Laptop, cellphone, iPod data - all fair game for copying at borders

[solarbird]

The Washington Post reported yesterday that US border agents are routinely searching laptop, cell phone, and other electronic-media data and making copies. At least one person who is part of a class-action lawsuit against this has had laptops taken and never returned. And no, US citizens are not in any way exempt.

The US government is trying to claim that this is the same as searching briefcases, except, of course, that the point of that traditionally was to look for contraband items such as firearms, bombs, and smuggled goods; reading and making photocopies of your business documents have not, for example, been part of that deal. But now, apparently, it is.

In response, several companies have now set up "blank laptop" travel programmes, so that people are carrying dataless laptops around, accessing the data they need later via the internet, preferring the risk of hacking to the risk of the border crossing. Some companies have created policies that cell phones, similarly, must be blanked before entering or leaving the United States.

The damage this does to the ability of companies operating in the US to do business should, of course, be taken as read.

Comments

[elfs.livejournal.com]

I learned a long time ago how to make plausible deniablity DVDs. Create about 10 GB of high-quality noise. Use it to make a 4.2GB block. Create three stripes within the block: one of the stuff you really want to protect, one of stuff you plausibly would want protected but would be willing to give up to a court order, and one of stuff you don't care about.

Create a stripe of high-quality noise. Encrypt the second stripe mentioned above, using the stripe of noise as the key, choosing a random length and offset inside the block. Now encrypt the whole key block with a strong passphrase.

Run them all together: public filesystem, first encrypted filesystem, encrypted keyblock, second encrypted filesystem. Burn that to the DVD.

It is obvious to any observer that there's an encrypted filesystem on the block. They get a court order and you cough up the password, which looks like it was generated by a bog-standard corporate "make a secure password" program. They find your porn collection, which you plausibly encrypted to keep the kids out of it. Or your financials from 1999. Or something else you would want to keep away from casual examination. Every good cryptography program creates a DVD-filling block of noise, so it's plausibly deniable that the rest of the random-seeming garbage on the disk is random garbage.

Even if anyone should guess that the rest of the DVD contains something incriminating, the filesystem block is protected from a known-content attack by a decent algorithm and the fact that the encryption key is, itself, high-quality noise. And the encryption key is protected from a brute-force attack because even if they wanted to try every possible passphrase (and you picked a good, long, complex one, right?), the output of the decrypting this block of noise is-- high quality noise! They will not be able to detect algorithmically when they've hit the right passphrase: they'll have to try every passphrase, with a length and offset, against the filesystem block. It is computationally impossible to attack this with today's technology before the stars go out. But there is no way, using today's technology, that they could prove that the noise is anything but noise.

You've satisfied the curiosity of the investigators-- yes, there's crypto'd data, but you gave them the password. The rest of the DVD? That's just random junk generated by the crypto software to prevent attacks.

Just something you might want to have on hand, someday.

Eep, oh arrgh!

[angharads-house.livejournal.com]

I'd heard various grumblings about this, and had gotten to the point of trying to avoid carrying any electronic equipment back and forth during short social trips -- usually one or the other of the various belovedests can provide e-mail access. But this is serious matter on longer trips, especially those where getting caught up on paperwork is one of the better sanity-maintainers during long plane flights.

Dawns on me that a 'blank laptop' business policy will only really work where one can be reasonably assured of being able to utterly scrub sensitive corporate or personal data off a machine before making those crossings. Also, there's the problem of widespread snooping into any data sent over the Net. I have never doubted that for any given corporate cryptosystem, there's already an established backdoor to it.

Good thing, in personal case, that neither I nor any of my clients have any business interests at all whatsoever Stateside; after the abandonment of the Appalachian properties I decided to not have anything more to do with American projects -- it just makes the tax matters ever so much simpler. (And truth be told, anything that cuts down on the number of long-distance air journeys within North America is just fine by me -- travel by air on this continent is no fun at all.)

[angharads-house.livejournal.com]

Good solution, in the fairly unlikely event that I ever would want to take on assignments down in Gilead again -- seems to me that for some of these issues, the best solution is just to avoid getting caught up in the paranoia. Easy for a foreign-based foreign national to say, because I can readily restrict my professional practice to the rest of the developed world. (Actually it's staggering how many of my Canadian colleagues have come to exactly that conclusion! -- even Russia and China are easier to deal with, these days).

[firni.livejournal.com]

I sent that link to P. Odds are, he and his buddies at work will blow a gasket. At least a few of them have started traveling to India on business. P only has to go to San Mateo, which makes me wonder if they'll start this crap on domestic flights just for the hell of it.

[grian-ruadh.livejournal.com]

Well, as I've said before, if something really remarkable doesn't happen this next election, me and mine are outta here. We're making plans to move to San Francisco and at the same time making back-up plans to become permanent ex-pats, most likely to the EU. Renewing passports and investigating visa applications with the British Consulate this week, actually. I live in hope that we will not have to activate Plan B because, really, relocating to another country is a pain in the ass, but if the US persists with heading down the road to implosion, we'd rather watch from a safe distance, and Canada is still too close to the impending blast radius for comfort.

[hattifattener]

There are Linux encrypted filesystems that do this (on a live disk, not a DVD); you can have multiple disk-images within images, and there isn't (supposed to be) a way to tell when you're looking at the innermost one.

[angharads-house.livejournal.com]

Believe me, as a Canadian who lives way too close to the southern border for comfort (and who knew how minimalist our defensive plans were: basically: "blow all the culverts on the freeways, retreat north out of artillery range and beg for armistice and UN reconstruction funding"), I am acutely aware of how southern chaos can spill over onto our side of the line.

Doesn't help matters that we have an avowedly-Dominionist Prime Minister who believes in the principle of the Unitary Executive, and now wants to force an election over whether or not Canada should "abandon our allies in the fight against terror".

Sigh.

Actually, with global warming and all, Nunavut's pretty nice. //^_^\\

Anyway, am glad that D. posted the link to that story; it's a good wake-up call, and I do have a little Linbox that I can take travelling (and sacrifice if some official goon wants to steal it from me) -- about all I would lose would be a draft of the second novel, and that doesn't even have any steamy sex scenes in it.

[hubbit.livejournal.com]

Just out of curiosity, how plausible would it be to get a minimalist notebook with a minimal HD and perhaps an abundance of RAM, and keep nothing on it except, say, Firefox? EDIT: Because email and even instant messaging can be done through web interfaces - not the most efficient way but the data are not retained.

Remote storage is cheap and plentiful; there are programs that will let a person edit documents, spreadsheets, etc, over a web interface; barring that, one could certainly install OpenOffice and just grab a doc, edit it, then reupload it.

In that way, even if a laptop is grabbed, the data are safe because you're using a client-server model.

Would it be a pain in the ass? Of course. But it's just for traveling purposes (and when traveling around the world with a laptop, who knows what could happen to a laptop and whatever data it contains...)

[llachglin.livejournal.com]

Wow. They're blocking the free flow of information, rather than goods or contraband. That's fucking insane.

[kissare.livejournal.com]

Every time you post, I lose my faith in humanity a little. But thank you for bringing this stuff to light.

[solarbird]

Wow, I wonder what that's like - having faith in humanity, I mean.

Muah ha ha! <rubs hands together menacingly>

[solarbird]

Just out of curiosity, how plausible would it be to get a minimalist notebook with a minimal HD and perhaps an abundance of RAM, and keep nothing on it except, say, Firefox?
Plausible? It'd be trivial. Perhaps I don't understand the question.

[solarbird]

Define "really remarkable"?

[grian-ruadh.livejournal.com]

"Really remarkable" as in we get a president willing to restore and abide by the Constitution.

[kensaro.livejournal.com]

Truecrypt does something similar, with whole file systems if you so want to.

[cow.livejournal.com]

I saw this earlier and agreed, and then I realized I should note for anyone else reading:

> They find your porn collection, which you plausibly encrypted to keep the kids out of it.

A lot of countries will seize porn at the border, so this isn't so good in this particular situation if your goal is to get the data across. (Financials from 1999 is a good idea. :D Especially fake financials.)

[backrubbear.livejournal.com]

I have a similar article from netsec@merit. Did you want a copy?

[brombear.livejournal.com]

I still LOVE this Icon!

[solarbird]

If it has additional data of interest, sure. If it's basically the same, that's fine, but thanks.

[hubbit.livejournal.com]

My question is this: Why would it not make sense to travel abroad with a stripped-down bare-bones laptop containing only the software needed to access one's email, documents, and other essentials remotely; edit one's documents and read one's email directly on the remote server; and return here to the land of the free with absolutely no data on the computer to copy in the first place?

Sort of a "travelling office". Just as one packs only the clothing necessary for a trip and not one's entire wardrobe, I would think it makes sense to store what is needed for computer usage on an out-of-country trip on a server (or series of servers), and work remotely. In my mind this would defeat the copying program since there is nothing to copy, and should the laptop be lost, the data will remain safe.

The usual caveats (encrypt your HD where feasible, never store passwords on the computer or in a program, make sure your Firefox or Opera clears the cache and does not store a history) apply.

The gist of my question is, is this an unreal expectation? Can people who normally keep their passwords written down on a sticky note affixed to their monitor be taught to think this way? :)

[avram]

Some companies are having their people do this already.