

Another Hacker’s Laptop, Cell Phones Searched at Border - philipn
http://www.wired.com/threatlevel/2010/11/hacker-border-search/

======
jwr
I find it amazing that there is so little outrage at what is happening in the
USA.

The country that paints itself as an example of freedom and democracy and
aspires to spreading those values around the world is the same country that:

* kidnaps and tortures people,

* sets up a military prison with no civilian oversight, outside any legal jurisdiction, where it keeps people indefinitely,

* kills people in various countries using missiles launched from drones,

* interrogates its citizens as they come back from abroad, threatening them with detention or not letting them into the country,

* tightly controls the media and what information gets released from war zones,

* has a lawless "zone" extending 100 miles from its border, where laws are unclear, and people can be searched without warrant,

* seizes computers, accesses and copies data, threatens people so that they give up their passwords,

* uses scare tactics on security researchers (see story above) and whistleblowers (see all the wikileaks stories)

I come from a former-communist country that was under the Soviet influence. We
fortunately no longer are. I think what I listed above is very visible to
people like me, but somehow it goes under the radar of most Americans. I see
it as classical secret police tactics, utilized in all totalitarian regimes,
while Americans seem to see it as a necessary nuisance to "combat terrorism".

I find it even more amazing that instead of fighting back, people just discuss
workarounds. Ship your data via FedEx, keep it online, wipe your drives, carry
a laptop with an empty drive… This works today, but the way things are
developing, it might not work tomorrow!

Wake up, people. In comparison to things I listed above the whole ridiculous
story about the "naked scanners" is just a joke.

~~~
RyanMcGreal
What amazes me is that the great swath of Obama supporters who decried the
Bush administration's civil rights abuses are strangely quiet about the
continuation of those abuses today. (Caveat: I'm not American, but if I was, I
would have held my nose and voted for Obama in 2008.)

~~~
jwr
But look at the greater problem: Obama or not, people don't actually _do_
anything. Sure, there will be some forum discussions, but that's pretty much
it. The EFF and ACLU seem to be the only organized movements that actually try
to do anything. In the political landscape these issues just do not appear.

~~~
RyanMcGreal
You're right. Most people assume their democratic duty amounts to showing up
and voting once every two or four years - though almost half of eligible
Americans don't even do that much - and that voting for the best candidate is
enough to effect change.

Community organizer Saul Alinsky famously had a meeting with US President
Franklin Delano Roosevelt, who had just been elected in the deepest trough of
the Great Depression. Alinsky spoke about the President's role in creating a
more fair and prosperous society.

At the end of the meeting, FDR told Alinsky: "Okay, you've convinced me. Now
go out and put pressure on me!"

------
jdietrich
It could be worse. Here in the UK, they would have locked him up for refusing
to hand over his passwords. The Regulation of Investigatory Powers Act makes
it a specific criminal offence and people have been imprisoned for it.
Personally, I'm worried that I might get locked up for refusing to decrypt the
contents of /dev/urandom. I think we need to wake up to the fact that there
are a lot of people in power who would prefer that strong cryptography be the
exclusive preserve of government.

~~~
mbreese
You know, if you ever wanted to keep something _really_ hidden, naming it
/dev/urandom (or some variant thereof) would be a good way to go.

~~~
weavejester
Or perhaps "one-time-pad.txt" :)

~~~
alextgordon
You could actually encrypt your data using a standard algorithm, then
construct a "pad" such that they combine to make a seemingly benign plaintext.
No way to prove that your ciphertext is anything other than the other half of
the pad (though I'm not a cryptographer :) ).
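
The construction described in the comment above, as an added example that is not part of the original post: given a ciphertext, a "pad" can be built for any decoy of equal or shorter length, so the ciphertext alone cannot be tied to one plaintext. The SHAKE-256 keystream stands in for the "standard algorithm", and all function names and sample strings are assumptions constructed for this illustration.

```python
import hashlib
import secrets


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (assumption): SHAKE-256 keyed with key || nonce.
    return hashlib.shake_256(key + nonce).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream inverts itself


def make_pad(ciphertext: bytes, decoy: bytes) -> bytes:
    """Build a pad such that ciphertext XOR pad == decoy (space-padded)."""
    if len(decoy) > len(ciphertext):
        raise ValueError("decoy must not be longer than the ciphertext")
    return xor(ciphertext, decoy.ljust(len(ciphertext), b" "))


def demo():
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    secret = b"constructed sample: meeting notes 2010"
    ct = encrypt(key, nonce, secret)
    # Two different pads "open" the same ciphertext to two different decoys.
    pad_a = make_pad(ct, b"shopping: eggs, milk, bread")
    pad_b = make_pad(ct, b"call the dentist on monday")
    return (decrypt(key, nonce, ct),
            xor(ct, pad_a).rstrip(),
            xor(ct, pad_b).rstrip())


if __name__ == "__main__":
    for line in demo():
        print(line.decode())
```

The pad is derived from the ciphertext, so it has to be generated after encryption and regenerated whenever the ciphertext changes.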

------
snissn
slightly relevant:

To protect his privacy and that of his clients, Mitnick encrypts all the
confidential data on his laptops, transmits it over the Internet for storage
on servers in the U.S., and wipes it from the computer before returning from
any international trips, just in case officials decide to search or seize his
equipment. He also encrypts his hard drive. And now, he says he is going to
keep a "clone" of his MacBook at home so he will have an exact duplicate of it
if it is ever seized.

<http://news.cnet.com/8301-1009_3-10054569-83.html>

~~~
sev
Why would he tell people where he keeps the clone?

~~~
davidwparker
To make people think he's keeping it there but he really isn't? A bluff?

~~~
RyanMcGreal
I thought analysts took a dim view of security by obscurity.

~~~
ams6110
I think the dim view is on using obscurity as your only or main security
approach. However leading attackers down blind alleys, in addition to having
real security measures in place, doesn't seem to me to be entirely worthless
(IANA Security Analyst).

------
blhack
Interestingly, I just had a discussion with my roommate about this. We were
sitting in a coffee shop, and he was mad at himself because he forgot the
latest copy of a game he is working on at the house...

Why is this a problem _at all_ anymore? Hosting is _cheaap_. I have a linux
VPS at linode that I pay $20/mo for and almost everything that I do is stored
there. Honestly, the only things I can think of that _aren't_ stored on that
machine (which trades nightly rsyncs with another machine with a different
provider and on a different network) are minecraft, my music collection, some
photos, and a journal that I just started keeping a couple of weeks ago (gets
encrypted with 256bit AES and lives in the home dir on my laptop).

My point is that there is absolutely no reason to keep anything on your local
machine anymore, at least not ones that I can think of. Why not keep a server
in the basement, and then just run SSH with X11 forwarding? Keep a cheap,
disposable machine with you and if something like this happens, sell it and
buy a new one.

It's really sad that this is even an issue, but I do think that there are
solutions to it.

~~~
gst
Not a good idea if you know that you're targeted by the government. ;) In fact
this makes it much easier for them to get access to your data.

If they know your name they can get to your credit card transactions. From
your credit card transactions they get to your hoster. And from your hoster
they get the data that's stored on your VPS.

You can somehow mitigate this issue by storing your important data on an
encrypted filesystem, but this does not really solve this problem as the key
has still to be kept in memory.

~~~
blhack
I'm not saying do it via VPS, I'm saying keep a server in your house.

_I_ do it over VPS because, as far as I know, nobody is after me :-P

------
mmaunder
Border search exception (to the 4th amendment warrant requirement):

<http://en.wikipedia.org/wiki/Border_search_exception>

In a similar vein, check out Exigent Circumstance:

<http://en.wikipedia.org/wiki/Exigent_circumstances>

The text of the fourth amendment to the constitution:

"The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated,
and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized."

~~~
nubian
The government has decided that the "border" extends 100 miles inland from
official land/sea borders. This apparently covers 2/3rds to 4/5ths of the U.S.
population.

Coverage on the 100-mile-thick ACLU-dubbed "Constitution-Free Zone":

Wired: <http://www.wired.com/threatlevel/2008/10/aclu-assails-10/>

Ars Technica: <http://arstechnica.com/security/news/2008/10/aclu-23-of-us-population-lives-in-constitution-free-zone.ars>

(Note the entire land area of the Hawaiian islands is covered, as is the
entire state of Florida.)

I think it's probably even worse than that, though, because International
airports count as "borders" no matter how far inland. So I would not be
surprised to see this extended to a 100-mile radius of all international
airports as well, which would cover almost everybody.

~~~
_delirium
I remember being pretty surprised by this when I was a kid, and we had to stop
at a checkpoint on I-10 in West Texas, where it turns away from the Mexican
border (eastbound) to head into central Texas. I recall thinking that it must
be some sort of emergency, like they were looking for an escaped criminal or
something, because surely those kinds of checkpoints aren't allowed in a free
country in routine circumstances?

------
pavel_lishin
If I were him, I'd be tempted to make an image of his drive, and compare that
to an image made after the agents tampered with it, to see what changes
occurred in the process.

But like he said, he couldn't even trust them physically. I'd be tempted to
just toss them in the trash, if I could afford to easily replace them.
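
One way to do the before/after comparison described in the comment above, as an added example that is not part of the original post: hash the image block by block before travel, keep that manifest off the device, and report which block ranges differ afterwards. The 512-byte block size, the function names and the in-memory sample image are assumptions constructed for this illustration.

```python
import hashlib
import io

SECTOR = 512  # manifest block size; an assumption, not from the thread


def build_manifest(image, block_size=SECTOR):
    """Hash every block of an image; store this list away from the device."""
    return [hashlib.sha256(chunk).hexdigest()
            for chunk in iter(lambda: image.read(block_size), b"")]


def changed_ranges(baseline, image, block_size=SECTOR):
    """Return inclusive (first, last) block ranges that differ from baseline."""
    current = build_manifest(image, block_size)
    total = max(len(baseline), len(current))
    ranges, start = [], None
    for i in range(total):
        old = baseline[i] if i < len(baseline) else None
        new = current[i] if i < len(current) else None
        if old != new:
            if start is None:
                start = i              # a run of modified blocks begins here
        elif start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:              # run reaches the end, or the size changed
        ranges.append((start, total - 1))
    return ranges


def demo():
    """Constructed 16-sector image with three sectors altered afterwards."""
    before = bytes(i % 251 for i in range(16 * SECTOR))
    after = bytearray(before)
    after[3] ^= 0xFF                   # sector 0
    after[9 * SECTOR + 100] ^= 0x01    # sector 9
    after[10 * SECTOR] ^= 0x01         # sector 10
    baseline = build_manifest(io.BytesIO(before))
    return changed_ranges(baseline, io.BytesIO(bytes(after)))


if __name__ == "__main__":
    for first, last in demo():
        print(f"blocks {first}-{last} changed "
              f"(byte offsets {first * SECTOR}-{(last + 1) * SECTOR - 1})")
```

Both images need to be taken from external boot media with the drive read-only, since a normal boot alters blocks on its own. Firmware or hardware changes do not show up in a disk image.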

~~~
mbreese
I'd just start FedEx'ing things and just take a book... Perhaps travel with
just a SIM card and pickup a new phone when I landed.

That's about the only thing you could really start to do.

~~~
eli
I've heard that this is SOP for international lawyers. They don't want some
border agent sniffing around confidential legal files.

~~~
bhousel
Yes, you heard correctly. I remember a talk at a past LegalTech conference
where the panelists urged anyone doing a lot of traveling (especially to
'sensitive' parts of the world) to simply travel with a 'spare' laptop, and
keep everything important on encrypted USB drives, which can be sent through
the mail in tamper-resistant packaging. It solves several problems:

1. Confidential data won't be compromised during a border search, theft,
accident, etc.

2. You avoid the issue of being forced to give up your passwords to law
enforcement.

3. If the laptop is confiscated, it can take months to get it back, so you
wouldn't want that to happen to your main work machine.

------
dalore
> “I can’t trust any of these devices now,” says Marlinspike, who asked that
> Threat Level not report his real name. “They could have modified the
> hardware or installed new keyboard firmware.”

I thought when you get searched they have to keep your possessions within your
view at all times.

~~~
Zak
I believe that's generally true for the TSA, but not customs.

------
Super74
Let me get this straight. This is a person who has openly admitted to knowing
how to hack banking systems among others, then travels to countries like Abu
Dhabi and the Dominican Republic to present that information.

We are surprised that he is searched at the border to the US? He was treated
politely, not physically harmed and had his hardware returned. Sounds like the
government is finally doing their job.

Maybe there are "certain" people out there throwing his name around and the
government was obligated to look into this.

I would not support gross negligence by our government and this sounds like
normal procedure to me, given the extenuating circumstances.

~~~
jdp23
i suspect that many people on HN have the skills to break into quite a few
computer systems, and travel to places that are hotbeds of computer crime such
as New York, SF, and of course internationally.

does that mean we should all be detained and have our computers and phones
taken away and searched whenever we go within 100 miles of a border?

~~~
bhickey
You're right, this place is rife with technological supermen. Give me a
sawzall and an acetylene torch and I could 'hack' the Gibson.

------
jwu711
That's completely ridiculous. Makes me want to travel even less now ...

~~~
nubian
"The Fourth Amendment to the Constitution contains a border-related exception
to unreasonable search and seizure laws, permitting searches at border
checkpoints that wouldn't be permitted elsewhere. But federal statute 8 CFR
287.1 (a)(1-3) defines the border zone for enforcement purposes as
encompassing an area within 100 miles of the actual border, with the
possibility of extending it further under certain circumstances. This means
that the US Border Patrol could conceivably set up random checkpoints asking
travelers for a passport in places like Columbus, Ohio; Houston; or anywhere
in the state of Florida. And, in fact, it appears that it has been doing
exactly this."

<http://arstechnica.com/security/news/2008/10/aclu-23-of-us-population-lives-in-constitution-free-zone.ars>

~~~
wnoise
Well, it's not so much "contains" as "has had read into it".

------
cakeface
I wonder if the government is targeting this hacker for his involvement in
Whisper Systems, <http://www.whispersys.com/>. Their main products are easy to
use encryption software for calls and texts on android smartphones. From what
I can recall the gov really does not want ubiquitous encryption for voice
communication in the US. It totally breaks down the whole wiretapping
paradigm.

------
alanh
Things like this, along with laptop theft, are excellent reasons to encrypt
your home folder. This is pretty easy with built-in software on both Windows 7
& Mac OS X (and I’m sure common Linux distros).

One caveat is that encrypted home folders tend to take maybe 1.2× the space of
an unencrypted home folder, so delete some videos & music if you’re on an SSD
or otherwise constrained HDD.

------
husein10
A word of caution to those keeping data on 3rd party machines...

<http://www.schneier.com/blog/archives/2007/06/third_party_con.html>

Also, note that this article is from 2007 and the law may have changed
slightly since then.

------
ahi
Seems like they buried the lede. In the simple minds of the Feds he was
connected to the Wikileaks crew.

------
lusis
I was a bit surprised by the fact that he didn't want his name revealed in the
article. It's not like some people don't know who he is. [edit] decided to
respect Moxie's request in the article and remove a small bit of identifiable
info

~~~
_corbett
as he goes by Moxie socially as well, doesn't want his true name to be
revealed is a bit sensational

~~~
lusis
True. I guess unless he's legally changed his name the feds and anyone who's
cut him a check obviously already knows who he is.

------
Mithrandir
<http://www.googlesharing.net/>

Moxie's awesome addon/proxy.

------
ck2
If it took them "a few hours" then essentially they cloned the hard drive,
sector based.

