Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official Paris airport security went one step further than simply asking a security expert to power up her laptop - they requested she type in her password to decrypt her hard drive and log into the machine. Katie Moussouris, chief policy officer at HackerOne, and best known as the woman behind Microsoft's Bug Bounty Program, was en …
Check your facts. The US Border and Customs agents are fully able to copy your data for further, more detailed analysis. They do it often...
Read about what they do via the EFF: https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
Aren't there sophisticated enough "scanning" devices to see what electrical currents (even minute amounts) are active, so, therefore, booting a device all the way *electrically engages the hard drive, the video card, the motherboard, the nic/wifi interface, the screen... sufficiently exposing the % of the innards of a machine and all of the physical masses and pathways as electricity flows through it?
<tinfoil>
Not that that doesn't leave room for explosive stuff I suppose, but.
I have had an encrypted laptop searched when re-entering Canada by customs agents... except they absolutely searched the data on the machine. In answer to my courteous and respectful questions as to the purpose of the search request, I was informed that it was for illegal content such as child pornography.
I chose to allow the search and unlocked my device... I did so as it was an agent of my own Government, and I felt comfortable that the corporate data was not at risk.
I questioned my company's lawyer who basically said that I has 2 choices - allow them to search it, or they could seize the laptop and potentially (unlikely) refuse me re-entry in to Canada. When re-entering a country, you are not YET under normal laws and protection against search and seizure.
But, a regular "security" agent or law enforcement, for that matter, in Canada would not be able to seize and search a computer without cause.... and domestic travel is not, to my knowledge, cause to do so.
I will provide advice that I received: if you don't want a foreign official to be able to see it, leave it home. Period.
My $0.02
Bear in mind that your device does not have to leave your possession; there are ways to clone drives from a distance. Why did the official ask you to type in your password? Well, there are more than just a few means of intercepting keyboard impulses, so the probability is high that "they" now have the password. Changing it after the fact- if they have indeed cloned a drive - is useless for all the data that is already stored on the drive.
Disgusting behaviour by the airport security apparatchik. An enquiry should happen, whether it reports or not - this should be high news.
But yes - don't let some little turd in a uniform compromise your data. Encrypt it on a hidden volume behind a guest account. OR, store your data client-side encrypted online somewhere, and grab it after you've got where you're going - this is what govfuckwiterments have reduced us to.
Fortunately while they are busy slamming each others' dicks in the door and snorting cocaine, they physically can't legislate the laws of mathematics.
My mother was supervisor for the contracted pre-departure security for a major US airline. She and her team had regular briefings on the current threats, interestingly enough, many that I had as well for military counterterrorism operations.
She had related how a recent threat had arose where laptops could appear to be normal laptops, even appear to partially boot up, but if the login was entered a bomb detonated.
So, the security measure that was so wisely adopted was to force the user to login at the checkpoint. You know, where the passengers and security personnel would still be safe in the case of a detonation.
Hey, *she* didn't make that call, the FAA did. :/
But, that is a true story from the late 1990's.
As a frequent user of the Paris' airports, let it be clear: this special treatment is reserved for people flying to the US. There is a special, additional security check before boarding that will have some more requests, open your luggage, point at random things and ask what's inside (and if you don't remember immediately, they'll ask you to open it). It's been in place for more than a decade, following the 2001 attacks.
Flight to other countries, European or otherwise, do not get that.
If your destination is European, you can often board a plane without showing your ID card even *once*.
So please, no French-bashing here, they're doing the security circus that Americans are telling them to do. Good that it hit a semi-celebrity at last so that annoyance finally reach the news...
Possibly incompetence on the part of officialdom - but maybe not.
I imaging that it would not be too difficult these days to make a laptop that appeared to power up and operate yet without a hard-drive ... and hard drives are dense metally things that x-rays don't go through too well - rather like other dense things that can go pop.
Hard drives may be dense and metallic...but the housings usually aren't wholly metallic, plus due to design necessities, you can expect the interior to feature certain features in their x-ray silhouettes, like the platters. You can search and find x-ray images of hard drives. Trying to make explosives look like a bunch of authentic hard drives platters that can match that x-ray silhouette would be too elaborate and prone to breaking (some explosives can be solid, but not that solid).
suppose ... just suppose ... that the laptop in question, whilst under the physical control of the passenger, isn't actually theirs ? Meaning they WOULDN'T KNOW the login details.
It could be a team/support laptop that was bought along "just in case" but not all the team know (or need to know) the login.
".....Meaning they WOULDN'T KNOW the login details....." In such a case the result is you are not allowed to take the device onto the aircraft unless you can power it on and show it is a working device. You will be given the choice of proceeding without the item or not boarding. If you are lucky you might be allowed to open the device to show the interior components, but it is far more likely you will be forced to wait for a detailed examination by a police/TSA techie or the bomb squad (http://www.cnn.com/2014/07/06/us/tsa-security-measures/index.html). And not being able to power on the device will lead to additional screening measures (possibly including graphite grease and rubber gloves!).
1. US has this brain-dead regulation that says that on outbound flights to the US, electronic devices must be checked (turned on) by security personnel.
2. She might have had Linux installed, which the airport security staffer has probably never seen (they do not go to libraries much). Or the Windows/OS X logo was not displayed before decryption.
Why is this news ? The French are actively trying to comply with US legislation, maybe a tad zealous, but hey ... as for the privacy moaners ... what personal data does a a login screen expose, exactly ? A custom background image, maybe ?
This happened to me when leaving Canada in 2003.
I had to power up the laptop and log onto it. To be honest I was a bit miffed at having to go through security at all as it was an RAF flight to the UK with a lot of squaddies on board. We all had our SA80's in our possession and they didn't go through the xray machine or check for loaded rounds. They did however confiscate numerous plastic sporks, multi tools random items including a rabbit skin and a pair of pliers.
Jobsworths.....
I should add that we got all the stuff back when we landed, they even wrapped the sporks up and had a printed label with our names on ha ha.
The real problem here is Katie Moussouris is (a) such a geek she didn't know about the additional security measures on European-to-US flights, and (b) such a self-centered narcissist that she assumed the check was down to her being such a VIP (in her own mind anyway). Throw in the usual paranoia about "The Man" and you arrive at the current fuss.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
