
Two-Factor Authentication and the Police State - edent
http://shkspr.mobi/blog/2013/08/two-factor-authentication-and-the-police-state/
======
DanBC
A few people are making a similar mistake. They are saying that RIPA forces
you to hand over the keys to allow people to decrypt your content.

That's only partially accurate. RIPA also allows 'them' to demand that you
make the plain text content available.

Not having the keys doesn't help you if you have had the keys, or 'they' think
that you can get the keys. Thus, the WikiLeaks files are safe for me because
there's no reasonable expectation that I can get access to the plaintext
content. But if I have a bunch of encrypted files on my computer and
encryption software, etc., they are going to claim that I have access to the
plain text data.

([http://www.legislation.gov.uk/ukpga/2000/23/contents](http://www.legislation.gov.uk/ukpga/2000/23/contents))

Note that while the law talks about keys it also talks about "intelligible
content" -
([http://www.legislation.gov.uk/ukpga/2000/23/contents](http://www.legislation.gov.uk/ukpga/2000/23/contents))

> _that it is not reasonably practicable for the person with the appropriate
> permission to obtain possession of the protected information in an
> intelligible form without the giving of a notice under this section,_

See also
([http://wiki.openrightsgroup.org/wiki/Regulation_of_Investiga...](http://wiki.openrightsgroup.org/wiki/Regulation_of_Investigatory_Powers_Act_2000/Part_III))

------
lignuist
If you are not allowed to talk to your lawyer, then maybe your lawyer should
be the one who has the password.

~~~
fluidcruft
This could be easily combined with joshuaellinger's suggestion for a "travel
mode". Flip a switch before you leave (analogous to "airplane mode") and then
2FA codes must come from a third party (your lawyer). When you arrive, contact
the third party (your lawyer) and re-enable access using your own 2FA.

~~~
tricolon
Sadly, I'm pretty sure a lawyer can be compelled to divulge passwords and
tokens.

~~~
a3n
I think the point here is not that the lawyer could refuse the 2FA token if he
detects duress. You have to give up the login credentials if you're able. The
point is that you're now able to inform your lawyer that you're in detention.

You can work out a protocol with your 3rd party (e.g. lawyer) ahead of time
that requires you to state where you are, and there's all sorts of coding
available to you for that. He'll give up the token regardless, but might be
able to start action on your behalf if he detects that you're not where you
should be.

------
jtheory
Going after 2-factor auth as the _simple_ way to manage this ("I can't get
access, personally") seems wrong to me.

The second factor is something you have. You'll normally travel with the
"thing you have", and since many sites implement 2-factor differently, you'd
have to change the setup for _all_ of those sites before you travel.

Instead, what about not knowing the password?

This is pretty easy to do, and it's _also_ good personal security generally.

Use a password manager (like KeePass or LastPass), and set all passwords to
unique random strings of 16 characters or so. If the password manager enters
the passwords into websites for you, you'll never type them (and thus never
memorize them).

Then you just need a way to not know the keyphrase that unlocks your password
manager datastore... that's easier to change quickly before you travel (or let
your partner manage this, or use 2-factor on LastPass, etc. -- it's an easier
problem, because it's just one thing).

------
buro9
Use YubiKeys (something you have).

Use TrueCrypt volumes on USB sticks (encrypted data). Put puppet scripts on
there to bootstrap your system.

Ship both separately and confirm receipt of YubiKey before shipping the USB
stick.

Travel with unencrypted, freshly imaged hardware with no sensitive data
(perhaps run an OS from a read-only file system).

Arrive, insert USB stick and YubiKey... now enter password (something you
know)... and bootstrap your system to use it.

This is all a big pain in the arse, but leaves you travelling with nothing
likely to get you into trouble.

~~~
aspensmonster
From what I can tell, if they've targeted you, they're going to take your
stuff. Doesn't matter if the drives look like noise or are nothing but zeros.
The point is primarily to be a thorn in your side and to drain you of money.
Any intel gleaned is just icing on the cake.

~~~
buro9
Actually, in the scenario I outlined you don't need to take a laptop anywhere.

Just ship the data and use a commodity device at the other end.

~~~
Spearchucker
This, I think, is where it's at. I reset my phone and delete my TrueCrypt
volume every time I cross a border. On the other side I just download the TC
volume, download my app[1] onto my phone, and re-sync my data.

[1] This is a DB I wrote myself; it is sideloaded (i.e. isn't in an app store)
and syncs data between my phone, laptop and desktop.

~~~
grecy
If they're watching you already, they are going to know about this DB full of
good stuff you have, and they're going to demand you give them access to it,
in the same way they can demand you give them keys and unencrypted data.

------
viraptor
This got me thinking about the equipment I fly with from the UK. It seems that
the only good way to protect your equipment while travelling is to actually
not know your password at the time. This may be even implemented fairly simply
- unless you're addicted to checking your email every minute, you can
reasonably protect every sensitive drive / account with a new password before
leaving, arrange for the password to be physically available at the
destination and turn everything off before departure.

I really don't have any idea what the response to that would be. But I'd
rather have my laptop with full disk encryption taken away than to give access
to emails. (and in practice to all other services via password resets)

For phones without a full disk encryption, you can reasonably easily back
everything up, leave a copy online and restore on arrival, so that's not a big
deal either. You can still use it as a phone in the meantime, just make sure
it's completely wiped and has no connected accounts.

------
joshuaellinger
Imagine a police state aware 'travel mode' that does the following:

1. Locks all your devices at the start of travel.

2. To log into your laptop, you need a code from your phone.

3. If your phone received a login request, it would record your location and
ambient conversation to a destination of your choice. Put in a little delay
between receiving the code and displaying it.

4. When you log in with this code, you go into a low-privilege user account
and/or are locked out of anything sensitive.

5. To unlock, you request another code from your phone. It only works if you
are either at home.

You could carve out some exceptions for things you need while traveling that
the bad guys who think they are good guys would already know.

~~~
pdubbs
You could also have a trusted person set your device passcodes and/or receive
your 2fa codes and instruct them to not answer calls/reply to messages until
you are at your destination.

------
krakensden
Some work has already been done in this area:
[http://en.m.wikipedia.org/wiki/Rubberhose_(file_system)](http://en.m.wikipedia.org/wiki/Rubberhose_\(file_system\))

~~~
evacuationdrill
Non-mobile link:
[http://en.wikipedia.org/wiki/Rubberhose_(file_system)](http://en.wikipedia.org/wiki/Rubberhose_\(file_system\))

------
klon
How about a distress code password that you can give them which, when used,
triggers a self-destruct mechanism?

~~~
edent
Distress codes are an interesting idea. Although I'm sure that there are
probably laws around supplying false information and/or destruction of
evidence.

~~~
GotAnyMegadeth
Dangerous, but what if your destruction code was 1 character out of 20
different from your actual password? Do you reckon you could claim the
intruder had fat fingers?

~~~
cdash
You could claim that no matter what, it wouldn't work though.

------
retube
What you need is a dummy account... log in to the PC with the dummy password
and you see a different system.

~~~
viraptor
My system doesn't have much data I couldn't clone from github or copy again
from $some_picture_upload_service. GPG key is the only one that comes to mind
really. It's the password to online services that's critical.

------
etherael
I like this, skip the political bull and jump straight to subversion, bravo!

Idea for a new service: trusted Tor-homed token vendor (a la dpr or similar
bonded agency), takes advantage of the trusted third party model whilst
providing a jackboot-thug resistant party to verify the full transaction. For
bonus points add duress challenges which will fail authentication in a
non-obvious way or provide fake but plausible data instead of the real thing.

~~~
fluidcruft
You could also use those two-of-three or three-of-four encryption schemes (I
only know about this partially--I've seen it mentioned as a way to safely
store bitcoin private keys so that no one individual can access the account--
only a quorum). Then it would take participation of two of three people (or
three of four, etc) that know you to restore access (allows for some of the
people you're relying on to be unreachable/dead).

That way the state doesn't have just one additional third-party target for
getting access, they have to go after a group of hopefully decentralized
people en masse.

------
exDM69
Two factor authentication is a good defense against many practical threats
_but_...

Wasn't Mr. Miranda's cell phone confiscated as well? That's what I understood
from the news reports, they took his laptop and his phone, and required his
passwords. So your regular Google/Facebook two factor authentication is
useless if you've lost your phone.

~~~
pyrocat
Did you read the article? It directly addresses that issue.

------
zeteo
Why not one-time use codes (e.g. [1]) instead of the phone? You can discreetly
destroy the list that you carry as long as you can only get a new list at your
destination.

[1]
[https://support.google.com/accounts/answer/1187538](https://support.google.com/accounts/answer/1187538)

~~~
edent
That rather assumes that you have a convenient, fast, and unobtrusive way of
destroying the list while being told "would you mind stepping over here, sir"
in an airport full of security cameras.

The alternative - and much more practical suggestion - is not to travel with
the codes. You run the risk of not being able to connect to the service - but
at least no-one else can.

~~~
zeteo
Rice paper doesn't taste too bad. How will they prove in court that my snack
had security codes on it?

~~~
delinka
Startup idea: Security Snacks - one-time pads printed on pairs of snack foods

~~~
petera
Sorry, couldn't decrypt messages, was hungry or keys got wet.

------
Qantourisc
Change all your passwords to insanely long random keys. Store these in a
place you cannot access without being present (for example a bank), encrypted
so the bank doesn't access it, and possibly with more than 1 copy.

Don't travel with anything you wish to lose. On return, reclaim saved
passwords.

------
6d0debc071
I wonder how well security by obscurity - or at least partially by obscurity -
would work in this sort of situation. Do they know enough to ask for the
passwords to your randomly chosen server? Do they know enough to do steg on
some random imgur photo, or on your forum avatar? Do they know enough to ask
for the passwords for something that's going to be sent to you via the
internet, on time-delay, _after_ you've left their custody - and which you'll
have plenty of time to send an abort code to, like say asking your computer
back in your country of origin for a different file than the backup, if the
password is compromised anyway?

------
TallGuyShort
I appreciate the people who are developing and evangelizing technology to
fight these problems, but in my opinion it's akin to putting a band-aid on a
gunshot wound. The problem is that the US government has repeatedly shown
itself to be acting without an acceptable level of honesty, transparency,
responsibility, or ethics. Until that changes, I don't think technology is
going to solve this problem.

~~~
grecy
I agree with you wholeheartedly, though to continue your analogy, the problem
of gun violence doesn't mean we should stop innovating band-aids.

------
meapix
Here is how you enable 2FA (assuming the service provider doesn't provide
these directly to the bad guys). SMS can fall into bad guys' hands easily:

1. Install OATH Toolkit.

2. Encrypt swap space using eCryptFS.

3. Create a TrueCrypt file system with your 2FA keys in it.

4. Every time you need the code, mount (3), run (1), umount (3).

Again, this assumes the service provider doesn't provide the access directly
to the bad guy.

~~~
edent
Perhaps I'm missing something, but what's to stop the security services
demanding you reveal the password to your TrueCrypt partition?

~~~
meapix
It depends how far you want to go with torture.

~~~
tpetry
Torture? The affair at the London airport has shown that you do not need any
torture: You have to tell them your passwords or you get in trouble.

~~~
meapix
"You get in trouble" is what I meant. How much torture you can handle before
releasing the password for the TrueCrypt volume.

------
drill_sarge
Do such laws (you must give password) apply to you if you are just visiting a
country with such laws?

~~~
nness
IANAL, but I would definitely say so. There have been stories here on HN in
the past about people having to hand over laptops and passwords when crossing
the US border. A country's laws apply to its citizens and those visiting.

------
a3n
> Classic multi-authentication security is based around the idea of:

> Something you know (e.g. a password).

> Something you have (e.g. a smart card)

> Something you are (e.g. a fingerprint)

> rather than sending an SMS to his phone, it sent it to his partner's phone.
> Every time he wanted to log in to Facebook, he would have to ring his
> partner and ask for the one-time code.

New CloudSystems' _Four Factor Authentication_. The first factor stops your
spouse. Then the second factor stops your boss. The third factor stops a
random crackhead after he grabs your laptop out of your car. And finally, the
_fourth_ factor stops the NSA and GCHQ for up to nine hours.

Four Factor Authentication: Because -- You'll believe anything.

(Based on SNL's Triple Trac Razor parody.
[https://en.wikipedia.org/wiki/List_of_Saturday_Night_Live_co...](https://en.wikipedia.org/wiki/List_of_Saturday_Night_Live_commercial_parodies#T)
)

------
chayesfss
2fa keeps hackers out, encryption keeps the state out

~~~
tpetry
and you don't think they have enough time in those 9 hours asking you for your
TrueCrypt password? Remember: You have to give them your password!

The only way is encrypting your disk and not knowing the password. Sounds
impractical, and it is. But maybe your phone could use geofencing to look
whether you reached your destination and then display the password on the lock
screen? But you should hope nobody steals your notebook and phone and travels
to this location xD

~~~
fluidcruft
Perhaps rather than a simple geo-fence, you have to physically trace an unlock
pattern (visit a pre-determined set of locations in a specific order).

The only problem is that if you KNOW how to unlock the devices, you're
required to unlock them. So really, you have to NOT know how to do the unlock
(geo-fencing doesn't help--you'd be expected to tell them about the fence and
how to pass).

The point of the third-party 2FA is that you can tell them exactly what has to
be done.

~~~
spiritplumber
The real problem here is that one of the players has the ability to alter the
rules of the game as the game proceeds, to ensure a win.

The only winning move is not to play.

------
drill_sarge
One password unlocks your encrypted drives, another one destroys all data.
Authorities can look into your Google or Facebook anyway.

------
crocowhile
TrueCrypt hidden volumes already solve the problem of password extortion,
although they are not easy to set up properly.

~~~
gcb0
Still not solving for:

1. Clone drive.

2. Force you to give the password.

3. If no sensitive data shows up, use $5 pipe wrench and go to step 2.

~~~
jafaku
If they are going to torture you just in case there is a hidden volume, they
might as well torture you just for fun.

