back to article Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official

Paris airport security went one step further than simply asking a security expert to power up her laptop - they requested she type in her password to decrypt her hard drive and log into the machine. Katie Moussouris, chief policy officer at HackerOne, and best known as the woman behind Microsoft's Bug Bounty Program, was en …

Page:

  1. Yet Another Anonymous coward Silver badge

    Cunning

    With the French government you are never sure if it is incompetence, malice, both or neither

    1. Anonymous Coward
      Anonymous Coward

      Re: Cunning

      with ANY government my dear... the frenchies don't have - by far - the monopoly on administrative stupidity....

      1. chivo243 Silver badge
        Angel

        Re: Cunning

        @AC

        My missus is French, and the French may not have a monopoly on this type of thing, but are world leaders of it, she will attest to that.

    2. P. Lee Silver badge
      Coat

      Re: Cunning

      I see a marketing niche: laptops in German tank camouflage.

  2. PCS

    And this is news why???

    Must be a *very* slow day at El-Reg Towers.

    1. streaky Silver badge

      "Silly person has laptop that decrypts everything on desktop login" - it's reasonably newsworthy when you consider the field this person works in.

      1. petur

        indeed, even my personal laptop requires an additional decryption of a separate volume to access my data, so I can easily login with decryption and then do simple stuff like browsing, and not have access to my data.

        1. EddieD

          My thoughts entirely...

          It's long been known that if you take a computer through international security, you may be asked to power it up and show it to the officials.

          In the days of almost ubiquitous high speed internet, there are few reasons to leave any sensitive data on your machine - load it to your /private/ cloud (which someone in her job would have), wipe any trace off the machine - the o/s isn't going to be secret, and any necessary tools can be added to the cloud blob, smile sweetly at the security jobsworth - and we'd better face it, they are becoming, or maybe have become, the default - do what they ask, provide a forensic image if necessary, travel onwards to your destination, grab a latté with your colleagues as you download the aforementioned binary blob at your leisure.

          This is going to happen more and more - get used to it, and plan for it. It's not (quite, nearly, almost) the end of the world...

          You don't need to be paranoid to be aware that folk are out to be officious...

          1. Mark 65 Silver badge

            Re: My thoughts entirely...

            But how to retrieve the data from that private store? Username and password over https? NSA may like that. Use password protected ssh key? The most likely method but then that means your private key needs to be on that laptop albeit password protected. How secure is that these days? I'm not sure.

          2. MrXavia

            Re: My thoughts entirely...

            "In the days of almost ubiquitous high speed internet"

            I would like to know what world you are living in which has this almost ubiquitous high speed internet?

            Sure in the UK I can rely on my 3G, and I have a decent provider so I don't pay a fortune for ever GB... but traveling? have you ever seen roaming charges??

            Yes if your doing something that needs minimal data, its fine, but the cloud is only as good as your internet, and internet can be very very spotty...

            1. BongoJoe Silver badge

              Re: My thoughts entirely...

              I can't help but agree. Here there is no high-speed broadband so attempting to copy about 20GB up to a cloud or anywhere would take more than a whole day.

            2. Hans Neeson-Bumpsadese Silver badge

              Absence of high-speed internetq

              For example if you were travelling by air...

          3. Michael Habel Silver badge

            Re: My thoughts entirely...

            I wouldn't trust the "Cloud", further then I could spit a lightly fried Weasel in a Bun!

            1. Wensleydale Cheese Silver badge
              FAIL

              Re: My thoughts entirely...

              The OP said "Private Cloud" in case you missed it.

            2. Matt Bryant Silver badge
              Thumb Up

              Re: MIchael Habel Re: My thoughts entirely...

              QOTW!

          4. Anonymous Coward
            Anonymous Coward

            Re: My thoughts entirely...

            In the days of almost ubiquitous high speed internet, there are few reasons to leave any sensitive data on your machine - load it to your /private/ cloud (which someone in her job would have), wipe any trace off the machine - the o/s isn't going to be secret, and any necessary tools can be added to the cloud blob, smile sweetly at the security jobsworth - and we'd better face it, they are becoming, or maybe have become, the default - do what they ask, provide a forensic image if necessary, travel onwards to your destination, grab a latté with your colleagues as you download the aforementioned binary blob at your leisure.

            Data on your physical device: incidental exposure to nosy officials which you can manage with a crypto section

            Data in a private cloud: you are one coding mistake away from every jerk on the planet having a go at your data.

            I know what I would choose.

    2. Anonymous Coward
      Anonymous Coward

      This is news and fuck you

    3. Anonymous Coward
      Anonymous Coward

      I guess it must be a bit of a shock discovering the world is how it is and officialdom can do whatever it damn well pleases.

    4. dan1980

      @PCS

      It is news. Specifically, it is news of a tech/IT bent and one with a particular focus on security and privacy - an area which is generally rather important to people here.

      And here's the thing - not all of us fly internationally for business and so may not realise the extent of this paranoia and what may happen to them.

      The passenger in question clearly flies about a bit and was aware that turning on a laptop to prove it's real and operational is a relatively standard procedure. Asking her to actually log in, however, was a first for her and not something she had seen before. It stands to reason that it will therefore be something many others would alos have been unaware of.

      Now, presumably this is not actually common practice but what it shows is that it can happen. The benefit of knowing that this potential exists is that people can take appropriate steps.

      Ms. Moussouris had her laptop encrypted and this was enough for her purposes. Now that she is aware of this potential, on presumes she will change her setup so she has either a hidden drive or have data encrypted separately. Others can do the same now that they know this is a possibility.

      But of course EVERYONE encrypts everything like this already so this information is useless and anyone who doesn't is clearly an idiot so not worth helping. Right?

      1. T. F. M. Reader Silver badge

        @dan1980

        Asking her to actually log in, however, was a first for her and not something she had seen before.

        She used to work for Microsoft though, didn't she? I am curious because I used to work for another huge multinational computer company (say, 10 years ago) and I used to travel internationally with a company laptop with sensitive data on it, including code, presentations, plans, etc. The disk was fully encrypted, it wouldn't even boot without a password.

        The official company guidelines were, if you are stopped at any border, airport, etc., and are asked to boot your laptop and supply your passport - comply without arguing. If they want to take your laptop - surrender it without delay. No corporate data on your laptop is precious enough to make the hassle of getting you out of trouble worthwhile.

        I would naively assume Microsoft would have similar guidelines. Maybe she didn't get the memo?

        1. dan1980

          Re: @dan1980

          @T.F.M Reader

          "I would naively assume Microsoft would have similar guidelines."

          Quite possibly and maybe she was following them when she complied with the request to login. But that is not the point of any of this, which is simply that this represents a relatively new development - at least to the person in question and, given she presumably travels with a laptop a fair bit, one can expect that many less-frequent travellers were similarly unaware.

          Now, thanks to her blog (and various outlets like this commenting on it), more people know what they can expect or at least prepare for.

    5. Mark 65 Silver badge

      I couldn't quite fathom her surprise...

      Moussouris attributes the whole "unsettling" experience to an "Inspector Clouseau" type official exceeding her authority in checking that a computer was operational rather than anything more sinister.

      Unsettling? Surely she has encountered the TSA and their drive copying practices?

  3. Rainer

    They've probably captured her password now

    A pinhole camera somewhere or just by grabbing the electromagnetic impulses from the keyboard.

    Should have used a tin-foil blanket like Snowden in "Citizenfour".

    Thought that he was a bit over the top with the blanket, but apparently not...

    1. Paul Crawford Silver badge
      Black Helicopters

      Re: They've probably captured her password now

      That was my thought, that they wanted to record her password for whatever reason. I'm guessing that as she is a security expert she has now changed it, and it was never the same as anything else of importance.

      What is a bigger worry is they have copied the encrypted HDD at another time (while sleeping, etc) and they wanted that to get access to it.

      As another commentard has pointed out, best to have a 2nd account to demo a machine works so you don't have to decrypt your own files (assuming per-account encryption and not just full-disk).

      Hmm, might need a tighter tinfoil hat now...

      1. DougS Silver badge

        Re: They've probably captured her password now

        Nah, use FDE so they can see that password but as you say use a dummy account. Your real partition has another layer of encryption so even if they do copy your encrypted disk while you're sleeping and use pinhole cameras to steal your password, you'll be long gone before they decrypt their stolen copy of your drive and login to your dummy account and find it is bog standard unmodified and unpatched (why bother?) Windows 7, but there's a lot of space left on the hard drive that wasn't accounted for...

      2. DropBear Silver badge
        Devil

        Re: They've probably captured her password now

        That was my thought, that they wanted to record her password for whatever reason

        That's an easy one, it just requires some foresight: you change your password not once but twice: once right before you go to the airport and once after (if they made you log in) - that way, whatever they may have copied will not be accessible with the "temporary" password they may glean at boarding...

    2. This post has been deleted by its author

  4. Snorlax Silver badge
    Black Helicopters

    Highly Unlikely...

    ...that Clouseau knew the laptop was encrypted.

    I wonder were her keystrokes recorded by an overhead camera? Always look up before entering passwords at customs or airport security...

    1. IglooDude

      Re: Highly Unlikely...

      Sure, but wouldn't her next step before connecting to the internet unprotected (and in a place where her keystrokes assuredly would NOT be recorded) be to change her now-potentially-exposed login password?

      It would be for me, and I'm probably not half as security-conscious as her.

  5. Simon Harris Silver badge

    Playmobil.

    I can't believe El Reg has reused a 3 year old picture instead of using the story as an excuse to get the Playmobil out of the toybox again for a new one!

    1. Scott Broukell

      Re: Playmobil.

      I'm a little confused now having read your comment. After all I was just about to complement El Reg on the high definition, up to the minute, imagery they manage to secure in order to document such revelations, truly life-like it is.

  6. RyokuMas Silver badge
    Joke

    Maybe...

    They were so astounded that someone affiliated with Microsoft had a reasonably secure system in their possession, and had to see it in action to believe it?

  7. Lee D Silver badge

    My former employer, an independent school, blocked all employees taking workplace devices with them when they travelled to France.

    You can be made to decrypt data, under their laws, and the question of how that's compatible with EU data protection or whether you can get in trouble in the UK for such data access (if they then took the laptop off you, you could be construed as having "provided access" to it) is one of those "interesting for solicitors" questions.

    Instead, it was easier to just say that employees mustn't do it. Instead, a small smartphone with no data on it was given out for the taking of photos etc. on the school trips, but it still leaves the question of what impact that would have on child protection, data protection etc. if you were forced to hand it over.

    1. Anonymous Coward
      Anonymous Coward

      I take it you know you can be forced to decrypt any device in the UK?

      DPA and all EU laws have exemptions for law enforcement and security.

      1. Flocke Kroes Silver badge

        But the UK law makes much more sense

        The excuse/justification for the law is to catch paedophiles and terrorists. You do not have to provide your password - just can spend 5 years in prison instead. Of course, 5 years is less than a likely sentence for paedophiles or terrorists.

        If you need to take Snowden2 data abroad, do not carry it with you. Encrypt it, put it on the net, travel, download, recrypt with a new key and shred all your copies of the old key.

        1. Anonymous Coward
          Anonymous Coward

          Re: But the UK law makes much more sense

          And if you're going somewhere where the 'Net is spotty (say not enough coverage or data allowance to retrieve what you need) or worse under surveillance (meaning any attempt to retrieve the data will result in you being singled out)?

      2. Lee D Silver badge

        "I take it you know you can be forced to decrypt any device in the UK?

        DPA and all EU laws have exemptions for law enforcement and security."

        If the UK legal authorities ask me to decrypt a device with UK data, and I do so, I'm immune under the UK DPA.

        If the French authorities demand it, I may not be, especially if their laws differ.

        Additionally, although it's supposed to be EU-wide, it's not a level playing field. This is the problem. Not that a policeman might want to see my data, but that if I TAKE my data and they need to see it, I can potentially still get into trouble even though I'm complying with local laws all the time.

        Comply with French law sometimes = break UK law.

    2. chivo243 Silver badge
      Thumb Up

      Worth a mention to management

      I work in a similar situation, lots of the colleagues I support travel to and via France. I've never heard anything like that from any colleagues. .

      Thanks for the tip!

    3. Anonymous Coward
      Anonymous Coward

      Just use a hidden encrypted partition containing an encrypted virtual machine, your average flatfoot isn't going to find that.

      1. FutureShock999

        They will if they image the drive, see things they can't understand, and pass it to forensics to figure out...

        So while I agree that you are likely to be right in MANY cases, there are a troubling few that will get caught using that idea.

        1. DropBear Silver badge

          They will if they image the drive, see things they can't understand, and pass it to forensics to figure out...

          The whole point of a Truecrypt-style hidden volume is that in its encrypted state it should be pretty much indistinguishable from unused space filled with random noise. There is nothing to "find". Not even Truecrypt itself can tell you whether there actually is something there or not until you give it the proper key. The only giveaway would be the user getting visibly reluctant to carry out a full wipe of the allegedly "empty" space - but that would only happen if there was no backup of the data somewhere else which would be stupid anyway.

      2. tom dial Silver badge

        If the police are interested in your computer, it is safest to assume that it will not be an "average flatfoot", but a skilled technician who looks at it. That assumption would, if you are under suspicion, very likely be correct.

    4. T. F. M. Reader Silver badge

      @Lee D

      My former employer, an independent school, blocked all employees taking workplace devices with them when they travelled to France.

      I don't think it is limited to France in any aspect. More like, the French do it, too. And probably your average French doesn't realize it (since it is unlikely they do it to many of their own citizens when they come home from a foreign trip).

      Ironically, I once met a French guy who had been asked to boot his laptop when he had arrived at a foreign airport. He played French, saying it was his laptop, they had no right, Liberte, Egalite, etc. Full body search followed. Even then his reaction was, "I will never go to THAT COUNTRY again!" I tried to convince him the situation was not geography-specific, not sure I succeeded.

  8. wolfetone Silver badge

    She obviously looked dodgy.

  9. bluesxman

    Meh

    If my work laptop is anything to go by, the whole disk encryption software login interface would look entirely unfamiliar (and possibly even a bit suspicious, in a Fisher Price sort of way) to large swathes of the public. I'm assuming the Security Officer was simply looking for something Windows-ish that she could identify with to assure her this wasn't some sort of mock up.

    1. Anonymous Coward
      Anonymous Coward

      Re: Meh

      Yep. I guess 'Woman Made To Prove Laptop Worked At Airport' wouldn't be as interesting a headline.

      1. Yet Another Anonymous coward Silver badge

        Re: Meh

        Had that once in his majesty's former colonies.

        Turn on the laptop - it boots to a Linux prompt

        No turn it - I have to login and "startx"

        The world is saved for democracy because a mouse pointer moves

      2. Adam 1 Silver badge

        Re: Meh

        >Yep. I guess 'Woman Made To Prove Laptop Worked At Airport' wouldn't be as interesting a headline

        Why does it matter if it works? What if it broke whist travelling? Let's say or wonderfully reliable SSD just gave up without warning and now you just see some text about missing boot devices? Are you supposed to their away your otherwise fine laptop? Are you supposed to fart around trying to sort out warranty claims whilst abroad?

        Officialdom gone mad is the kindest way to put it. Time for hidden volumes when travelling to France I suppose...

    2. Tom 13

      Re: Meh

      My roommate has an interesting observation about this little exercise:

      "You do realize that if I WERE actually a suicide bomber and the laptop was a bomb, you would have just ordered me to detonate it here, right?"

      Since he made this observation none of the guards have since asked anyone to turn on largish electronic devices at the gate. But then he works somewhere that such things are a serious security concern as opposed to the Kabuki theater they are at airports.

      1. Diogenes

        Re: Meh

        That comment could have him arrested in some jurisdictions - must offend the great security deity.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019