Crossing Borders with Laptops and PDAs

Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you're entering the country. They can take your computer and download its entire contents, or keep it for several days. Customs and Border Patrol has not published any rules regarding this practice, and I and others have written a letter to Congress urging it to investigate and regulate this practice.

But the US is not alone. British customs agents search laptops for pornography. And there are reports on the internet of this sort of thing happening at other borders, too. You might not like it, but it's a fact. So how do you protect yourself?

Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, won't work here. The border agent is likely to start this whole process with a "please type in your password". Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day.

You're going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key - even if you also encrypt your entire hard drive - and keep your sensitive data there. Lots of programs allow you to do this. I use PGP Disk . TrueCrypt is also good, and free.

While customs agents might poke around on your laptop, they're unlikely to find the encrypted partition. (You can make the icon invisible, for some added protection.) And if they download the contents of your hard drive to examine later, you won't care.

Be sure to choose a strong encryption password. Details are too complicated for a quick tip, but basically anything easy to remember is easy to guess. (My advice is here.) Unfortunately, this isn't a perfect solution. Your computer might have left a copy of the password on the disk somewhere, and (as I also describe at the above link) smart forensic software will find it.

So your best defence is to clean up your laptop. A customs agent can't read what you don't have. You don't need five years' worth of email and client data. You don't need your old love letters and those photos (you know the ones I'm talking about). Delete everything you don't absolutely need. And use a secure file erasure program to do it. While you're at it, delete your browser's cookies, cache and browsing history. It's nobody's business what websites you've visited. And turn your computer off - don't just put it to sleep - before you go through customs; that deletes other things. Think of all this as the last thing to do before you stow your electronic devices for landing. Some companies now give their employees forensically clean laptops for travel, and have them download any sensitive data over a virtual private network once they've entered the country. They send any work back the same way, and delete everything again before crossing the border to go home. This is a good idea if you can do it.

If you can't, consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it's easy to lose something that small. Slip it in your pocket, and it's likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: "I don't know what's on there. My boss told me to give it to the head of the New York office." If you've chosen a strong encryption password, you won't care if he confiscates it.

Lastly, don't forget your phone and PDA. Customs agents can search those too: emails, your phone book, your calendar. Unfortunately, there's nothing you can do here except delete things.

I know this all sounds like work, and that it's easier to just ignore everything here and hope you don't get searched. Today, the odds are in your favour. But new forensic tools are making automatic searches easier and easier, and the recent US court ruling is likely to embolden other countries. It's better to be safe than sorry.

This essay originally appeared in The Guardian.

Some other advice here.

EDITED TO ADD (5/18): Many people have pointed out to me that I advise people to lie to a government agent. That is, of course, illegal in the U.S. and probably most other countries -- and probably not the best advice for me to be on record as giving. So be sure you clear your story first with both your boss and the New York office.

Posted on May 16, 2008 at 6:10 AM • 111 Comments

Comments

Zach BeauvaisMay 16, 2008 6:49 AM

Thanks for the post. Any info on particular apps you'd recommend for encrypting SD cards and more importantly secure erasing?

KeithMay 16, 2008 6:59 AM

@Zach:
Truecrypt is free and easy to use. Even includes Bruce's own Twofish algorithm.

Peter MMay 16, 2008 7:09 AM

Your excellent blog contains more and more entries like this one that show that your country is heading, post after post, privacy privation after privacy privation, towards a dictature. NOTHING can justify the search of a computer's data at the border. Except, may be, state-sponsored industrial spying.

KristineMay 16, 2008 7:19 AM

@Keith: "Even includes Bruce's own Twofish algorithm"

Great. That means it has a backdoor known to The Squids. I don't want some weird sea animal reading my diary, especially after I wrote about the delicious octopus I had for lunch.


Kristine

Thomas WMay 16, 2008 7:52 AM

There is another solution: dont visit these countries. I dont like the idea because that means (for example) no more Defcon, but any solution will not work forever. One day they will find your hidden partition or the stick in your pocket and then they take it (and maybe sell it on eBay).

Greetings from Germany

Thomas

Particular Random GuyMay 16, 2008 7:59 AM

Just a question: Do they have microSD sniffing dogs?

DominicMay 16, 2008 8:01 AM

Question: Now that you..and everybody else on the net today...have posted these wonderful ways to hide information from Big Brother, won't Big Brother now know how to look for this hidden information? Or can we assume DHS doesn't use the net?
The first rule of disk encryption is we don't talk about disk encryption.

jdw242bMay 16, 2008 8:04 AM

our org uses SafeBoot and security HASPs and in some cases the HASP keys are mailed securely to the destination.
In this case, what could the border patrol possibly do, other than keep the laptop, if the user doesn't have the physical means to get the laptop unlocked?

SteveJMay 16, 2008 8:07 AM

@Thomas W:

Trouble with that approach is, if your own country does it then you can't visit any country, because you'll be searched on your way home.

Even worse, aid workers and members of groups like Amnesty regularly find themselves subjected to "extra attention". But if they stopped going to the countries in question, then they've lost their battle. Giving up isn't a good option. Of course they don't need Bruce's general advice via a newspaper article, since they're already doing the kinds of things he suggests.

Another solution is: only ever cross borders illegally in isolated areas in the dead of night. But again the treatment may be worse than the disease ;-)

"One day they will find your hidden partition or the stick in your pocket and then they take it (and maybe sell it on eBay)."

At least don't get your data, so that's not so bad. As long as the data is valueless by the time the encryption algorithms are cracked, it's no loss at all.

RoyMay 16, 2008 8:12 AM

If they take your laptop away for more than a few minutes, assume that they have installed spyware which will start informing on you when you next get online.

Oz OzzieMay 16, 2008 8:14 AM

So how do you know what is and isn't illegal to bring into a given country on your laptop?

RickMay 16, 2008 8:19 AM

I'm fortunate to have a separate laptop just for work that I take along when I travel. My solution to this problem is simply not to keep anything on it that's at all valuable or sensitive. Not only does this give border agents less to go through, it helps mitigate the consequences of a laptop loss or theft as well. Most of the resources I use are available on the network anyway.

pilotaMay 16, 2008 8:21 AM

@ Oz Ozzie

What is or is not illegal: whatever some overpaid, unionized scumbag border guard with far too much power decides.

LeslieMay 16, 2008 8:28 AM

Hmmm ... welcome to America. Bin Ladin is succeeding in taking down the principles on which the USA was founded by turning America into the land of paranoia.

bobMay 16, 2008 8:29 AM

Unfortunately my laptop is hobbled with Vista, so not only is there no way to make it RUN (as opposed to crawl), there is no way to get it to actually turn OFF either (no matter how many times you click something labeled SHUT DOWN); it is perpetually running the battery down in less than 1 week while "OFF" so it has to be keeping something alive.

@Dominic: I am pretty sure the DHS has not yet heard of that newfangled "internet" thing. I am surprised that they have discovered the invention of the jet engine. And of course they discount all rumors of a "constitution"; or are at least unconvinced of its applicability to them.

Carlo GrazianiMay 16, 2008 8:54 AM

Bruce, are there practical disk steganography tools available?

SejanusMay 16, 2008 8:57 AM

@Dominic:

If they don't see (hidden) disc, is that because there is no hidden disk, or is that because the disk is, well, hidden? If they don't see the second hidden disk, is that because...? ...don't see n'th hidden disk, is that because...?

See, information about _possibility_ of hidding doesn't help much.

EricMay 16, 2008 9:00 AM

How about putting your encrypted data on your digital camera's flash card? If it's out of the photos directory, the camera won't show that it's there, and it won't get in the way of the camera taking/viewing pictures.

bobMay 16, 2008 9:04 AM

So is pornography illegal in the UK? How about other forms of free speech, are they banned also?

Or is it, similar to Neuschwanstein prohibiting photography or ballparks prohibiting you from bringing alcohol in, that they just want you to buy domestically produced porn?

KnoNothMay 16, 2008 9:19 AM

Bruce, what is your personal opinion about that? Will that move help to stop anybody, who is not complete idiot?
I mean, it will not stop anything, except maybe some very low level criminals( who bring maybe porn or something like that accidentally to the USA ). So is it another security theatre episode or is there at least some point behind it?

Tom DavisMay 16, 2008 9:20 AM

Certainly the ninth court decision doesn't give authority per se to access VPNs. Nevertheless if the border guards copy your disk and memory, they will have access to it later. So any keys or certificates on disk used to connect to a VPN or an ssh tunnel should probably be activated (eg added to the hosts ssh's authorized_keys file) only after you get to your destination and more importantly deactivated (eg removed from authorized_keys) before crossing any borders.

This obviously requires some assistance from IT or perhaps an automated script on your host activated by something secure (like logging on to an https web site on the host).

FPMay 16, 2008 9:26 AM

My favorite storage device is my iPod. It doesn't care about the presence of any files that I put outside of its own directory tree. Eric already made a very similar suggestion above.

The presumption for all this is that the border searches are unreasonable, based on a belief that the government is exercising authority that it should not have. Besides trying to sneak around the issue, this is a political issue that needs to be brought in the open and resolved. I'm glad that the EFF and others are starting to fight on that front.

The government's argument can easily be extended to all data traffic that comes in and out of the country. The NSA is probably listening and sniffing to all cross-border traffic anyway, but you can imagine the US and other countries arguing that customs should also have the ability to monitor all traffic without reasonable cause. "If we can inspect every cargo container, then we should be able to inspect every IP packet crossing our border also." This can't be too far off, I'm afraid.

HarryMay 16, 2008 9:30 AM

@Dominic: the reason that articles pointing out these protections won't make the protections obsolete is that overcoming the protections takes specific computer skills and immediate access to good tools as well.

Anderer GregorMay 16, 2008 9:31 AM

Isn't it sad that we have to treat our own customs officers, or those of our host country, as malicious opponents these days? Shouldn't it be their job to protect us?

RalphMay 16, 2008 9:33 AM

@Peter M: It's not only the US, I'm afraid. Anyway, I'm looking forward to ANY software that provides FDE for the Mac!

aikimarkMay 16, 2008 9:37 AM

hmmmm....maybe it's time to get creative. Let's create a laptop 'battery' enclosure that is also a storage device, or can just house a storage device. You can carry a spare battery without raising suspicion.

JenEriCMay 16, 2008 9:39 AM

Another version of having a USB key with the sensitive data; have two hard drives. One you use and heavily encrypt and put away in your checked-in luggage (and have a backup of), and one small with nothing interesting on sitting in the laptop while passing the border.

RSaundersMay 16, 2008 9:40 AM

I'm not sure I agree with "Delete everything you don't absolutely need."

I prefer their work-factor to be as high as possible. I have Truecrypt archives of Crypto-Gram, and the Rand Million Digits encrypted with a dozen different programs, and I don't even keep all the programs on my laptop. I give out passwords to these items like candy, I even have a separate PasswordSafe full of them. When I finish a project, I always add it to by big hidden drive of hard to understand C++ programs.

No data has to look suspicious, the more you dig into my laptop the more convinced you are that I'm just what I say I am. It would take decades to find a stray tree, because I present a large forest to search.

Ed AbbyMay 16, 2008 9:46 AM

My travel laptop now consists of an old 550mhz machine that I've installed Windows 98 on. Then I left it connected to my router for two weeks.

If the border guards want a copy of that, they can have it.

Oh...and I have a VMware ACE keyfob in my pocket if I need to get some work done.

KaukomieliMay 16, 2008 9:47 AM

Our policy on this is handing out clean, locked down Laptops with GPRS-cards and have people dial in via VPN and work in Terminal Sessions.
This way the Laptop in Question can be stolen, lost or searched without compromising our data.

CharlesMay 16, 2008 9:49 AM

and how long beforE we are all iN franCe? Has anyone actually been pRosecuted for entering france with encrYpted data, or has that droPped off The radar? maybE the french fixeD it, only for the brits to criminalise refusing to Decrypt data the government thinks is encrypted. mAybe the way round This is to put encrypted junk everywhere until the UK and USA stop their crusade against privAcy.

Nomen PublicusMay 16, 2008 9:50 AM

The obvious solution is don't put sensitive data on your portable computer in the first place.

Buy a very cheap laptop and run a thin client package. Then when you need to access information, connect to a base unit at home over an SSL connection.

You can buy such setups ready to use rather than build your own - google is your friend.

Gone but not forgottenMay 16, 2008 9:51 AM

To Anonymous:

"The best way to deal with shit brained border guards is to wait for when they leave work and put a bullet in their head!"


I think the St. Paul police department would like to speak with you...

http://www.spotlightoncrime.org/...

khopeshMay 16, 2008 10:17 AM

You want 2+ encrypted filesystems. One stores your operating system and everything else that you don't really care about (but contains too much information to keep track of and clean), and one or more that stores your sensitive data. Separately encrypted areas would help ensure content revealed by a compromised system is limited to the data in that area rather than everything at once. For added benefit, make sure your decrypted mountings and passwords all time out.

In addition to your encrypted filesystems, you should have a dual-boot setup and a vanilla (un-encrypted) OS for show. You can start up this alternate system and demonstrate that you have a clean system (you can explain its emptiness by saying you just bought it used for a great price). Since the clean system doesn't mount your encrypted filesystems, they aren't apparent. If they copy your disk, they will hopefully get stuck on the encryption. Your boot loader should hide the menu and auto-boot into the dummy system. The menu should say something like "test" or "backup" for your real entry. If you want to be clever, the real system should appear to throw an error on boot that is really just prompting for a pass phrase.

Server-based models help a lot here, too. Put sensitive data under physical lock-and-key on a remote server and access it with encryption over the internet from any system that might be stolen or seized. Encryption should be in the form of a PGP or SSH key stored on an SD card in your camera or pocket. If they confiscate or copy the item holding your key, revoke it as soon as you can and get a new one. I'd love to see a personal web proxy that I could throw on my secure server that manages my passwords and client-side SSL certs for me.

Where should we donate money in support of fighting this? EFF? ACLU? FSF? The Obama campaign?

MichaelMay 16, 2008 10:19 AM

Or use a second clean installation of your operation system of choice which you use, when you are traveling. The other one stays at a secure place.

bobMay 16, 2008 10:49 AM

How about if you just delete all your files before you get on the plane, then restore them after you get to your destination?

@khopesh: I would be thrilled shitless at the prospect of a presidential candidate who was going to revitalize the constitution, but so far I have seen nothing that indicates ANY of the 3 current frontrunners will do anything to make the government smaller/limit its power/return liberties. The only choice in governmental anal intrusion seems to be add bloat/power to the welfare side from the left or military-industrial complex from the right.

Libertarian would be what you are looking for however that seems to be a systemic impossibility in the US cause the one way to get the left and the right to come together in a consensus is to suggest they share power with the little people (rank and file ordinary citizens, not leprechauns).

Peter BuchyMay 16, 2008 10:59 AM

I e-mailed this in, and was asked to post, and I'm not afraid of having my identity known, and I also hate stupid judges who violate the 4th Amendment. So, here's what I've got:

If you're willing to sacrifice a bit of your drive, I have a recommendation.

1. Set up a Windows partition to load, and either encrypt the rest of the disk or use a formatting system Windows can't even recognise.

2. Use a USB flash drive to boot your disk for the other partition.

When you show up at customs, go ahead, boot up the machine. They'll poke through the Windows partition and blah, they won't find anything. When you want to use the laptop for your own stuff, pull out the USB drive.

Especially with an encrypted partition, having to have two items to boot the machine, really makes it more fun. Unless I'm mistaken, by not having a password on the machine for the capability of cracking the encryption, it gets much harder for someone stealing a laptop to benefit from any sensitive data you have.

Peter N BiddleMay 16, 2008 11:16 AM

People I know in the intelligence community have said that they won't even power on a laptop that has been taken away for inspection at the border. They just destroy them.

I use BitLocker with 2-factor authentication (TPM+PIN) and Mozy backup runs everytime the PC sits idle. My laptop is insured through my corporation, and having run one restore from Mozy I can say that the experience is a delight. So losing the laptop isn't really catastrophic - it's a drag, of course. But not horrifying.

Note that some govts are supportive of industrial espionage, so there's no way to know if data they get won't wind up being handed to a domestic competitor.

Mcuh Ado About NOthingMay 16, 2008 11:31 AM

I am constantly amazed at how people seem to thinjk that just because something is on a laptop or PDA that it carries some form of special privileges.

Border agents already have authority to search your luggage, possesions, etc., for contraband (including porn). So unless one has diplomatic immunity, how is searching the contents of one's laptop or PDA any different than searching the contents of luggage or briefcases?.

ANd the arguement that the PDA or laptop is an extension of your personal identity because you keep personal items, ideas, etc. on them is bogus. If that arguement had any teeth, then someone would have used it in regards to searches of paper documents ages ago...

AliceMay 16, 2008 11:38 AM

How the Hell do you know about those pictures Bruce? Did Bob show them to you? He said he would keep them secret. I knew I couldn't trust him!

Daniel PawtowskiMay 16, 2008 11:44 AM

@McuhAdo:
OK, so Customs can look through the papers in your briefcase. Do they also have the right to make photocopies of everything in there?

killickMay 16, 2008 12:15 PM

I don't think porn is the problem. I think the problem is child pornography, which is illegal in US. Dunno about anywhere else.

Stephen SmoogenMay 16, 2008 12:18 PM

1) The right of privacy ends at pretty much any country border not just the US. There are legitimate reasons for it but a lot of abuses of that. This is part and parcel of most nations in the act of defending against large damage/small sized threats... but has been pretty much the state of things since the beginning of nations.

2) In the US and most countries, the border agents may not just be at the border. The US Border patrol will put up 'ports of entry' anywhere in the country (the same in many European countries also) to check that people are legally inside the country. There have been several stories of people who crossed over from Canada and then found themselves detained in South Dakota because they didn't have their IDs with them. This happens on the north side of the border too. I expect that laptops will be checked at such interior ports of entry also.

R. S. BuchananMay 16, 2008 12:21 PM

I take a slightly different approach to this: when traveling abroad, I take my work laptop (which is pristine, even WRT trade secrets, which live on the corporate VPN anyway), and for any non-work anything I reboot from a Ubuntu live CD so that I'm essentially using a throw-away box that isn't writing anything to the hard drive. Border guards can snoop all they want on my hard drive or the live CD and they won't come up with much.

As for paper documents, I still have yet to have anything I snail-mail to myself opened (or if it has been, they've done a bang up job of resealing the parcel). I suspect one could still do likewise with electronic media, but IANAL.

w23May 16, 2008 12:22 PM

I wonder what would they do if they encounter highly customized Linux (probably with some "weird"-looking wm, like wmii/dwm/ion3/xmonad/whatever) with several (onion) layers of encrypted partitions in areas of seemingly free space.

1915bondMay 16, 2008 12:26 PM

RE: SSL Secure?

See Palo Alto Networks' PA-4000 Series Firewall - Identifies and decrypts applications that use SSL, enabling policy-based visibility into and control over the ever increasing amounts of SSL traffic. (The CIA is a current customer using their firewall just for this purpose).

http://www.paloaltonetworks.com/products/...

jeffnoonMay 16, 2008 12:35 PM

> They can take your computer and download its entire contents, or keep it for several days.

I'm interested in how is this not theft? Particularly if there is no guidance as to how long they might be keeping it.

If all your data is in on an iso image and conforms to the DVD specification can you prevent them from copying the data due to copyright infringment and refuse to grant a license?

Peter BuchyMay 16, 2008 12:46 PM

Holding to the view that searching through information would be valid would basically make it that any data connection to a location outside the U.S., the government has the right to snoop on and police. However, it has been ruled that between two U.S. citizens, the government does not have the right to do so without warrant.

Verifying citizenship and the right to be in the country does not give border agents the right to inspect non-citizens property unless the non-citizen is already in violation of the law, expired visa, etc.

While power has been granted to Congress to make laws regarding commerce, private data stored on a laptop is not necessarily being used for commerce. Without proof that something in personal possession is going to be used for sale and/or proof that the item is not property already acquired in the United States, there is no basis for Customs and commerce interest.

Carlo GrazianiMay 16, 2008 1:16 PM

@1915bond:

I went to that link, and even downloaded their product datasheet, and I still have no idea what their alleged on-the-fly ssl decryption is about. Are they setting their box up for automated man-in-the-middle? If so, what about SSL PKI, do they just rely on people ignoring browser warnings about forged certificates? Or do they have a secret method of factoring products of large prime numbers?

Given their failure to document a claim that, if true, would appear undermine the technical basis for secure web commerce, I'd have to say they are probably pulling a fast one here.

Joe GrecoMay 16, 2008 1:42 PM

Bruce asked me to post the e-mail I sent him. This is a slightly longer version.

Bruce suggests that "Some companies now give their employees forensically clean laptops for travel", but this is a bit of a glossing over of an excellent strategy for dealing with laptops (and even desktops?) in general.

Given all the insane stupidity we've all seen with laptop thefts where hard drives contained "confidential" data, plus the tendency of employees to decide that it's fine to load extra crud onto a laptop, we still found that we had to maintain a small number of laptops for remote computing purposes (largely e-mail / web), and I found myself dreading that. So the laptop policy got thought through with a mind towards loss...

Using an automatic installation system (we opted for the open source "Unattended" package), we've built a system that can netboot a laptop, and it wipes the disk, formats, loads XP, installs TrueCrypt w/ tcgina, and all the other stuff needed. I haven't quite figured out how to automate installation of Windows SteadyState just yet, but basically the idea is that you can plug in, netboot, and have a clean computer, all patched up to the very latest revisions of everything. Pretty hard to stick extra crud on it, and the laptop defends itself pretty well.

Quite frankly, we didn't do this for international travel purposes. It's more of a standardization and administrative thing (I'm an old time UNIX guy and we've done scripted UNIX server installs for many years). It has many advantages, and minimizes the risk levels associated with the loss of a laptop - or any data inadvertently contained on it.

Other techniques, such as retaining a Ghost- or other disk-image of the originally installed drive, also allows you some flexibility, but the capability to just twiddle a few bits and have everything freshly installed with the latest up-to-date goods is amazing. I just integrated and loaded XP SP3 this morning for the first time...

Scripted Install Benefits:

We can lose a laptop without too much concern (any critical data is encrypted).

We can reload a laptop with latest software by spending a minute during the initial boot to have it netboot, then it takes maybe an hour to load itself. All software packages are brought up to date. A side effect, it discourages keeping inappropriate data locally, by destroying it.

Anyone cloning the drive gets to see a nice clean XP install. The NSA might actually be able to break TrueCrypt and see the boring e-mail and web browser cache stored on the TrueCrypt drive.

A replacement laptop is easily provisioned. It will look pretty much just like the last one.

Worried about coming back into the US? DBAN your drive before coming back in. It's not a problem, you'll just reload it when you return home. Obviously assumes you don't need the laptop in the meantime.

So, while it is definitely worth thinking about "what do I store on my laptop," it is also worth giving some thought to the process used to generate that laptop OS image in the first place.

sooth_sayerMay 16, 2008 1:48 PM

And don't forget to carry your tin-foil hat; it's almost necessary while reading this blog these days ..

Come On .. is it really this bad .. I have entered country numerous times with a laptop .. and yes I could look suspicious; but no one has ever bothered me .. oh except in 1982 when some Italians in Milan surrounded me as I got off the plane. They were sure they were making a major drug bust .. there were at least 30 of them .. and me all alone ..what a pity that I disappointed them hugely.

Anon for nowMay 16, 2008 1:48 PM

@1915bond:

I echo Carlo's questioning. The network manager at my place of work has been touting 'one of two firewalls in the world that can decrypt SSL'.

I'm waiting for the Russian mafia to buy the third.

Maybe Bruce can use his celebrity status to get some answers :-)

ZGMay 16, 2008 1:49 PM

Here is an obvious solution ... don't go to the US. Thats what a lot of us Canadian types are doing more and more (or should I say less and less) of each day.

Its just not worth the hassle.

SanjuroMay 16, 2008 1:54 PM

I agree with and support the need for laptop security via HD encryption and other means. However, if you just want to avoid border guard hassle why not just box up your laptop and send it to your destination via Fedex or UPS? I realize there is some risk with this method and it is not practical or appropriate in all circumstances but in situations that don't require "five 9's" of security this would seem a practical solution.

SteveMay 16, 2008 2:04 PM

I'm with Bruce all the way except for the part about saying "I don't know what's on there. My boss told me to give it to the head of the New York office" unless that's actually true.

Telling lies to the ICE is probably not the brightest thing to do.

#ZGMay 16, 2008 2:08 PM

What do you do about Canadian Customs wanting to search everything when you return to Canada from wherever else you've been? US Customs aren't the only ones doing this.

MarcosMay 16, 2008 2:24 PM

@Keith: "Truecrypt is free and easy to use. Even includes Bruce's own Twofish algorithm."

Yeah, but the officers can still force you to deliver your passwords, until they are convinced you don't have any other one.

@Dominic: "Question: Now that you..and everybody else on the net today...have posted these wonderful ways to hide information from Big Brother, won't Big Brother now know how to look for this hidden information?"

Real security works on the clear. If you carry no important data at your laptop Big Brother won't know how to get it, even if they know every step you took to clean the data.

@khopesh: "In addition to your encrypted filesystems, you should have a dual-boot setup and a vanilla (un-encrypted) OS for show. You can start up this alternate system and demonstrate that you have a clean system (you can explain its emptiness by saying you just bought it used for a great price)."

That is cool. You can have a perfectly working (not empty) and only system, except that when your memory card is plugged it uses the card's documents, instead of the HD's ones. I guess that would also be possible to discover, but you'd disapear between the Average Joes. The memory card could also be a cache of a sshfs mount for extra flexibility :)

AgitMay 16, 2008 2:49 PM

@pilota
You can thank those "unionized scumbags" for the fact the you have an 8 hour workday, paid time off, and sick time.

Oh, and for workplace safety guidelines, and lunch breaks, I could go on for hours about what "unionized scumbags" have done for your work life.

John HarroldMay 16, 2008 2:53 PM

I was wondering if anyone would comment on Apple's encrypted disk images that any user can created using the disk utility that comes with OS X.

I use gnupg and vim for encrypting text files with website passwords and financial information.

But for large less important things, I stick thoes in an encrypted disk image. Apple uses 256 bit AES encryption. This is simply more convenient.

Much Ado About NothingMay 16, 2008 3:06 PM

@Daniel Pawtowski
Most likely they do if it is for potential evidentiary purposes. They also have the authority to confiscate them. Which - again - is no different than what they are doing with the laptops and PDAs, etc.

Get over it people - laptops et al are merely another storage medium, not a special privileged sanctuary.

Dave BerryMay 16, 2008 3:22 PM

Presumably one should start with a risk analysis and a threat analysis. Risk: Do you have any information on your laptop that is valuable to anyone else, or illegal in the country you are going to? (Personally, I don't think I do).

Threat: What makes you so important that the border guards will pick on you? What percentage of people are searched in this way? Is there any evidence that the border guards misuse any data they check while searching for illegal material?

Then ask whether the combination of risk and threat is severe enough to warrant the time and effort spent hiding your data. Also, is there any risk from doing so - e.g. will the guards be more suspicious and so more likely to impound your laptop (or even hold you up)?

Isn't the larger threat more likely to be the possibility of losing your laptop or having it stolen? Perhaps you should guard against that threat first. (The solution may well be similar).

BolMay 16, 2008 3:34 PM

When travelling with some sensitive data, I frequently use the keyfile feature of TrueCrypt. Usually the volume is protected by a password (which I know) as well as a keyfile, which I can get remotely from company server via VPN. During the actual travel, in the courier mode, the keyfile is deleted (by means of SysInternals' utils). Also, I keep various certificates, VPN and SSH keys and the like stored in another TrueCrypt volume, this one protected only by password.
Another funny trick is to have (in TrueCrypt terminology) an outer volume protected by some password. Then have a hidden volume encrypted by this very same password plus a keyfile... "Honestly, officer, I swear I have given you the correct password! Don't you see it mounts a volume full of innocent data?"

khopeshMay 16, 2008 4:53 PM

RE: SSL Secure?

@1915bond: I agree with Carlo Graziani; the only way that that Palo Alto device could work would be to launch a man-in-the-middle attack. So by "decrypt" they actually mean "phish" or "socially engineer" (though I'm bending those terms a bit).

Bottom line: Don't accept certificates that aren't signed by trusted/verified authorities, and check your URLs. I summed this up pretty well in a slashdot comment aimed at dispelling the idea of TOR's usefulness w.r.t. security, http://slashdot.org/comments.pl?...

New and upcoming browsers will be better at fighting SSL forgeries, but we still have a lot of ground to cover.

Christopher SoghoianMay 16, 2008 6:07 PM

In your article, you advise people to encrypt their data, and
place it on a portable US key. You stated, " If someone does discover
it, you can try saying: "I don't know what's on there. My boss told me
to give it to the head of the New York office."

So essentially, what you are advising here, is that people lie to a US
customs agent. This is a felony.
http://library.findlaw.com/2004/May/11/...


Title 18, United States Code, Section 1001 makes it a crime to: 1)
knowingly and willfully; 2) make any materially false, fictitious or
fraudulent statement or representation; 3) in any matter within the
jurisdiction of the executive, legislative or judicial branch of the
United States.

Bruce - you should not be advising people to do this. You have the right to remain silent, but you do not have the right to lie.

The best thing you can do, is to not have any data on you (encrypted or not encrypted), that way, you cannot be put into a situation where you have to lie.

DanMay 16, 2008 7:08 PM

I'm not going to take the time to read 61 comments, so if this a duplicate, please feel free to delete.

IT IS VERY VERY SIMPLE TO BYPASS THIS MESS.

Put a remote control app on a write-protected USB stick, go to ANY Internet connected computer and remotely control yours.

Done deal. No traveling data.

AnonymousMay 16, 2008 7:32 PM

I use all the following to scrub my laptop, every day, at the end of every single browsing session.

Evidence Eliminator (fee/licensed)
EasyCleaner (Free)
PurgeIE (fee/licensed)
PurgeFox (fee/licensed)
CCleaner (Free)

I also clear all Alerts & Logs on my firewall.

Followup with Unlocker to free those pesky items Microsoft does not want you to erase; Index.Dat, *.ie5, *.tmp files and a few others.

Note: you must screen your documents and settings files to ensure you include anything not normally cleaned by these utilities and custom add items, files, and folders that are missed.

Yes, I travel, Yes, this works well for me.

Doug CoulterMay 16, 2008 7:33 PM

@PeterM

Yup, that's the distressing thing indeed, having once been the subject of extreme government scrutiny myself. I do some chemistry for a hobby, am rich, and therefore must have been cooking meth! Even though I was making serious bucks consulting, far more than I ever could have through that illegal path.
Legal seemed less hassle, and hang out with a superior crowd as well. And the problems are more fun too.

I am upset at these developments. And, with some expensive legal experience (they don't pay for your lawyer if found innocent, you know, or, as in my case, they simply changed their minds and dropped the whole thing) I'd say that virtually all of the above approaches utterly miss the point. The mere presence of encrypted data (perhaps just "encrypted" by being in some Linux format, rather than windows) is itself evidence of criminality in their minds. I found firsthand just how ignorant they can be, and I didn't like it one bit -- nor did my also completely innocent employees who got pushed into the mud face down and handcuffed. I did turn it into some consulting income, so a few of them are a little less ignorant now, but I doubt it had much overall effect. The government is BIG.

And, had they even done minimal homework, they'd have found I used to work for "an agency of the government" myself and held one of the highest security clearances possible -- I'm one of the good guys! They of course did do this homework later when forced to by my legal team, and did apologize after a year's worth of legal threats hanging over my head, and all the hassles of multiple court appearances, evidently just to harass me and waste my time -- the ridiculous case never went to actual judgment. Which in turn cost me many billable hours of consulting time. So in effect, I paid double lawyers fees.

They apparently equate ability to do something with the intent to do the worst possible thing with that ability, and it sells well in court. It just wasn't the case here, but I paid a high price anyway.

Now, who is to say that once they have your stuff, they can't just put whatever they want to on it (maybe even by accident, they're not real competent) and convict you for that if they want to for some reason? They allow ridiculous evidence chains in court still, with auditing that is a joke, and with audio edit tools I wrote myself, I could make anyone say anything in their own words so well God himself couldn't tell it wasn't real -- and I've seen the FBI's forensic labs, I fixed their DEC computers in the '70s -- they stink, even for the time, and at least at the time had no one to dust off the voiceprint machines, let alone know how to use them. I suspect video can be done in the same way, just a little more computing needed. And DNA, don't make me laugh.

Where are we heading? Seems the real terrorism and security threats to every individual I know are not from outside, but from our own officials. We've somehow let the fox be the guard for the henhouse.

And if you think it isn't terror to have guys in black camo bust through the door and point machine guns at you, manhandle you, refuse to ID themselves, and charge you with a bunch of fake felonies -- I'd suggest the experience as a real eye opener. Just don't make any sudden moves when it happens to you -- those guns were loaded, and they were acting like THEY were on meth. Very, very scary.

So, who do I vote for to get rid of this junk? Both parties seem to like the increased power this security theater conveys on them, so what choice do I have? Here's a soapbox, the ballot box doesn't work -- by design -- where's that other box? And it wouldn't be any use anyway. Never thought I'd ever have to say that in my lifetime.

And probably shouldn't use my right name, but heck, there's something to standing up to be counted.
Honor is the only thing worth having at the end of the day.

aikimarkMay 16, 2008 9:44 PM

@Christopher Soghoian

If you have not looked at the encrypted bytes, then you are not lying if you were to use the Bruce-suggested "I don't know what's on there." statement.

Depending on the encryption software, you might also be accurate in quoting the definition of an encrypted area as being indistinguishable from the random byte pattern created by wipe/clean utilities..."Should be random bytes, like you'd expect to see after wiping a hard drive."

If you want to be super-accurate in your statements, you could actually run a wipe utility against the drive.

Lawrence D'OliveiroMay 17, 2008 12:17 AM

Re the Palo Alto networks thing--could they have access to a "friendly" (i.e. compromised) root CA? So any SSL cert that comes past, they can simply fake their own version, with the exact same identification info but their own private key, before passing it on to your browser, which will happily accept it.

ThoughtlessMay 17, 2008 6:34 AM

Quick question. Can't you get busted for exporting U.S. made encryption technologies into other countries? For example, carrying algorithms on a laptop out of the U.S.. I'm not asking about the data, just the algorithms.Would that be an immediate felony unless you decided to cooperate?

evraeMay 17, 2008 3:53 PM

How about installing a computer game with large image archives, and renaming your encrypted files to look similar to the resource archives of the game. Without extensive analysis nobody will know the difference, and they won't look suspicious. You can't be expected to be able to open the archive because it is proprietrary.

Alternatively you could encrypt two documents into the same file, with two differing passwords. One innocuous, one sensitive. When asked for your password you give the appropriate one. If asked about the large size explain it away as random padding.

The best type of encryption is one that nobody knows exists.

crysazMay 17, 2008 6:03 PM

Let's turn this situation upside down. Upload your laptop with most grousiest porn you can think of, still leagal, and let your self to be searched.

At least then you can hand it out with nice smile :)

MikaelMay 18, 2008 4:11 AM

@Christopher Soghoian

First rule of citizenship is to always lie to the authorities. They are the enemy of the citizens and you should always lie to the enemy.

steelneckMay 18, 2008 6:13 AM

@Mikael:
Yea, that is exactly the doctrine Bush and his junta are living and ruling by, but since they are "the ruling class" their first rule is to always lie to citizens. The doctrine can be described as straussism.

frankieMay 18, 2008 9:18 AM

RE: SSL Secure?

The comments here made me very curious, so I checked out Palo Alto Networks' site. Quoting from page 5 of
http://www.paloaltonetworks.com/literature/...

"Forward proxy: Inserts a proxy into an “outbound” connection where an internal user is connecting to a server, ie. an employee establishing a connection to https://www.wellsfargo.com or an Intranet server. The SSL decryption engine responds to the client as if it was the server and initiates a connection to the server as if it were the client. In responding to the client, an SSL certificate is dynamically created to match the destination server. This certificate will be signed by a root certificate on the forward proxy. To keep the client browser from seeing a certificate error, the root public certificate should be loaded on the client’s browser."

So, I see no trace of mystery or snake oil: while it's obviously a MITM technique, it's not trasparent at all. Which is consistent with how this product is marketed, i.e. not a hacking tool but an infrastructure component for the protection of companies' information assets.

On opening outbound SSL connections, users of a network where such equipment is installed will see a warning from their client application (browser, OpenVPN, whatever) unless it has been configured to accept a new CA by the users themselves or by their System/Network Administrator (side note: at least here in Italy, thanks to the Unions, employees must be informed if their communications' content may ever be subject to monitoring by the employer).

Clive RobinsonMay 18, 2008 10:07 AM

First off why oh why in this day and age are people wandering around with sensitive data on items that "crack heads" think will by them there next pipe refill? (Accept the fact your worst enemy will have it stolen from you for a small price).

Secondly why oh why do people insist on using an OS from MS for doing anything sensitive on? (Accept the fact that all MS OSs spray confidential information like a fine mist all over your hard disk as will most other OSs and that MS give the tools to find it to their favourd friends).

Thirdly why oh why do you need to carry sensitive information with you? (Accept the fact that if it's on you then not only can it be taken from you then it will be for the right price).

Forthly why oh why do people travel to meet other people? (Accept the fact that apart from tradition it's usually a very great waste of your and their time and money).

With thought and a little care most of these become irrelevant points.

If you realy must wear large carbon boots and stamp your way to the four corners of the earth and have an absolute imperative need to have sensitive data with you when you meet folks then ask yourself what the real cost of losing it (and potentialy you freedom as well) is to you?

Then ask what the cost is of not having sensitive data or laptops etc with you when you are actually traveling (as oposed to being at the destination) ?

As noted above it is not difficult to design a CD or DVD with the appropriate tools to either set up any PC or laptop with "your environment" on it (but no sensitive data) on it or as a diskless client. Further buying, renting or borowing a laptop or PC is not that difficult in most parts of the world the majority are likley to travel on business to. Also you have no need to actually carry the CD or DVD you can just leave an iso up on the web and blow it on to media when you arive...

Finaly as for the "key file" required for access to a VPN or other secured network. Is it to hard to encrypt the file with two one time pads?

You send one pad to the person you are going to see via Fedex or SnailMail or EMail, the other gets posted to some user group or other random place on the internet (a throw away WebMail account for instance).

The "Key file" only gets encrypted and sent to you by one of your colleages after you arive at a known location and have told (proved to) them you are safe and secure.

When you walk through the "black glove and torch" post at the arival airport etc you are clean (no PC, laptop or USB key or anything else). The only thing they can do is "rubber hose" you but that is a waste of time as your work colleague has not made the "key file" encrypted it or sent it to you.

If you are realy paranoid you can use a chosen phrase to your work colleague where if you use the wrong word or don't say it then they encrypt up a bogus key file that gets access only to a dummy account.

Also if you are realy paranoid you could have two or more OTP files tucked away on the internet. One gives you the real account the other gives you a bogus account.

The simple fact is that with a little thought you can easily bypass this sort of idiotic boarder security with little or no difficulty.

But my main point is still why bother puting yourself at risk in the first place. Stay at home and be more productive oh and make it a marketing pluss point as you will be in vogue by being nice to the planet as "green is this years black" ;)

Roger DaltreyMay 18, 2008 2:57 PM

Seriously? I think you were accosted at customs and scanned for child porn one time, probably because you resemble Pete Townsend. It doesnt happen anywhere near as seriously as you say, and its never happened to me either, even though I look like a terrorist.

mooMay 18, 2008 3:15 PM

Canadian customs has never hassled me as I returned home from vacation, or whatever. I don't travel much (maybe once a year) so I'm not a statistically significant case.

I did stop travelling to the U.S. shortly after the Patriot Act was passed, though. It has been interesting (and annoying) to watch the U.S. quickly and quietly descend towards fascism, while the population remains largely oblivious to it. I once wanted to work in your country, but I have no interest in setting foot in the U.S. anymore. Not until you get some regime change and repeal some of the more grotesque laws that have been passed there in the past 8 years.

Robert AccetturaMay 18, 2008 4:38 PM

Many people have pointed out to me that I advise people to lie to a government agent. That is, of course, illegal in the U.S. and probably most other countries -- and probably not the best advice for me to be on record as giving. So be sure you clear your story first with both your boss and the New York office.

Lying may be, but you can always remain silent and play stupid.

Besides... couldn't one argue on the same level that encryption for the purpose of crossing the border is nothing more than obstructing justice?

#386287462May 18, 2008 8:00 PM

Am I missing something here or does this American policy look more and more like the Nazi stuff? Do you still remember when the US fought against these bastards?... Yeah, I know, times change, people change...

Anyway, the way I see it, there's only one good thing that will eventually come out of this: as corporations and governments are not willing to let some wannabe-dictator-government get their hand on important information, there will be an enforcement in real security mechanisms to protect it. That's the funny part of this story, I mean, as encryption mechs like TrueCrypt start to be used, security will actually get better. At least in the long run...

Brian GreerMay 18, 2008 8:21 PM

Great advice, whether it is all "legal" or not. When confronted with bad law, you sometimes have to resort to a brand of "civil disobedience."

It is rather unfortunate that the government has put itself above the individuals that actually power this country. When I really look at the facts, I don't find these new privacy invasions to truly be about protecting society. I see them to be primarily about protecting the government. Personally, I'd rather live with the specter of terrorism than a never-ending erosion of our rights and liberties.

BillMay 19, 2008 4:30 AM

How many people cross the border per day - if we esitmate a conservative number of 1000 and everyone of them brings a laptop and then everyone of them refuses to disclose the password, how long before the Border Patrol (sounds like something from a bad film) goes into meltdown?

AndrewMay 19, 2008 7:45 AM

Re MITM SSL watching,

This can be done for outbound proxies of an organisation quite easily. Using a domain integrated root cert (added to all images as part of the domain config) the appliance requests the site cert in real time. It then shows as valid to the end user, although the chain goes down to the corp root rather than verisign etc.

Andrew

Winston SmithMay 19, 2008 11:14 AM

You thought criminals. How dare you try to hide information from the caring government you elected. It's for the children. Freedom is slavery.

ogieMay 19, 2008 1:15 PM

Right before i traveled to the UK a few weeks ago i read about customs checking laptop data. And i came up with a simple plan for hiding my data, i took all my docs and pics and put them on my mp3 player. Buried them deep in a folder containing beatles albums. when i went through customs, they looked at my laptop and found nothing, then they checked my mp3 player. The agent scrolled through a few folders in looking at what i had on there and then gave me it back without copying any data.

Jed kept his family fedMay 20, 2008 1:12 AM

In my opinion, the only way we'll ever see Microsoft "come clean" is if the DOJ ever gets some real balls and decides to go after it with a real punishment for its monopoly, which continues today on desktops, and seeking to start on the web again with Silverblight (Silverlight), just google for LOC and the deal with Microsoft which happened within the past few months. IMO it's the same as Microsoft Windows in libraries and classrooms, once you get the people hooked with something they feel that they "need", in this case more Microsoft shitware, people perpetuate the lock-in cycle. Look at how you feel you *need* DirectX? This is another artificially created need by Microsoft.

It should be argued, at least for PC gaming, they have a monopoly on the desktop with gaming, as most people need to use DirectX properly in order for the games to work. Sure Wine, Cedega, and other projects are making some progress and some games may work, and believe me I try every few weeks to see how it is coming along, but again Microsoft still continues its dirty deeds. They lie about Linux and Windows interoperability, "They said it couldn't be done!" Novell agreement bullshit just like the Corel agreement in 2000 or 2001, where Corel Linux was promptly spun off and money/support from Corel to Wine apparantly dried up. Time and time again they come in and either buy out or pollute the environment with thier proprietary crap, and we read another dismal Microsoft article after article every few weeks or more.

If Microsoft is so devoted to bringing Linux and Windows together, I don't see anything on their vast labrynth of shit at Microsoft.com indicating this. Where is the repository of interoperability Linux and Windows software on Microsoft.com? Oh, but you can still get their bullshit "Facts" on Windows and Linux, and that's about it. At least Google has a repository you can add to your Linux install for software from them. In my opinion, don't think Moonlight ("Ever danced with the devil in the pale moonlight? I ask that of all my friends") will last much longer or work well for Linux users should Silverblight (Silverlight) suddenly become popular through payoffs and slight of hand corporate tricks.

If you ever want to have Microsoft come clean, no, I don't believe it would ever happen unless the DOJ finally came down hard and raided their offices, took their hardware and software and forced them to release the code and all of the various undiscovered backdoors waiting to be found, it just won't happen. IMO, Microsoft has demonstrated time and time again it will fight tooth and nail against any punishment against them.

We will all be cleansed if true justice were ever to prevail, but in the "United States of Advertising", most of the people in power are paid off, with big pharma and other corporate overlords always padding the handshakes and votes. It is a lost cause, you know it, I know it, but you'll still piss away your vote to one of the two parties who bend over for big pharma to slide in the money and the overpriced medications pop out the other end as we all struggle under the yoke of this dismal fucking world.

Come clean? Microsoft? The whole system is mired in filth.

Good luck.

We now return you to your normal life, ostrich head in the sand, millions of tokers/beer drinkers who raise their fist while watching Fight Club and return to their soap opera pitiful lives of slavery as the credits roll.

Vote for Wesley Snipes for President in 2008, neither one of the big parties will get anything done, they are a part of the problem. Slaves who perpetuate this broken system will mod this down and continue their sleep.

sleep... sleep.... consume.... and sleep.... zzzzzzzz....

bookmark boycottnovell.com to keep track of microsoft mafia

AnonymousMay 20, 2008 7:55 AM

@Christopher Soghoian

It is only illegal if you are _caught_ in the lie. And the only way that can happen in the instant case is to admit it.

Simple solution: don't admit it.

In a sane, free, and just society, no jury would convict.

Your "best solution" of basically not carrying a laptop across a border is, well, impractical, no?

And you are more than a little dishonest to suggest you have the "right to remain silent" at a border. What's next, you have a "right" to be free of arbitrary search and seizure at an airport security checkpoint?

Of course, all of this bickering is just over Brand X or Brand Y of fascism. Why not step back from the situation? If seizing data in laptop computers is perfectly fine, then it _MUST FOLLOW_ that censoring cross-border computer network traffic is also Just Fine too. Sneakernet vs. ethernet: the difference is only one of media, not content.

homoduocerebrusMay 20, 2008 9:12 AM

The next thing will be random domestic searches. I also expect we'll soon see border guards planting porn on computers to extort money from travelers.
Maybe if we just give Al Quaeda or whoever unbreakable encryption these idiots will see it's all pointless and we can go back to being free.

An axe is a practical low tech way to bring down a network, next you'll need a federal permit to chop wood. Did anyone really vote for these idiots?

Want to start a run on a bank?
Just get 20 friends to open an account at the same bank, deposit $3000 each, wait a week and all go in at the same time and try and withdraw it. Pick a prominent branch on a busy road during peak hour traffic. The banks don't have enough cash in any branch and would have to get it from other banks, meanwhile you all line up outside shouting "give us our money". Call a news crew and radio talk show or two - Watch the rumors spread and the bank's share price drop. There'll be people lining up outside their branches everywhere in no time. Short their shares beforehand. Money for jam.

So much for the rocket scientists, hows cyber security going to prevent that?.

tk.May 20, 2008 2:49 PM

I came to echo the suggestion that ogie made: the odds of someone suspecting that they need to data-dump your iPod are low, and in a worst case scenario you can get the RIAA to help cover your court fees since they illegally copied music that they didn't "own"...

For that matter, might that not apply to any other media that might be stored on your laptop (not just music but other media and applications)?

homoduocerebrusMay 21, 2008 7:47 AM

Nice idea tk, and ogie was just lucky, and they'll just give themselves immunity and do a deal with the RIAA to check if your music is legit, and get subsidized [and have their own great pirated music collections].

Next comes Microsoft getting them to check if your Windows is legit. Better carry that certificate.

Don't be borrowing anyone else's computer and if IT give you a 'clean' laptop to take with you, make sure they also give you a letter saying exactly what is on it.

Viruses are probably illegal to import so make sure you don't bring one in accidentally.

Finally, aren't there laws about exporting strong encryption?
Better not make that file encryption too strong. Potentially stopping over in one country that prohibited exporting encryption to your next destination could see you locked up.

I see a potentially lucrative market in 'hidden' secure communications services and disguised memory devices and maybe even coders too.

Talk about opening an extremist can of worms.

Ryan May 21, 2008 9:47 PM

Yes your laptop can be searched at the border. However, in November of 2007 there was a federal court case that stated a person cannot be compelled to give up their password if the computer is encrypted. In the same case, the government tipped its hand by saying that PGP encryption software would take years to break, if ever. So PGP is fool proof unless a password sniffer is placed on your computer

FargoMay 23, 2008 8:52 PM

Friends of mine in the private investigation business seriously assure me that France has the technical capability of scanning and copying laptop hard disks when the laptop goes through the x-ray machine at the security gate. Though I regard these friends as credible they are not IT people so I question their claim. Does anyone know whether such hard disk scanning is possible?

Clive RobinsonMay 25, 2008 12:05 PM

@ Fargo,

"... copying laptop hard disks when the laptop goes through the x-ray machine at the security gate."

Probably untrue for a very simple reason "the laws of physics".

Or to put it another way how long is your laptop in the machine? - maybe 15 secs.

What is the total amount of data that can be stored on your laptop hard disk? - 2^40 bits.

Now calculate the bandwidth required to move that amount of data in that time its something like 2^37 or 1.3E10^11 or 130GHz.

Not impossible but highly improbable.

Then there is the problem of actually getting the data off of the multiple surfaces in the disk, which would be a very interesting bit of kit indead.

It would be far more likley that they would put malware onto the laptop to enable remote access (and yes this is not just theoreticaly possible with laptops that are not truly shutdown).

Frank LeeMay 27, 2008 2:48 PM

I'm amused by how many people have security plans based on accessing the Internet once they reach their destination. Sounds like a lot of folks haven't traveled outside their home city.

It might come as a surprise that the current 1 billion Internet users (worldwide figure for 2008) cluster around big westernized cities. Try getting a reliable or convenient Internet connection from the rest of the world. (As technologists we often suffer from myopia.)

Simply put, if you have "secret" data, don't travel with it unless you absolutely need it. If you do need it, there are plenty of good suggestions above. And with a little imagination, you too can advance the field of steganography.

Remember, the only safe secret is one that no one realizes is a secret.

PS: Definitely agree with previous comments, don't "even power on a laptop that has been taken away for inspection at the border."

Billy CamlinJune 15, 2008 3:11 AM

A clever way of encrypting sensitive data would be to use a steganography program such as Snow. Hiding in plain sight by embedding info in an image file either in an encrypted or unencrypted form would generally be overlooked by all but the most savvy customs official.

AreyouNUTS?June 16, 2008 9:22 AM

To Doug Coulter:

Man, I would be very interested to find out WHAT happened to you. I mean REALLY interested. Maybe I can avoid it. Maybe, I can't!

Heck, I have left the USA since 2003 (besides, I wasn't from "here" anyways). After the "DAY" - everything became worse, so I decided to leave, but I am really curious to what happened to you.

Drop me a line.

Thanks,

Just a bug (don't crush me :) )

nurblesJune 16, 2008 10:01 AM

Regarding the common misconception about passwords that "basically anything easy to remember is easy to guess"...

It is almost trivially simple to come up with passwords that are easy to remember yet nearly impossible to guess. For example, how about a password made up by alternating your last few phone numbers with names ot pets and/or birthdays? You could easily remember a 20, 30 or event 40 character password that way. Or may using the Nth letter of each word from a favorite quotation (assuming that doesn't result in a meaningful, simple sentence or word). There are just too many of these to list, and they would seem to result in very long passwords of pretty much random letters and numbers (and one could include punctuation to make them even trickier).

Why don't any of the people proposing strong passwords ever suggest these things? I mentioned it to a manager at the local Lowe's and later found out that he now required everyone to have passwords at least 10 characters long including letters, digits and punctuation and is using my suggestion to help people choose complex passwords that they can actually remember -- instead of writing them down and secreting the written password at their station (which was the original cause of the new password selection requirement).

atomanticJune 16, 2008 9:23 PM

hmmm, on the other hand:

1. Record a song, some home movies, etc…
2. DRM your files
2. Go through airport security
3. Sue the border agents for copyright infringement in violation of the DMCA
4. Get awesome press coverage outlining the stupidity of both the DMCA and this ruling

DGenerateKaneJune 17, 2008 10:46 PM

I wonder what they would do if there was no battery or power cord with the laptop.

Mike June 21, 2008 9:16 PM

While customs agents might poke around on your laptop, they're unlikely to find the encrypted partition. (You can make the icon invisible, for some added protection.) And if they download the contents of your hard drive to examine later, you won't care.

I'm coming into this late, but I didn't see anyone else comment on this. Surely you care a lot? They know who they took the laptop off, they can come knocking on your door demanding the password. I'm pretty sure they are entitled to do so here in the UK at least (the US has no monopoly on invading people's privacy, alas).

LorneVallenJune 27, 2008 3:17 AM

The only prosecution I know of so far is a guy with child porn in his laptop.

Adult porn may not be illegal, but child porn certainly should be.

RobertAugust 4, 2008 9:56 AM

In praise of the 5th Amendment. The best advise is not to lie, but to decline to divulge information. Look at this YouTube video for why: http://www.youtube.com/watch?v=i8z7NC5sgik

Is it 1984, yet? I'm all for securing our borders, but it seems Homeland Security is busier validating their existence by persecuting working citizens than preventing crossings. I doubt the illegals are overconcerned about carrying their ThinkPad with them. Surely our border guards have better things to do than screen for pr0n.

Little Brother's FriendSeptember 15, 2008 6:06 PM

Okay...

I've some questions. I've worked at a big financial institution and I travel for a living.

I'm wondering what will happen when they ask me for my laptop and I have to report this to my company and the athorities... why?

Well, I know for a fact that the reason my company makes me encrypt my hard drive is that I have not only private data of my own, but I have private data of my company and its clients. I'm supposed to be safegaurding that information.

How do I explain handing over confidential information that could include social security numbers, names, addressess, account numbers, private network information, passwords, etc. to a government or agency that is not associated with the company?

And I'm not talking about my own (which is bad enough) but of hundreds of clients my company works with?

andreasSeptember 16, 2008 9:18 AM

of course all the tips & tricks discussed here for hiding your data could be employed by the exact same terrorists these rules are created for to protect you from...

PowerTravelerMay 24, 2009 6:36 PM

What i do is use an older Mac running OS 9. That will still read/write USB drives but gives you access to lots of quirky software. e.g. you can encrypt your files, then compress them, then turn into an OS 9 .img file, then re-encrypt., then make invisible. EVen if the border boys find your file(s), they'll never be able to do anything with them. Guaranteed.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..