[Politech logo]

Politech is the oldest Internet resource devoted to politics and technology. Launched in 1994 by Declan McCullagh, the mailing list has chronicled the growing intersection of law, culture, technology, and politics. Since 2000, so has the Politech web site.

Technical privacy tips: More on customs-proofing your laptop and border safety

Previous Politech messages:
http://www.politechbot.com/2005/05/03/proofing-your-laptop/
http://www.politechbot.com/2005/04/21/update-on-alabama/

Also note PGP announced their "whole disk" solution (yes, including
encrypting your boot drive under XP) yesterday:
http://news.com.com/2061-10789_3-5698279.html

-Declan


-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
border searches [priv]
Date: Wed, 4 May 2005 14:35:25 -0700
From: Chris Palmer <chris@eff.org>
To: Declan McCullagh <declan@well.com>
References: <427860AB.1070204@well.com>

Declan McCullagh writes:

> Can anyone recommend a checksum'ing utility for Windows and OS X? It
> would be nicer than a command-line interface.

I hacked this up for the fun of it:

http://www.noncombatant.org/software/digest.py

Requires Python with the Tkinter GUI module, tested on Mac OS X, Linux,
and Windows. I can build standalone packages if anyone cares.

-- 
http://www.eff.org/about/staff/#chris_palmer



-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
border searches [priv]
Date: Wed, 4 May 2005 08:54:33 -0400
From: Peter Wayner <p3@wayner.org>
To: Declan McCullagh <declan@well.com>
References: <427860AB.1070204@well.com>

A good solution is to use CD-ROM-based OSes like Knoppix Linux. These
boot from readonly media and can't be infected by viruses, spyware, or
other glitches. (I often wonder why does Mac OS X need a tool for
fixing permissions on files? How do they get changed by mistake????)

A user's files can be stored in encrypted form on a USB drive. These
are also easy to image, but perhaps the encryption could protect the
information.

-Peter


-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
border searches [priv]
Date: Thu, 05 May 2005 14:34:42 +0900
From: Rod Van Meter <rdv@tera.ics.keio.ac.jp>
Reply-To: rdv@tera.ics.keio.ac.jp
To: Declan McCullagh <declan@well.com>
CC: politech@politechbot.com
References: <427860AB.1070204@well.com>

2005-05-03 22:42 -0700 に Declan McCullagh's anonymous correspondent
wrote:

> 
> Loretta's experience w/ US Customs is chilling.  The fifteen minutes her
> notebook computer was out of view and in government custody is plenty of
> time for an agent to image the drive.

Declan,

Let's keep the debate technically realistic.  No modern laptop disk
drive can be read end-to-end in fifteen minutes.  The Toshiba MK4004GAH
40GB drive in my laptop, for example, has a raw data rate of 125-253Mbps
depending on head position.  Multiply that by about 0.6 to account for
sector formatting, error correction, tracking signals,
track/head/platter switch times, etc., and you get a maximum user data
rate of under 20 megabytes/sec, an average rate of more like 15MB/sec.
So, reading the whole thing takes somewhere between 2,000 seconds and
twice that -- close to an hour.  And this problem gets worse as drive
technology advances -- track pitch and total tracks on a drive are
growing faster than the RPM rate.

Install spyware in fifteen minutes?  Probably.  Take a quick peek at
your home directory, if the laptop boots/wakes up in the general area?
Yes.  Copy a few parts of it?  Yes.

But remove the drive from the laptop (which takes more than sixty
seconds on many laptops), image it, and reinstall the drive, all in
fifteen minutes?  No.

		--Rod




-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
border searches [priv]
Date: Wed, 4 May 2005 11:03:34 -0400 (EDT)
From: rjhorn@panix.com
Reply-To: rjhorn@alum.mit.edu
To: declan@well.com

On  3 May, Declan McCullagh wrote:
>
> Can anyone recommend a checksum'ing utility for Windows and OS X? It
> would be nicer than a command-line interface.
>

For a Windows PC I would suggest a combination of the publicly available
(if somewhat old) "tripwire", a bootable Knoppix CDROM, and a USB
storage device that you keep at home.  "tripwire" maintains a nice
database of files, directories, sizes, protections, etc. and can be
configured to report intelligently about changes.  For example, you can
tell it that a file is an audit log, so that it does not complain about
extensions (unless you ask it to) but will complain if the previously
seen content has been modified.  You then run tripwire routinely,
storing the updated database on the USB device.

I find it comforting to see it tell me about the new files I've created,
others that I've edited, etc. Since it is running off the Knoppix CDROM
rather than the local PC disk, it detects even the OS modifying stealth
spyware.

The primary restriction is that you must use a FAT file sysem rather
than NTFS (because Knoppix does not fully understand NTFS).  A secondary
restriction is that it works at the file level, so you are constantly
being told that something somewhere is different in the Windows registry
with no further hint as to what it might be that got changed.  This is a
general problem with all database-like files.  "tripwire" just says
"file changed".

There is also a commercial version of "tripwire" with substantially
better features if you want to spend the money.

R Horn




-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
border searches [priv]
Date: 09 May 2005 13:09:41 -0400
From: stanislav shalunov <shalunov@internet2.edu>
To: Declan McCullagh <declan@well.com>
References: <427860AB.1070204@well.com>

Anonymous (hinting at special access) writes:

> Loretta's experience w/ US Customs is chilling.  The fifteen minutes
> her notebook computer was out of view and in government custody is
> plenty of time for an agent to image the drive.

Is this right?  My IBM ThinkPad T30 gives 21MB/s sustained raw disk
performance.  With 40-GB drive, it would take over 30 minutes to copy
the disk.  It is possible that other notebooks have similar disk speed
and smaller disks, but 15 minutes is not necessarily enough to image a
drive.

Installation of keystroke capture software or hardware or similar
malware is another matter.  Once the computer is out of your hands for
15 minutes, one should not assume it to be a trusted computing base
anymore.  Reinstallation of the operating system should not be
considered appropriate to restore the status, as the BIOS -- or
perhaps even the hardware -- could have been modified.  The threat of
hardware modification especially appears to not be appreciated enough:
inexpensive gizmos such as KeyGhost have long been easy to hide in a
desktop; one should assume laptops to be similarly vulnerable.  For
data delivery, the hypothetical laptop gizmo could, for example,
establish independent wireless connections.

If anything, evidence of tampering should be sought out.  Some
imperfect security mechanisms that might improve your chances of
detecting tampering would include: (i) keeping the laptop suspended,
rather than switched off (with the screen password-protected,
naturally), would make it far more difficult to surreptitiously image
the entire drive by removing it; (ii) application of tamper-evident
sticky tape might make it more difficult to disassemble the machine
unnoticed; (iii) running Tripwire-like utilities (with both generation
and verification of checksums in single-user mode, if using a
UNIX-like system) with an external store for the checksums might make
it slightly more difficult to install malicious software unnoticed.
It should be stressed again that these are simply auxiliary security
measures that could be used in addition to the primary one: good
physical and electronic security of the laptop.  Without good physical
security (handing your laptop to a stranger for 15 minutes is very bad
physical security) the auxiliary measures might even be a net decrease
in security due to false sense of security.  Tamper-evident devices
can be defeated.

-- 
Stanislav Shalunov		http://www.internet2.edu/~shalunov/

This message is designed to be viewed with 0.06479891g of NaCl.




-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
bordersearches [priv]
Date: Wed, 4 May 2005 02:32:30 -0400
From: Danny Yavuzkurt <ayavuzk@fas.harvard.edu>
To: Declan McCullagh <declan@well.com>
References: <427860AB.1070204@well.com>

I always wondered what happened to Magic Lantern. I wonder how advanced it
must be by now... imagine, if even CoolWebSearch can hide itself so well
that almost nobody could detect it, how well could the government hide a
malicious keylogger or backdoor? Very well.

How can you maximize your security against all but the most determined
opponents? Heavy encryption, preferably at the disk driver level, with a
large key encrypted with a mathematically secure algorithm like
RSA/Diffie-Hellman, making sure to keep the key off the drive that may fall
into the "wrong hands," ie, on removable media you keep on your person...
what else... oh, using Van Eck-proof fonts when viewing sensitive
information, hell, why not Faraday-cage your computer to Tempest standards?
Then there's that new method some computer scientist recently worked out
for
telling which keyboard keys are being pressed by their unique sound (yes,
really). The amount of information every human action creates is larger
than
most people imagine.

-Danny





-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
border searches [priv]
Date: Wed, 4 May 2005 08:35:27 -0500
From: Rick Bradley <rick@rickbradley.com>
To: Declan McCullagh <declan@well.com>
CC: politech@politechbot.com
References: <427860AB.1070204@well.com>

* Declan McCullagh (declan@well.com) [050504 01:05]:
> A more advanced one would be to perform a checksum of all the files on
> the hard drive before-and-after through something like this:
>
> % for i in `find / -print`; do md5 $i >> /tmp/new; done ; diff /tmp/new
> /tmp/old
>
> The problem is that even your "diff" utility could be modified so you'd
> need to use a known-good copy from archival media.
>
> Can anyone recommend a checksum'ing utility for Windows and OS X? It
> would be nicer than a command-line interface.

I recommend Tripwire (tripwire.org, tripwire.com), though there are also
other similar solutions.

Rick
-- 
 http://www.rickbradley.com    MUPRN: 3
                       |  of B&K (for LCR) and
   random email haiku  |  Neuman KM (for surrounds) to
                       |  Hardy API preamps.






-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
border searches [priv]
Date: Wed, 4 May 2005 09:36:26 -0400
From: Adam Fields <politech23908923049@aquick.org>
To: Declan McCullagh <declan@well.com>
References: <427860AB.1070204@well.com>

On Tue, May 03, 2005 at 10:42:03PM -0700, Declan McCullagh wrote:
> Detecting whether the Feds or any government adversary has placed
> spyware on your computer when "examining" it at a border checkpoint is
> not entirely trivial. It is, however, important for your privacy and
> peace of mind -- especially because computer and PDA searches will
> likely become more popular in time.
>
> Here are some basic suggestions:
> http://www.politechbot.com/2005/04/21/update-on-alabama/
>
> A more advanced one would be to perform a checksum of all the files on
> the hard drive before-and-after through something like this:
>
> % for i in `find / -print`; do md5 $i >> /tmp/new; done ; diff /tmp/new
> /tmp/old
>
> The problem is that even your "diff" utility could be modified so you'd
> need to use a known-good copy from archival media.

Bruce Schneier has written about an unreleased tool from Microsoft
called GhostBuster, which sounds like the ideal solution for this.

http://www.schneier.com/blog/archives/2005/02/ghostbuster.html

-- 
				- Adam

** I can fix your database problems:
http://www.everylastounce.com/mysql.html **

Blog............... [ http://www.aquick.org/blog ]
Links.............. [ http://del.icio.us/fields ]
Photos............. [ http://www.aquick.org/photoblog ]
Experience......... [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]






-------- Original Message --------
Subject: Re: [Politech] Customs-proofing your laptop: Staying safe at
border searches [priv]
Date: Wed, 4 May 2005 17:50:01 +0200 (CEST)
From: Thomas Shaddack <shaddack@ns.arachne.cz>
To: Declan McCullagh <declan@well.com>
CC: politech@politechbot.com
References: <427860AB.1070204@well.com>

On Tue, 3 May 2005, Declan McCullagh wrote:

> Detecting whether the Feds or any government adversary has placed
spyware on
> your computer when "examining" it at a border checkpoint is not entirely
> trivial. It is, however, important for your privacy and peace of mind --
> especially because computer and PDA searches will likely become more
popular
> in time.

A relatively easy way to deny access to a hard drive could be a disk-level
password. ATA specs from version IV contain the feature of setting up user
and master password for the HDD, which then denies access to its content
until it is unlocked. The password has considerable length (40 hex
digits?) and the drive requires hardware reset after every 5 failed
attempts, which makes bruteforcing more time-intensive.

A related article is here: <http://www.heise.de/ct/english/05/08/172/>,
the Slashdot discussion here:
<http://it.slashdot.org/article.pl?sid=05/04/02/1828217&from=rss>.

I am not aware about Linux-based utilities for setting up passwords, but
an ATA password tool (atapwd), for DOS, is present on eg. the Ultimate
Boot CD <http://www.ultimatebootcd.com/>. Using this tool, it should be
easy to lock the disk before travel, then unlocking it again after
arrival.

The ATA password, unlike the BIOS password, is stored within the disk
itself, making it impossible to remove the disk and image it, at least
within reasonable timeframe.

The disadvantage of this approach is that the presence of the password
becomes obvious at the power-on, as the machine won't start.


For disks shipped by mail or courier service, another useful firmware
feature is the SMART power-on counter:
<http://www.ariolic.com/activesmart/smart-attributes/device-power-cycle-count.html>.

Before shipping, make a dump of the registers, write down this value.
After receiving the disk, check this value again; it should be higher
exactly by one. Higher difference than one indicates somebody powered it
on en-route.

Combining the power-on counter with the ATA password should provide a
basic level of security and tampering assurance, protecting at least
against the fishing-expedition level of investigation, the level that
poses a threat for everyone.


> Here are some basic suggestions:
> http://www.politechbot.com/2005/04/21/update-on-alabama/
>
> A more advanced one would be to perform a checksum of all the files on the
> hard drive before-and-after through something like this:
>
> % for i in `find / -print`; do md5 $i >> /tmp/new; done ; diff /tmp/new
> /tmp/old
>
> The problem is that even your "diff" utility could be modified so
you'd need
> to use a known-good copy from archival media.
>
> Can anyone recommend a checksum'ing utility for Windows and OS X? It
would be
> nicer than a command-line interface.

md5sum, either a Linux version from any bootable service CD, or a md5deep,
a recursion-friendly version of the same. md5sum and sha1sum exist
natively in both Linux and Windows versions.

Before the trip, boot the machine from a CD, make checksum of all the
files, upload it to the Net or store at a safe location. After the trip,
before the first power-on, repeat the operation. Diff the "before" and
"after" files, find the files whose checksum changed. Alternatively use
md5deep, which can automatically check files against a list of their
checksums.

For a skilled programmer, slapping a simple GUI or text menu interface on
this should be a quick task.

For md5deep, see <http://md5deep.sourceforge.net/>.


Yet another possibility is to have three separate partitions: one for the
OS, one for a known-good image of the OS (this can also be stored on a
separate medium, being it a DVD-R or a downloadable image somewhere
Internet-accessible), and one for the data, which will make it easy to
quickly reimage the OS disk without data loss. This approach also makes it
easier to deal with various conventional threats, from spywares to worms
to trojans. There is the added headache of maintaining a known-good
always-patched image, though.




-------- Original Message --------

http://www.brandonstaggs.com/filecheckmd5.html

I found this after our previous discussion.  This program makes it
pretty easy to create and compare checksums.  The one limitation - it
puts everything into RAM, so it's limited to doing about 30,000 files at
a time on my 2 GB-RAM laptop.  But it's just fine for doing directories.

Re removal of drives for imaging...  At least on my drive, there's a
screw you have to remove to remove the drive.  You can put nail polish
on the screwhead to make it hard to remove, or if you want warning, you
can just make a mark on the case next to the screw slot, and thus you
can determine if the screw has been turned.

If you post, keep my name off please.

h





Posted by Declan McCullagh on May 10, 2005 in category privacy


Get a Politech feed through RSS or Atom [RSS] [Atom]

The Politech general information pages and photographs are copyrighted by Declan McCullagh. Original posts distributed to the mailing list are licensed under a Creative Commons License.
Creative Commons License