[Politech] Customs-proofing your laptop: Staying safe at border searches [priv] (fwd from declan at well.com)

Wed May 4 05:44:21 PDT 2005

I checked out those links...hilarious! Check this out (remember, this gal is 
running for Senator of Alabama!):

>On the way to the hotel my cab driver, having heard the conversation
>with the Border Guard, expressed an interest in learning more about my
>work. So I filled him in as much as I could in the few minutes we had
>left. When we arrived at the hotel I had expected to meet my ride who
>had the cab fare, pay the cabbie and embark on my weekend adventure.

She hadn't even brought cab fare, and was expecting another pot head to show 
up with it!!!

>However, my ride got a little lost and hadnt made it to our designated
>meeting point yet. I called the cell number I was given but got voicemail.
>I didnt have my credit card on me so I couldnt pay the cabbie.
>He decides that he will wait with me for a little bit and we continue
>our conversation about pot and drug policy.

She went to a foriegn country without cab fare or a credit card! And now the 
guy with the money (another pot-smoker) is late, and she's suprised!!!

I'm starting to wonder if this is a hoax.

It IS funny, though.

-TD

>From: Eugen Leitl <eugen at leitl.org>
>To: cypherpunks at al-qaeda.net
>Subject: [Politech] Customs-proofing your laptop: Staying safe at border  
>searches [priv] (fwd from declan at well.com)
>Date: Wed, 4 May 2005 10:58:22 +0200
>
>----- Forwarded message from Declan McCullagh <declan at well.com> -----
>
>From: Declan McCullagh <declan at well.com>
>Date: Tue, 03 May 2005 22:42:03 -0700
>To: politech at politechbot.com
>Subject: [Politech] Customs-proofing your laptop: Staying safe at border
>	searches [priv]
>User-Agent: Mozilla Thunderbird 1.0 (Macintosh/20041206)
>
>Detecting whether the Feds or any government adversary has placed
>spyware on your computer when "examining" it at a border checkpoint is
>not entirely trivial. It is, however, important for your privacy and
>peace of mind -- especially because computer and PDA searches will
>likely become more popular in time.
>
>Here are some basic suggestions:
>http://www.politechbot.com/2005/04/21/update-on-alabama/
>
>A more advanced one would be to perform a checksum of all the files on
>the hard drive before-and-after through something like this:
>
>% for i in `find / -print`; do md5 $i >> /tmp/new; done ; diff /tmp/new
>/tmp/old
>
>The problem is that even your "diff" utility could be modified so you'd
>need to use a known-good copy from archival media.
>
>Can anyone recommend a checksum'ing utility for Windows and OS X? It
>would be nicer than a command-line interface.
>
>Note, by the way, that Rep. Bono's "anti-spyware" bill exempts police:
>http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00029:
>
>-Declan
>
>---
>
>Declan,
>
>In response to the Alabama activist who was hassled at the border returning
>from Canada, here is some insight.  However, I ask that you PLEASE WITHHOLD
>MY NAME; I know some people who do computer forensics for FBI and I would
>not want them to know it was me writing this....  Thanks.
>
>Feel free to use any of the below in the blog or in the listserv.
>
>
>+ + + + + + + + + + + + + + + + + + + + + + + +
>
>Loretta's experience w/ US Customs is chilling.  The fifteen minutes her
>notebook computer was out of view and in government custody is plenty of
>time for an agent to image the drive.  Imaging, as you know, is the
>end-to-end bit-level copying of the drive.  When properly done, imaging
>bypasses all OS controls, such as file permissions in Linux, BSD, and OS/X,
>and user ownership in Windows.
>
>A drive image affords an analyst plenty of time to examine the drive
>contents without the owner's awareness.  The image can be mounted onto a
>device where other programs can reconstruct or reinterpret file systems
>structures of NTFS, ext, FAT, and so on.  An analyst mounting an image as
>root or Administrator can see anything.
>
>Do not assume a BIOS password will protect you.  The drive can be
>physically removed from a laptop in under a minute.
>
>If the file data is encrypted, a forensic analyst will need to use a
>password cracker to decode the data.  This will slow them down, and in all
>but the most pressing cases, will prompt them to move on.  However, a
>careless individual may leave their PGP (or similar) key on their drive in
>a text file or in slack or deleted space, giving the agent something to
>work with.
>
>Though encryption is a pain for the user to deal with, this is probably the
>best level of protection.  Encryption raises your reasonable level of
>expectation of privacy.
>
>Legal issues raised by this incident potentially include illegal search and
>seizure.  Even US Customs still needs a search warrant for your computer,
>and the warrant must state specifically what they are looking for.  They
>cannot fish.
>
>If an image was taken of Loretta Nall's drive, there will be a chain of
>custody document for this supposed evidence.  Her lawyer can advise as to
>how to file a motion for it.  There might also be an incident report, which
>would describe the actions of the agents.
>
>None of the information stolen from Loretta's drive can be used directly in
>a court proceeding.  Unfortunately, it probably could be used to confirm
>other intelligence.
>
>There is no device I know of that will allow you to determine if your drive
>has been scanned or imaged.  Computer forensics is extremely careful not to
>taint evidence by writing to the drive.
>
>I'd like to see one of those warranty foil labels that fall apart when you
>tamper with them.  There must be source for them.  Place a label across the
>edges of the drive bay.  That way, if the drive is removed, you can at
>least see that it was opened.
>
>The point about government installing bots is well-taken.  You may be able
>to md5sum your drive before and after customs, but this capability is
>beyond 99%+ of users.
>
>If possible, do NOT carry a notebook across the border with you if you can
>avoid it.  Junior G-Men maybe too tempted to prove their mettle with the
>boss when they see one.  For data, pen drives and CD's can be comingled
>with other personal possessions, where they might attract less attention.
>
>Pen drives may be reformatted at will, removing the risk exposure that
>might come with a notebook's Internet cache, slack space, cookie list,
>website history, and so on.
>
>If you MUST take your computer, FLUSH ALL INTERNET CACHE, web site
>histories, search histories, cookies, temp files, recycyle bins, etc.  Make
>your own disk image before you go.
>
>Always ask Customs what they are doing, and ask as politely as
>possible.  Object if they remove something from your sight - again, as
>politely as possible.  Do not get "legal" on them, but do say "I don't
>understand."  At least that way they cannot claim you have tacitly waived
>your rights.
>
>-N. G. Zax
>
>
>
>_______________________________________________
>Politech mailing list
>Archived at http://www.politechbot.com/
>Moderated by Declan McCullagh (http://www.mccullagh.org/)
>
>----- End forwarded message -----
>--
>Eugen* Leitl <a href="http://leitl.org">leitl</a>
>______________________________________________________________
>ICBM: 48.07078, 11.61144            http://www.leitl.org
>8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>http://moleculardevices.org         http://nanomachines.net
>
>[demime 1.01d removed an attachment of type application/pgp-signature which 
>had a name of signature.asc]