RE: [Politech] Customs-proofing your laptop: Staying safe at border searches [priv] (fwd from declan@well.com)

I checked out those links...hilarious! Check this out (remember, this gal is running for Senator of Alabama!):

On the way to the hotel my cab driver, having heard the conversation with the Border Guard, expressed an interest in learning more about my work. So I filled him in as much as I could in the few minutes we had left. When we arrived at the hotel I had expected to meet my ride who had the cab fare, pay the cabbie and embark on my weekend adventure.

She hadn't even brought cab fare, and was expecting another pot head to show up with it!!!

However, my ride got a little lost and hadnt made it to our designated meeting point yet. I called the cell number I was given but got voicemail. I didnt have my credit card on me so I couldnt pay the cabbie. He decides that he will wait with me for a little bit and we continue our conversation about pot and drug policy.

She went to a foriegn country without cab fare or a credit card! And now the guy with the money (another pot-smoker) is late, and she's suprised!!! I'm starting to wonder if this is a hoax. It IS funny, though. -TD

From: Eugen Leitl To: cypherpunks@al-qaeda.net Subject: [Politech] Customs-proofing your laptop: Staying safe at border searches [priv] (fwd from declan@well.com) Date: Wed, 4 May 2005 10:58:22 +0200

----- Forwarded message from Declan McCullagh -----

From: Declan McCullagh Date: Tue, 03 May 2005 22:42:03 -0700 To: politech@politechbot.com Subject: [Politech] Customs-proofing your laptop: Staying safe at border searches [priv] User-Agent: Mozilla Thunderbird 1.0 (Macintosh/20041206)

Detecting whether the Feds or any government adversary has placed spyware on your computer when "examining" it at a border checkpoint is not entirely trivial. It is, however, important for your privacy and peace of mind -- especially because computer and PDA searches will likely become more popular in time.

Here are some basic suggestions: http://www.politechbot.com/2005/04/21/update-on-alabama/

A more advanced one would be to perform a checksum of all the files on the hard drive before-and-after through something like this:

% for i in `find / -print`; do md5 $i >> /tmp/new; done ; diff /tmp/new /tmp/old

The problem is that even your "diff" utility could be modified so you'd need to use a known-good copy from archival media.

Can anyone recommend a checksum'ing utility for Windows and OS X? It would be nicer than a command-line interface.

Note, by the way, that Rep. Bono's "anti-spyware" bill exempts police: http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00029:

-Declan

---

Declan,

In response to the Alabama activist who was hassled at the border returning from Canada, here is some insight. However, I ask that you PLEASE WITHHOLD MY NAME; I know some people who do computer forensics for FBI and I would not want them to know it was me writing this.... Thanks.

Feel free to use any of the below in the blog or in the listserv.

+ + + + + + + + + + + + + + + + + + + + + + + +

Loretta's experience w/ US Customs is chilling. The fifteen minutes her notebook computer was out of view and in government custody is plenty of time for an agent to image the drive. Imaging, as you know, is the end-to-end bit-level copying of the drive. When properly done, imaging bypasses all OS controls, such as file permissions in Linux, BSD, and OS/X, and user ownership in Windows.

A drive image affords an analyst plenty of time to examine the drive contents without the owner's awareness. The image can be mounted onto a device where other programs can reconstruct or reinterpret file systems structures of NTFS, ext, FAT, and so on. An analyst mounting an image as root or Administrator can see anything.

Do not assume a BIOS password will protect you. The drive can be physically removed from a laptop in under a minute.

If the file data is encrypted, a forensic analyst will need to use a password cracker to decode the data. This will slow them down, and in all but the most pressing cases, will prompt them to move on. However, a careless individual may leave their PGP (or similar) key on their drive in a text file or in slack or deleted space, giving the agent something to work with.

Though encryption is a pain for the user to deal with, this is probably the best level of protection. Encryption raises your reasonable level of expectation of privacy.

Legal issues raised by this incident potentially include illegal search and seizure. Even US Customs still needs a search warrant for your computer, and the warrant must state specifically what they are looking for. They cannot fish.

If an image was taken of Loretta Nall's drive, there will be a chain of custody document for this supposed evidence. Her lawyer can advise as to how to file a motion for it. There might also be an incident report, which would describe the actions of the agents.

None of the information stolen from Loretta's drive can be used directly in a court proceeding. Unfortunately, it probably could be used to confirm other intelligence.

There is no device I know of that will allow you to determine if your drive has been scanned or imaged. Computer forensics is extremely careful not to taint evidence by writing to the drive.

I'd like to see one of those warranty foil labels that fall apart when you tamper with them. There must be source for them. Place a label across the edges of the drive bay. That way, if the drive is removed, you can at least see that it was opened.

The point about government installing bots is well-taken. You may be able to md5sum your drive before and after customs, but this capability is beyond 99%+ of users.

If possible, do NOT carry a notebook across the border with you if you can avoid it. Junior G-Men maybe too tempted to prove their mettle with the boss when they see one. For data, pen drives and CD's can be comingled with other personal possessions, where they might attract less attention.

Pen drives may be reformatted at will, removing the risk exposure that might come with a notebook's Internet cache, slack space, cookie list, website history, and so on.

If you MUST take your computer, FLUSH ALL INTERNET CACHE, web site histories, search histories, cookies, temp files, recycyle bins, etc. Make your own disk image before you go.

Always ask Customs what they are doing, and ask as politely as possible. Object if they remove something from your sight - again, as politely as possible. Do not get "legal" on them, but do say "I don't understand." At least that way they cannot claim you have tacitly waived your rights.

-N. G. Zax

_______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)

----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]