surf to your server at home or use your personal storage space on an FTP server.

With all the live CDs floating around out there, who really needs a hard drive when traveling about.

If you need a small distro and are limited on memory, just slap in a Damn Small Linux CD.
50 MB of penguin power.

You would be surprised what they put into 50 MB.

Firefox browser
MPlayer (for your MP3s)
calendar
organizer

just about everything 98 had in it.

Puppy Linux is nice too, has a feel of Windows 98/2000.

TJMay 23, 2007 7:16 PM

Ok, so I'm a little on the late side coming to this conversation. Entering Sudan on January 26th for an eight-week stay, I didn't have any problems with the laptop, and none of my colleagues were bothered for laptops or iPods. Could be because our entry permits plainly stated that we were there in a capacity which was totally unrelated to Darfur, and that we were invited by a governmental agency. What I DID have trouble with was the Leica Total Station I was carrying. Customs kept it for a few days until some friends I have in the aforementioned Sudani government agency helped me get it out of hock.

Sudan also has security theaters that they play, and the police presence in Khartoum is overwhelming. Outside of Khartoum is great, at least the Northern State. Wonderful.

Going back to the airport at the end of March was a trip. All of the Americans there were selected for "Random Bag Checks." No one of any other nationality undergoes this; it's at a folding card table just inside the terminal gate (we were leaving through the Hajj Terminal for some reason, the International Terminal may be different). I was carrying three bags, and was asked which one I would like for them to open. Of course I gave them the one which would be easiest to reclose.

I must say that the security screeners I met were much more pleasant, professional and efficient than the ones here in the states, even if they were only there to get back at us for the way we treat Muslims at our airports.

On a side note, the Sahara is very hard on your electronic devices.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..