50 comments

[ 2.9 ms ] story [ 107 ms ] thread
The TSA has posted an official reply to this:

That's the Customs and Border Control's Job not ours. You can tell the difference because their uniform is NAVY blue and ours is more of a ROYAL blue. (I'm paraphrasing here but only barely. THEY ACTUALLY POINT OUT THE UNIFORM COLOR DIFF).

I wish/hope this was/is a joke:

http://www.tsa.gov/blog/2010/01/can-tsa-copy-your-laptop-har...

As much as I hate to agree with him ( http://reason.com/blog/2010/01/19/tsa-pays-blogger-to-mock-p... ), in this case "Blogger Bob" has a point. It was customs, and not DHS who actually searched the laptop.

The court case: http://fourthamendment.com/blog/index.php?blog=1&title=s...

Speaking as a fairly frequent traveler here...

In my mind, there are two sets of uniformed people at the airport. "Airline worker" (gate agent, skycap, pilots, etc) who are there to help me.... and "TSA" (Anyone with a badge, possibly a gun, and the ability to basically do whatever the hell they want) who are there to make life demeaning.

It doesn't matter to me that the dark blue person is Homeland Security, the pale blue person is Customs, and the in-between blue one is Immigration. They are all equally "the man" and equally capable putting me on the "fuck that guy" list.

Intellectually I understand that many of them perform a valuable service. Emotionally I fear (and by extension: hate) them and have grown to dread traveling.

CBP is a different sort of dickheadedness than TSA.

TSA: Undertrained goons hopped up on terrorism paranoia. Will make your life absolutely miserable if given the prompt to do so (e.g., a tiny contraband item in your carry-on). Can't do too much to make your life miserable outside of missing your flight.

CBP: Will. Fuck. You. Up. As a non-American working in the US, I fear the CBP like the motherfucking gestapo. Each agent wields an insane amount of power to alter one's legal status in the USA, and they never hesitate to express this power to you. Unlike the TSA agents, who get no respect from even their employer, CBP goons are given a huge amount of unquestionable leeway in their jobs.

I've seen TSA workers cite regulation after regulation to make a traveler's life hell - but they've always been professional at least on the surface. I've seen CBP agents be blatantly racist, insulting, and grossly unprofessional and conduct themselves in ways unbecoming of a human being, much less a government representative. And there's not a damn thing that can be done.

I used to drive from Seattle to Vancouver for the weekend a few times a year, in the eighties, back when terrorism was something that happened on page six.

Driving in to Canada, their border guards were always pleasant, smiling and welcoming. They made me feel like they wanted me to visit.

Driving back to the US, our border guards seemed to feel like I was a criminal. I felt unwelcome in my own country. I felt "wanted."

I actually had to sit on the Group W bench once. The guard asked me a question, and I didn't hear him correctly. So I said "what?" I was polite (knowing who I was talking to).

"Out of the car." And they searched my car. Because I said "what?"

I'm a US citizen, and my experience has been the opposite.

Of course, US Immigration/Customs is not nearly as nice as immigration in other countries, but that's to be expected. (When I visit Norway and Denmark, the immigration people actually smile at you. When I visited Germany, the immigration officer actually laughed at something I said. It's like they are real people or something!)

Why is that to be expected?
Because when something happens over and over and over again, you tend to expect it to keep happening.
Because the US takes immigration and police in general too seriously. Everyone is a criminal. Nobody is to be trusted.

Compare this to Europe (minus the UK and France), where people in positions of authority treat you nicely until they have a solid reason to do otherwise.

"Cultural difference" or whatever.

Presumably because you're a citizen, they can't actually refuse you entry because they missed their morning coffee. Those of us who work legally in the US, but aren't citizens, have a different experience. Sometimes I feel like reminding them, that I too pay for their salary.
I've seen CBP agents be blatantly racist, insulting, and grossly unprofessional

As with a sibling poster, I am also a US citizen. Hearing about this infuriates me, especially, perhaps, on the anniversary of the Christian White Boy's bombing of the OK City Murrah building. That was terrorism, plain and simple.

There's just no excuse for that behavior. I'm not sure what I can do about it personally, but if you have an idea I'd like to hear it.

Calling him Christian as an epithet doesn't add to your case.

You wouldn't do it if he were Muslim or Jewish.

How about just "criminally insane"?

It's exactly my point. When these "authorities" profile for terrorists, they are looking for middle eastern Muslims. The idea that they justify to themselves mistreating these people because of their ethnicity bothers me a lot. I point out that there are terrorist Christians, too.
Sure, 1 we know of at this kind of scale, perhaps there's another I'm forgetting.

Compared to how many hundreds of thousands (millions?) of Muslim terrorists who are out there right now?

I'm not trying to pick on Muslims (we know that about 90% of Muslims are not radicalized Wahhabis); just pointing out the reality of the situation.

reality of the situation

I submit that's your perception. I'm not going to go deeply into this (because it's not the forum for it) but I'll simply say that if we don't enforce rigorous mental discipline on ourselves then what we perceive as a terrorist act vs "civil" conflict can be clouded by how we feel about its outcome rather than whom (and how) it targets. By that I mean, for example, someone who kills abortion doctors may consider his act not one of terrorism, the killing of innocent civilians, but one of justice because he is killing a killer.

how many hundreds of thousands (millions?) of Muslim terrorists who are out there right now

Doubtful. The entire Al Qaeda organization was estimated to be 5000 strong just after 9/11. Now, I know that Bush's policies brought a lot more into the fold but I would be surprised if there were hundreds of thousands of actual terrorists. That would be like me saying that all right to lifers were on a par with the killers among them. There are even some who may think the killing is partially justified (that is, understandable) but who wouldn't actually go so far as to carry it out. (You can swap PETA for right-to-lifers if you like.)

Customs is part of DHS.
Touché. Well, at least I can go back to hating blogger bob again
Blogger Bob works for the TSA, which is a sibling of Customs. The common parent is the DHS.
I was more mortified at the tone in which this was posted. Something about it seemed far too carefree and nonchalant, as if the most important thing is quibbling over the subtle shade of blue in their uniforms. These being the people who complained so much people didn't take them seriously that they now get fake cop badges and uniforms.
You haven't read the TSA's blog much, I take it? It's all carefree and nonchalant. Nothing to see here, move along. The comment section can be entertaining, though.
This is why I travel with a netbook that has full-disk encryption. If the government wants my laptop, they can have it for as long as they want. $300, whatever. If they want to compel disclosure of the passphrase, though, that's not as easy. Then judges and the Constitution get involved.

What I've learned from reading cases (and watching Law & Order, heh) is that if the police have evidence against you, it's easier for them to get what they want from the courts. "We already saw the child porn, we just want to check for more."

If all they have is a disk they can't read, it's going to be hard to get any judge to compel you to produce the key, especially if they can't prove you have the key. (And, in the US anyway, there is some precedent that you can't be compelled to produce the key anyway.)

The government wants more power, but the people have the power to take it away. It's just a checkbox away in your favorite OS's installer. (Well, in Debian anyway.)

With talk of 20 year prison sentences for ordering manga from Japan or talking to people on Myspace, I think it's pretty insane to not encrypt your disks. Who knows what someone else will think is illegal? I would rather not find out.

No, dm_mapper/LUKS.

But actually, I do have a Windows 7 machine, and am TrueCrypt-ing that right now. (I had forgotten about that until you mentioned it, and BitLocker is $200 I don't want to pay.)

So far, seems pretty nice. You can never be 100% sure about encryption software, but since I haven't read about the government breaking any crypto implementations and sending anyone to prison, it is probably Good Enough.

I don't worry too much because I don't think I am doing anything illegal. But it's still nice to avoid people rummaging through your stuff.

Make sure you use an adequate password with that encryption. It amazes me how many people use, say, an 8-10 character password with just lower case (and maybe numbers).

:)

Good full-disk encryption systems use key strengthening, making even short passphrases reasonably secure. Testing one passphrase on my machine, for example, takes about 1 second of CPU time. 26^8 seconds is a long time (6,000 years).

The other alternative is to brute-force the entire keyspace, which puts you back in 2^128 (or 2^512) territory but with the option of trying billions of keys a second. A few Universe lifetimes, and my .emacs will be all yours.

Oh, but I use a long password anyway. The key, IMO, is to avoid using a password you have ever used for anything else. You might not have to testify against yourself, but your employer or mail provider will be happy to cough up your password for the authorities. So don't give it to them.

Well there are 2 advantages that lets you reduce that time dramatically.

First you can use a dictionary - then munch it (with Jack or something) to create a large dictionary within the keyspace. It's surprising how much that covers.

Then you can parallel the process; I know a few commercial companies (ourselves included) with a large computer capacity for these purposes. I'd be surprised if the govt. didn't have some form of similar access.

If you can reduce the search space by a factor of 1,000 and run your cracker on 1,000 machines it makes a dramatic difference.

OK, let's assume you can try 1 billion (10^9) keys per second. Now add numbers to your keyspace (remember, no special characters or capital letters yet!), and make your password 12 characters instead of 8. Not much harder for you.

But now it takes 150 years to brute-force the keyspace.

I doubt anyone is going to devote 150 years of computer time to someone going through customs.

No clearly not. Which is why I said "you'd be surprised how many people use an 8 to 10 char password sometimes with numbers". :-)
Your password strengthening won't help.

The forensics guys will clone your drive, then feed huge fuzzed dictionary attacks using the same algorithm until they find something that works, and they'll do it with machines a lot faster than your laptop.

They don't have to brute-force the keyspace. They only have to brute-force your password-space.

I doubt this. Do you have a link to a paper covering this technique, or a conviction that used this technique?
Well you have information about the person including his name, perhaps hobbies, passwords from Google, Yahoo or other sites, which will provide them if they are fed some "terrorist threat, brown alert" mumbo-jumbo. In rest NSA and Choicepoint and help you on that front.

Then you just start building a customized keyspace from that information. Include some common substitutions: letters for numbers, numbers for letters. If you have other passwords, look for general patterns. Some people use long passphrases, but they have a pattern or algorithm on how they build all their passphrases! There you just might need a human expert to take a look.

In the end, yes, it is very difficult but it is still a lot better than plain brute-force.

But yeah, I doubt Customs have the equipment or knowledge to do this. That is something that NSA would do. They would have access to the best tools. I can imagine there might be some kind of very constrained cooperation between them. "You send us a disk clone + personal info of the owner, and we'll try to send you back the cracked passphrase. You don't ask as questions how we got it, and you don't even mention that we got involved at all."

This works up until the point where it's decided that refusal to disclose your password, while not a criminal offense in any way, is grounds to prevent you from boarding your flight.
Customs is after you arrive, so whatever.

If I'm ever in this situation, I fully expect to be arrested (and released 23 hours later with no charges filed), though.

(Expect the worst and you won't be surprised.)

Customs is not after you arrive in all cases (Canada and the Caribbean have "pre-inspection" centers at most airports).
You should create your true root disk at a few levels down. If forced to reveal your password, then provide them only with the first level - maybe have it load windows 95.
I'm not that paranoid. The worst the government can do is hold me in contempt of court.
Actually I think the worst thing they can do to you involves detainment without trial and something to do with water+boards.
You read too many tabloids.
The law on this matter is, as I understand it-IANAL, that a password is a product of the mind and so it would be a violation of your fifth amendment rights to compel you to give up the password, as it would be "testimony against yourself." A password written on a piece of paper or a physical key would be a different matter. This doesn't mean they can't confiscate your laptop and/or image the hard drive to try and crack your encryption later though, it just means if you have encrypted files you can't be penalized for failing to disclose the password (probably).

This lecture from Defcon 17 may be relevant: https://media.defcon.org/dc-17/audio/DEFCON%2017%20Hacking%2...

From the article: [4th amendment] protections do not disappear merely because one happens to be at a real - or imaginary - border.

Ah, but they do. It's called the 'border search exception' and it has been consistently upheld by courts, based largely on the 5th act of Congress passed in 1789 which set up the US Customs Service. Not only are searches of laptops and storage devices considered reasonable in this context, but so is opening mail and just about anything short of a strip search.

This has been argued over on a variety of grounds quite recently but the courts have stood firm on it. So like it or not, it's better to avoid carrying any storage device containing data that might be construed as suspicious.

Indeed. Just send it via the Internet, where packets are not opened and inspected before entering the country.

Sometimes I think that government policies are implemented only to make people feel powerful. We can search your laptop!

OK, but I can just send the data to my home computer via the Internet, and just carry my wiped laptop across the border.

But they haven't broken AES or the key exchange protocols. Nobody sends important data across the Internet unencrypted.
DJB had some interesting thoughts on AES and its vulnerability to timing based attacks, here: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

While network latencies would definitely make this type of attack more challenging to implement, AES is not invincible.

And that's just the stuff we hear about :)

If you're sending encrypted files across the internet, the government doesn't get to see how long it took to encrypt the data. And if you're running an open "encrypt anything my secret key" oracle, well, you get what you deserve.
Indeed. This sort of attack is good for breaking DRM, but not so good for any legitimate uses of cryptography.
It's worth nothing that CBP cannot compel you to give them your password(s), and can't really refuse entry to a US citizen, so as long as you encrypt everything your laptop should be secure. They can of course confiscate the machine to image it - and you may not get it back while it's still worth anything - but, what can you do.

The iPhone is trickier, mAdvLock is the only thing I know of that would most likely work even if it was confiscated.

Nobody disputes, or should dispute, the right of a sovereign nation to perform invasive searches at international borders. What is most serious and egregious in the DHS/CBP behavior is the slippery slope of trying to change the definition of an international border. The 4th amendment in no way protects you from a border search, but saying that 100 miles inside the country is an international border is ludicrous.