back to article Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official

Paris airport security went one step further than simply asking a security expert to power up her laptop - they requested she type in her password to decrypt her hard drive and log into the machine. Katie Moussouris, chief policy officer at HackerOne, and best known as the woman behind Microsoft's Bug Bounty Program, was en …

  1. Yet Another Anonymous coward Silver badge

    Cunning

    With the French government you are never sure if it is incompetence, malice, both or neither

    1. Anonymous Coward
      Anonymous Coward

      Re: Cunning

      with ANY government my dear... the frenchies don't have - by far - the monopoly on administrative stupidity....

      1. chivo243 Silver badge
        Angel

        Re: Cunning

        @AC

        My missus is French, and the French may not have a monopoly on this type of thing, but are world leaders of it, she will attest to that.

    2. P. Lee Silver badge
      Coat

      Re: Cunning

      I see a marketing niche: laptops in German tank camouflage.

  2. PCS

    And this is news why???

    Must be a *very* slow day at El-Reg Towers.

    1. streaky Silver badge

      "Silly person has laptop that decrypts everything on desktop login" - it's reasonably newsworthy when you consider the field this person works in.

      1. petur

        indeed, even my personal laptop requires an additional decryption of a separate volume to access my data, so I can easily login with decryption and then do simple stuff like browsing, and not have access to my data.

        1. EddieD

          My thoughts entirely...

          It's long been known that if you take a computer through international security, you may be asked to power it up and show it to the officials.

          In the days of almost ubiquitous high speed internet, there are few reasons to leave any sensitive data on your machine - load it to your /private/ cloud (which someone in her job would have), wipe any trace off the machine - the o/s isn't going to be secret, and any necessary tools can be added to the cloud blob, smile sweetly at the security jobsworth - and we'd better face it, they are becoming, or maybe have become, the default - do what they ask, provide a forensic image if necessary, travel onwards to your destination, grab a latté with your colleagues as you download the aforementioned binary blob at your leisure.

          This is going to happen more and more - get used to it, and plan for it. It's not (quite, nearly, almost) the end of the world...

          You don't need to be paranoid to be aware that folk are out to be officious...

          1. Mark 65 Silver badge

            Re: My thoughts entirely...

            But how to retrieve the data from that private store? Username and password over https? NSA may like that. Use password protected ssh key? The most likely method but then that means your private key needs to be on that laptop albeit password protected. How secure is that these days? I'm not sure.

          2. MrXavia

            Re: My thoughts entirely...

            "In the days of almost ubiquitous high speed internet"

            I would like to know what world you are living in which has this almost ubiquitous high speed internet?

            Sure in the UK I can rely on my 3G, and I have a decent provider so I don't pay a fortune for ever GB... but traveling? have you ever seen roaming charges??

            Yes if your doing something that needs minimal data, its fine, but the cloud is only as good as your internet, and internet can be very very spotty...

            1. BongoJoe

              Re: My thoughts entirely...

              I can't help but agree. Here there is no high-speed broadband so attempting to copy about 20GB up to a cloud or anywhere would take more than a whole day.

            2. Hans Neeson-Bumpsadese Silver badge

              Absence of high-speed internetq

              For example if you were travelling by air...

          3. Michael Habel Silver badge

            Re: My thoughts entirely...

            I wouldn't trust the "Cloud", further then I could spit a lightly fried Weasel in a Bun!

            1. Wensleydale Cheese Silver badge
              FAIL

              Re: My thoughts entirely...

              The OP said "Private Cloud" in case you missed it.

            2. Matt Bryant Silver badge
              Thumb Up

              Re: MIchael Habel Re: My thoughts entirely...

              QOTW!

          4. Anonymous Coward
            Anonymous Coward

            Re: My thoughts entirely...

            In the days of almost ubiquitous high speed internet, there are few reasons to leave any sensitive data on your machine - load it to your /private/ cloud (which someone in her job would have), wipe any trace off the machine - the o/s isn't going to be secret, and any necessary tools can be added to the cloud blob, smile sweetly at the security jobsworth - and we'd better face it, they are becoming, or maybe have become, the default - do what they ask, provide a forensic image if necessary, travel onwards to your destination, grab a latté with your colleagues as you download the aforementioned binary blob at your leisure.

            Data on your physical device: incidental exposure to nosy officials which you can manage with a crypto section

            Data in a private cloud: you are one coding mistake away from every jerk on the planet having a go at your data.

            I know what I would choose.

    2. Anonymous Coward
      Anonymous Coward

      This is news and fuck you

    3. Anonymous Coward
      Anonymous Coward

      I guess it must be a bit of a shock discovering the world is how it is and officialdom can do whatever it damn well pleases.

    4. dan1980

      @PCS

      It is news. Specifically, it is news of a tech/IT bent and one with a particular focus on security and privacy - an area which is generally rather important to people here.

      And here's the thing - not all of us fly internationally for business and so may not realise the extent of this paranoia and what may happen to them.

      The passenger in question clearly flies about a bit and was aware that turning on a laptop to prove it's real and operational is a relatively standard procedure. Asking her to actually log in, however, was a first for her and not something she had seen before. It stands to reason that it will therefore be something many others would alos have been unaware of.

      Now, presumably this is not actually common practice but what it shows is that it can happen. The benefit of knowing that this potential exists is that people can take appropriate steps.

      Ms. Moussouris had her laptop encrypted and this was enough for her purposes. Now that she is aware of this potential, on presumes she will change her setup so she has either a hidden drive or have data encrypted separately. Others can do the same now that they know this is a possibility.

      But of course EVERYONE encrypts everything like this already so this information is useless and anyone who doesn't is clearly an idiot so not worth helping. Right?

      1. T. F. M. Reader Silver badge

        @dan1980

        Asking her to actually log in, however, was a first for her and not something she had seen before.

        She used to work for Microsoft though, didn't she? I am curious because I used to work for another huge multinational computer company (say, 10 years ago) and I used to travel internationally with a company laptop with sensitive data on it, including code, presentations, plans, etc. The disk was fully encrypted, it wouldn't even boot without a password.

        The official company guidelines were, if you are stopped at any border, airport, etc., and are asked to boot your laptop and supply your passport - comply without arguing. If they want to take your laptop - surrender it without delay. No corporate data on your laptop is precious enough to make the hassle of getting you out of trouble worthwhile.

        I would naively assume Microsoft would have similar guidelines. Maybe she didn't get the memo?

        1. dan1980

          Re: @dan1980

          @T.F.M Reader

          "I would naively assume Microsoft would have similar guidelines."

          Quite possibly and maybe she was following them when she complied with the request to login. But that is not the point of any of this, which is simply that this represents a relatively new development - at least to the person in question and, given she presumably travels with a laptop a fair bit, one can expect that many less-frequent travellers were similarly unaware.

          Now, thanks to her blog (and various outlets like this commenting on it), more people know what they can expect or at least prepare for.

    5. Mark 65 Silver badge

      I couldn't quite fathom her surprise...

      Moussouris attributes the whole "unsettling" experience to an "Inspector Clouseau" type official exceeding her authority in checking that a computer was operational rather than anything more sinister.

      Unsettling? Surely she has encountered the TSA and their drive copying practices?

  3. Rainer

    They've probably captured her password now

    A pinhole camera somewhere or just by grabbing the electromagnetic impulses from the keyboard.

    Should have used a tin-foil blanket like Snowden in "Citizenfour".

    Thought that he was a bit over the top with the blanket, but apparently not...

    1. Paul Crawford Silver badge
      Black Helicopters

      Re: They've probably captured her password now

      That was my thought, that they wanted to record her password for whatever reason. I'm guessing that as she is a security expert she has now changed it, and it was never the same as anything else of importance.

      What is a bigger worry is they have copied the encrypted HDD at another time (while sleeping, etc) and they wanted that to get access to it.

      As another commentard has pointed out, best to have a 2nd account to demo a machine works so you don't have to decrypt your own files (assuming per-account encryption and not just full-disk).

      Hmm, might need a tighter tinfoil hat now...

      1. DougS Silver badge

        Re: They've probably captured her password now

        Nah, use FDE so they can see that password but as you say use a dummy account. Your real partition has another layer of encryption so even if they do copy your encrypted disk while you're sleeping and use pinhole cameras to steal your password, you'll be long gone before they decrypt their stolen copy of your drive and login to your dummy account and find it is bog standard unmodified and unpatched (why bother?) Windows 7, but there's a lot of space left on the hard drive that wasn't accounted for...

      2. DropBear Silver badge
        Devil

        Re: They've probably captured her password now

        That was my thought, that they wanted to record her password for whatever reason

        That's an easy one, it just requires some foresight: you change your password not once but twice: once right before you go to the airport and once after (if they made you log in) - that way, whatever they may have copied will not be accessible with the "temporary" password they may glean at boarding...

    2. This post has been deleted by its author

  4. Snorlax Silver badge
    Black Helicopters

    Highly Unlikely...

    ...that Clouseau knew the laptop was encrypted.

    I wonder were her keystrokes recorded by an overhead camera? Always look up before entering passwords at customs or airport security...

    1. IglooDude

      Re: Highly Unlikely...

      Sure, but wouldn't her next step before connecting to the internet unprotected (and in a place where her keystrokes assuredly would NOT be recorded) be to change her now-potentially-exposed login password?

      It would be for me, and I'm probably not half as security-conscious as her.

  5. Simon Harris Silver badge

    Playmobil.

    I can't believe El Reg has reused a 3 year old picture instead of using the story as an excuse to get the Playmobil out of the toybox again for a new one!

    1. Scott Broukell

      Re: Playmobil.

      I'm a little confused now having read your comment. After all I was just about to complement El Reg on the high definition, up to the minute, imagery they manage to secure in order to document such revelations, truly life-like it is.

  6. RyokuMas Silver badge
    Joke

    Maybe...

    They were so astounded that someone affiliated with Microsoft had a reasonably secure system in their possession, and had to see it in action to believe it?

  7. Lee D Silver badge

    My former employer, an independent school, blocked all employees taking workplace devices with them when they travelled to France.

    You can be made to decrypt data, under their laws, and the question of how that's compatible with EU data protection or whether you can get in trouble in the UK for such data access (if they then took the laptop off you, you could be construed as having "provided access" to it) is one of those "interesting for solicitors" questions.

    Instead, it was easier to just say that employees mustn't do it. Instead, a small smartphone with no data on it was given out for the taking of photos etc. on the school trips, but it still leaves the question of what impact that would have on child protection, data protection etc. if you were forced to hand it over.

    1. Anonymous Coward
      Anonymous Coward

      I take it you know you can be forced to decrypt any device in the UK?

      DPA and all EU laws have exemptions for law enforcement and security.

      1. Flocke Kroes Silver badge

        But the UK law makes much more sense

        The excuse/justification for the law is to catch paedophiles and terrorists. You do not have to provide your password - just can spend 5 years in prison instead. Of course, 5 years is less than a likely sentence for paedophiles or terrorists.

        If you need to take Snowden2 data abroad, do not carry it with you. Encrypt it, put it on the net, travel, download, recrypt with a new key and shred all your copies of the old key.

        1. Anonymous Coward
          Anonymous Coward

          Re: But the UK law makes much more sense

          And if you're going somewhere where the 'Net is spotty (say not enough coverage or data allowance to retrieve what you need) or worse under surveillance (meaning any attempt to retrieve the data will result in you being singled out)?

      2. Lee D Silver badge

        "I take it you know you can be forced to decrypt any device in the UK?

        DPA and all EU laws have exemptions for law enforcement and security."

        If the UK legal authorities ask me to decrypt a device with UK data, and I do so, I'm immune under the UK DPA.

        If the French authorities demand it, I may not be, especially if their laws differ.

        Additionally, although it's supposed to be EU-wide, it's not a level playing field. This is the problem. Not that a policeman might want to see my data, but that if I TAKE my data and they need to see it, I can potentially still get into trouble even though I'm complying with local laws all the time.

        Comply with French law sometimes = break UK law.

    2. chivo243 Silver badge
      Thumb Up

      Worth a mention to management

      I work in a similar situation, lots of the colleagues I support travel to and via France. I've never heard anything like that from any colleagues. .

      Thanks for the tip!

    3. Anonymous Coward
      Anonymous Coward

      Just use a hidden encrypted partition containing an encrypted virtual machine, your average flatfoot isn't going to find that.

      1. FutureShock999

        They will if they image the drive, see things they can't understand, and pass it to forensics to figure out...

        So while I agree that you are likely to be right in MANY cases, there are a troubling few that will get caught using that idea.

        1. DropBear Silver badge

          They will if they image the drive, see things they can't understand, and pass it to forensics to figure out...

          The whole point of a Truecrypt-style hidden volume is that in its encrypted state it should be pretty much indistinguishable from unused space filled with random noise. There is nothing to "find". Not even Truecrypt itself can tell you whether there actually is something there or not until you give it the proper key. The only giveaway would be the user getting visibly reluctant to carry out a full wipe of the allegedly "empty" space - but that would only happen if there was no backup of the data somewhere else which would be stupid anyway.

      2. tom dial Silver badge

        If the police are interested in your computer, it is safest to assume that it will not be an "average flatfoot", but a skilled technician who looks at it. That assumption would, if you are under suspicion, very likely be correct.

    4. T. F. M. Reader Silver badge

      @Lee D

      My former employer, an independent school, blocked all employees taking workplace devices with them when they travelled to France.

      I don't think it is limited to France in any aspect. More like, the French do it, too. And probably your average French doesn't realize it (since it is unlikely they do it to many of their own citizens when they come home from a foreign trip).

      Ironically, I once met a French guy who had been asked to boot his laptop when he had arrived at a foreign airport. He played French, saying it was his laptop, they had no right, Liberte, Egalite, etc. Full body search followed. Even then his reaction was, "I will never go to THAT COUNTRY again!" I tried to convince him the situation was not geography-specific, not sure I succeeded.

  8. wolfetone Silver badge

    She obviously looked dodgy.

  9. bluesxman

    Meh

    If my work laptop is anything to go by, the whole disk encryption software login interface would look entirely unfamiliar (and possibly even a bit suspicious, in a Fisher Price sort of way) to large swathes of the public. I'm assuming the Security Officer was simply looking for something Windows-ish that she could identify with to assure her this wasn't some sort of mock up.

    1. Anonymous Coward
      Anonymous Coward

      Re: Meh

      Yep. I guess 'Woman Made To Prove Laptop Worked At Airport' wouldn't be as interesting a headline.

      1. Yet Another Anonymous coward Silver badge

        Re: Meh

        Had that once in his majesty's former colonies.

        Turn on the laptop - it boots to a Linux prompt

        No turn it - I have to login and "startx"

        The world is saved for democracy because a mouse pointer moves

      2. Adam 1 Silver badge

        Re: Meh

        >Yep. I guess 'Woman Made To Prove Laptop Worked At Airport' wouldn't be as interesting a headline

        Why does it matter if it works? What if it broke whist travelling? Let's say or wonderfully reliable SSD just gave up without warning and now you just see some text about missing boot devices? Are you supposed to their away your otherwise fine laptop? Are you supposed to fart around trying to sort out warranty claims whilst abroad?

        Officialdom gone mad is the kindest way to put it. Time for hidden volumes when travelling to France I suppose...

    2. Tom 13

      Re: Meh

      My roommate has an interesting observation about this little exercise:

      "You do realize that if I WERE actually a suicide bomber and the laptop was a bomb, you would have just ordered me to detonate it here, right?"

      Since he made this observation none of the guards have since asked anyone to turn on largish electronic devices at the gate. But then he works somewhere that such things are a serious security concern as opposed to the Kabuki theater they are at airports.

      1. Diogenes

        Re: Meh

        That comment could have him arrested in some jurisdictions - must offend the great security deity.

        1. Someone Else Silver badge
          Headmaster

          @ Diogenes -- Re: Meh

          That comment could have him arrested in some jurisdictions - must offend the great security deitystage manager.

          There, FTFY. To assign deity status on anything that passes for "security" these days is an insult to deities everywhere.

      2. Vector

        Re: Meh

        Here's another observation about the pointlessness of this process.

        Everything that "security specialist" saw in "verifying" the laptop could have been performed by a board the size of a credit card or smaller, leaving a large amount of space on the laptop's body for whatever nefarious purpose a person would like. In fact, it could be a fully functional computing device, kinda like those...whadda ya call 'em...oh yeah! smartphones

        1. Anonymous Coward
          Anonymous Coward

          Re: Meh

          But wouldn't the laptop have to have passed the X-ray first? Which means you not only have to conceal an actual system, but do it non-obviously while also concealing your payload in a way that it's mistaken for actual internal parts of the laptop in an X-ray machine.

  10. Phil O'Sophical Silver badge

    Another reason not to change planes at CDG (if you needed yet another one).

    1. chivo243 Silver badge
      Happy

      Oh, too true! I haven't been there in 10 years, and glad of it! CDG is on my Richard Nixon list...

      1. elDog Silver badge

        How about Ronnie Reagon's airport

        I've long lobbied for what was National to be relabeled Reagan/BluePlains (named after the proximate sewage treatment plant - http://www.dcwater.com/wastewater/blueplains.cfm).

        And of course, Dulles International - the quickest way for privileged oligarchs to slip through customs while the paying customers (taxpayers) get to shed their clothing and pride.

        And I had the humbling experience of my 5oz non-fat yoghurt being confiscated after being "awarded" an "expedited" pass. The lord giveth and shafteth.

        Oh well, I'll wait for complete teleportation to travel again. Then, when the agents stop you there is no more then.

    2. Emperor Zarg

      In spite of all the Franco-bashing that's going on, this is actually a US TSA requirement, not a French one.

      "(Reuters) - The U.S. Transportation Security Administration will not allow cellphones or other electronic devices on U.S.-bound planes at some overseas airports if the devices are not charged up, the agency said on Sunday." [Sunday, 6 July 2014]

  11. It wasnt me

    Wow.....

    Is the news / surprise / story that this happened at the French end of her no enemy rather than the American end?

  12. Tom 7 Silver badge

    Start Button

    they were just looking for a start button.

    1. Roland6 Silver badge

      Re: Start Button

      Like many others I didn't appreciate all that effort MS went to over Fast Startup, but now I see it can help you catch your plane...

  13. RankingRoger
    Joke

    Apparently, they heard someone was running Windows 8

    and wanted to see if it's really true.

  14. Anonymous Coward
    Anonymous Coward

    Unfortunate

    HackerOne compromised full time because some low life did not want to miss flight... so pathetic

    1. MrDamage

      Re: Unfortunate

      Just like how your "insightful" post was compromised because some lowlife (that would be you by the way) decided not to actually read the fucking article, and instead make tinfoil-hatesque statements.

  15. Anonymous Coward
    Anonymous Coward

    Not a problem

    I see no problem what so ever with making some one log on to a PC for airport security. The terrorists are pretty smart and they know that powering up a PC is a common request. Logging on confirms the laptop is likely a functioning PC not a disguised bomb.

    1. Stuart 22

      Re: Not a problem

      "The terrorists are pretty smart and they know that powering up a PC is a common request. Logging on confirms the laptop is likely a functioning PC not a disguised bomb."

      If you think carefully about what you have written you should, if you know anything about laptop construction, quickly work out how to have both a functioning PC and a bomb in the same case. i just hope the average terrorist is even dimmer than me.

      This rule is meant to frighten passengers, not terrorists.

      1. chivo243 Silver badge

        Re: Not a problem

        You beat me to it... C4 will fill lots of spaces nicely!

        ANYONE who takes a bomb on a plane they intend to fly in is really f#ckin dim, I don't care in whose name they are blowing themselves up.

        I see you've read managing sheeple: Keep them scared and keep them guessing.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not a problem

          Yeah... replace the guts with a Raspberry Pi or similar.

      2. elDog Silver badge

        Re: Not a problem

        Just want to correct a small error.

        When you said you hope the average terrorist is "even dimmer than me", I believe you meant "even dimmer than the AC". Hard to dim that lightbulb any further.

    2. Phil O'Sophical Silver badge
      Thumb Down

      Re: Not a problem

      Logging on confirms the laptop is likely a functioning PC not a disguised bomb.

      Really? My Dell laptop has an option for a mini card that boots in a few seconds into a Linux-based environment for reading email. Doesn't use much more of the main PC than the battery, the rest could be replaced with plastic explosive. For that matter, if you can make a laptop-sized bomb you'll likely be more than skilled enough to put a Raspberry Pi and a couple of AA batteries in with it to look the part when you turn on "the laptop".

      As with all this security theatre, it inconveniences the honest travellers while doing absolutely zero to improve security in terms of deterring professional killers.

      1. Matt Bryant Silver badge
        FAIL

        Re: Phil O'Sophical Re: Not a problem

        ".....As with all this security theatre, it inconveniences the honest travellers while doing absolutely zero to improve security in terms of deterring professional killers." There were at least ten successful attacks on commercial airliners in the 1980s before more stringent checks were brought in (http://en.m.wikipedia.org/wiki/Timeline_of_airliner_bombing_attacks). Since the measures were brought in there was not been a single successful bomb attack on a Western airliner this century.

        1. MrDamage

          Re: Phil O'Sophical Not a problem

          "Since the measures were brought in there was not been a single successful bomb attack on a Western airliner this century."

          Unless you count the case in which a few airliners were actually used as the bombs themselves.

        2. dan1980

          Re: Phil O'Sophical Not a problem

          @Matt

          Now, we seemingly always disagree but presumably we can agree that there is something of a continuum between a free, but lawless state and an authoritarian police state.

          Presumably we can also agree that both freedom and safety are good.

          So, where disagreement comes in is the point on that continuum that we consider to be best for society. Where a little of one can be traded for a lot of the other, this is often a worthwhile thing, though the VERY important caveat there is that there is no objective measure of what constitutes a 'little' freedom. Requiring people to carry photo ID at all times and be required to present that to any official when requested may seem to some to be a small price to pay for whatever increase in safety might comes from it. However, someone who experienced apartheid in South Africa and the system of internal passports that effectively made them black South Africans aliens in their own country, well, they might have a different view of that.

          The simple truth is that safety - even real safety - is not self-evidently or objectively better than freedom and so simply saying that actions X, Y and Z have lead to a decrease in some problem (and thus an increase in safety) is only an argument that the measures were effective in some quantifiable way. It does not necessarily follow that the measures are actually worth the price being paid.

        3. Phil O'Sophical Silver badge

          @Matt Re: Phil O'Sophical Not a problem

          There were at least ten successful attacks on commercial airliners in the 1980s before more stringent checks were brought in

          The best checks are the ones behind the scenes that neither we nor the terrorists know about. Those are the ones that stop most attacks.

          I grew up in Belfast, I dare say I have a great deal more personal experience of the ineffectiveness of security theatre, and the difficulties of really stopping terrorist attacks, than you have.

          1. Matt Bryant Silver badge
            FAIL

            Re: @Matt Phil O'Sophical Not a problem

            "....I grew up in Belfast...." Did they have many suicide bombings in Belfast then? How about IRA or INLA bombings of airliners? Oh, no, they didn't. Indeed, the IRA often made warning calls to avoid civilian casualties so as to not upset their US donors. But the Islamists want as many casualties as they can get. Whilst awful, the Troubles led to 3530 deaths on all sides over just short of thirty years. AQ nearly topped that in a single day.

            "....I dare say I have a great deal more personal experience of the ineffectiveness of security theatre, and the difficulties of really stopping terrorist attacks, than you have." You must have because what you call "security theatre" I see as having been very effective, as showed in the link I included. I used to see it in countries like Israel where searching of bags going into shopping malls and at bus station queues was the norm, let alone at airports, because Israel had plenty of experience of such attacks aiming to kill anyone in range. Ironically, such "security theatre" is also now being providing for hotels in Turkey, Egypt, Dubai and Bahrain.

            1. Phil O'Sophical Silver badge

              Re: @Matt Phil O'Sophical Not a problem

              Did they have many suicide bombings in Belfast then?

              Not intentionally, even the IRA weren't that dedicated. Not so many virgins waiting for them in the marxist republican hereafter, I suppose. They preferred the proxy technique, locking civilians to bombs and forcing them to drive to targets.

              How about IRA or INLA bombings of airliners? Oh, no, they didn't.

              Only once, although they fired mortars at airports on several occasions, but there aren't very many internal flights in NI. Trains, buses, they were bombed, frequently. Despite the security theatre.

              Indeed, the IRA often made warning calls to avoid civilian casualties so as to not upset their US donors.

              Eventually, after the public reaction to murders like the Abercorn, La Mon, etc.

              the Troubles led to 3530 deaths on all sides over just short of thirty years.

              In a population of 1.5m.

              AQ nearly topped that in a single day.

              One incident 13 years ago, in a population of 250m, and you're still talking about it. There are twice as many firearm killings and 10x as many traffic deaths in the US, every year.

              what you call "security theatre" I see as having been very effective, as showed in the link I included. I used to see it in countries like Israel where searching of bags going into shopping malls and at bus station queues was the norm,

              Yes, it was the norm in Belfast too. Every large store had someone at the door whose job was to search bags. It might have found someone with a few kg of explosive linked to a timer, or a sputtering fuse, but almost all attacks on such buildings were through firebombs that were the size of, and often hidden in, cigarette packets. The "searches" never stopped those. Ask the stores why they still employed the security staff and the reponse was simple - after an attack one of the first questions the damage assessors asked was what precautions were taken. Not "searching" bags would mean that the store would be considered negligent, and lose much or all compensation. Pure theatre, on the CYA principle.

              Alert people and good behind-the-scenes intelligence was what stopped the serious attacks, not the disruption to everyday life that we eventually realised was pointless.

              1. Matt Bryant Silver badge
                Facepalm

                Re: Phil O'Sophical Re: @Matt Phil O'Sophical Not a problem

                "....Not intentionally, even the IRA weren't that dedicated...." So that's a "no" then.

                "....Only once, although they fired mortars at airports on several occasions, but there aren't very many internal flights in NI...." So that's another "no". Oh, and the IRA carried out operations in many European countries with commercial flights to the US, so they did have the opportunity and means even if they didn't have the motive to carry out airliner bombings. Next!

                "....One incident 13 years ago....." You'll find quite a lot of new regulations come in after "one incident", such as changes to fire safety after the Kings Cross Fire (http://en.wikipedia.org/wiki/King's_Cross_fire), or the Lockerbie Bombing led to changes in baggage handling security.

                "....but almost all attacks on such buildings were through firebombs that were the size of, and often hidden in, cigarette packets...." Designed to damage property rather than bring down a jet and kill all its passengers. Just a bit different in scale and intent.

                The current "security theatre" is very effective, as the link I posted shows. AQ has had to resort to such bizarre scams as using PETN in shoes (http://en.wikipedia.org/wiki/Richard_Reid which led to more stringent checks on shoes at airports), and underwear (http://www.telegraph.co.uk/news/worldnews/al-qaeda/10989843/Underwear-bomber-plot-failed-because-he-wore-same-pants-for-two-weeks.html - which led to more use of body scanners).

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Phil O'Sophical @Matt Phil O'Sophical Not a problem

                  AQ has had to resort to such bizarre scams as using PETN in shoes ...and underwear

                  Both of which failed, despite not being spotted by the performers at the checkpoints.

                  Security theatre is effective only in:

                  a) Frightening passengers into accepting more curbs on their liberties (I see MI5 this morning are crying that the Charlie Hebdo attack could be repeated in London if the ISPs don't agree to provide more acces to everyone's internet traffic).

                  b) Supporting the terrorists, who see that their efforts bear fruit.

                  it achieves nothing in terms of actual extra security.

            2. Anonymous Coward
              Anonymous Coward

              Re: @Matt Phil O'Sophical Not a problem @Matt Bryant

              Personally I have a lot of respect for the Irish paramilitaries, who really understood terrorism. It was obvious from when the first images of what would become "9/11" were being streamed round the world, the terrorists behind it were a bunch of amateurs compared to the IRA. Given the way the US reacted, if the IRA had been involved the US would most probably still be "in therapy".

              I still marvel at seeing litter bins and left luggage lockers in public places, things that just didn't exist through much of my growing up. Yet even now, I won't go near an unattended bag...

              Finally Matt you are missing the main point, the IRA's 'enemy' wasn't "western culture" but the British government, so they chose appropriate strategies.

              1. Matt Bryant Silver badge
                Facepalm

                Re: AC Re: @Matt Phil O'Sophical Not a problem @Matt Bryant

                ".....Finally Matt you are missing the main point, the IRA's 'enemy' wasn't "western culture" but the British government, so they chose appropriate strategies." No, that is exactly the point I was trying to make - comparing the Troubles to the current Islamist threat is pointless because the two sets of terrorists have such widely different goals and strategies. Could you seriously imagine two IRA members shooting the staff of Charlie Hebdo for publishing offensive cartoons of the Pope (which they have done in the past)? Ever think the IRA would try hijacking airliners and crashing them into Westminster? No. One of the problems with those that bitch about "security theatre" is they use Western values when trying to understand the Islamist mindset, massively underestimating the threat.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: AC @Matt Phil O'Sophical Not a problem @Matt Bryant

                  Could you seriously imagine two IRA members shooting the staff of Charlie Hebdo for publishing offensive cartoons of the Pope

                  Just demonstrating your ignorance again, Matt. The IRA was not a "catholicist" terror organization, they came from the secular marxist anti-colonialist background of Sinn Féin. They would no more care about an insult to the Pope than they would about one to Mohammed.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: AC @Matt Phil O'Sophical Not a problem @Matt Bryant

                  "Could you seriously imagine two IRA members shooting the staff of Charlie Hebdo"

                  No the IRA would of either knee capped them or made their families disappear...

                  The IRA know how to use terrorism for political ends, whereas the current "Islamist terrorists" are operating at a much lower level of sophistication. But then it did take the IRA many decades to reach the level of maturity we witnessed in the 80's and 90's...

                  Yes we underestimate the threat but part of that is because we have tended to use simplistic labels to lump things altogether - hence we have largely created al qaeda, ISIS et al because we wanted to see a wood rather than see the trees. Hence we have created organisations when in fact what we are dealing with is largely small groups of gangsters and hoodlums. Interestingly, from the evidence so far it would seem those involved in the Charlie Hebdo shootings are exhibiting a very Western sense of self preservation...

    3. hplasm Silver badge
      Meh

      Re: Not a problem

      pah!

      sudo apt-get install boomex.

      sudo ./boomex

    4. TimeMaster T

      Re: Not a problem

      I can put an functional OS, Linux or windows, on a 32GB flash drive physically small enough to be overlooked during an inspection, leaving the HD bays free for other cargo.

      Booting a laptop, even to a full desktop, proves nothing,

      1. Tom 13

        Re: Booting a laptop, even to a full desktop, proves nothing,

        It does when it's followed by an Earth Shattering Ka-a-boom!

        Unfortunately, at that point it's probably meaningless to the security git, the bomber git, and all the poor gits in the immediate vicinity.

        1. admiraljkb
          Joke

          Re: Booting a laptop, even to a full desktop, proves nothing,

          > Unfortunately, at that point it's probably meaningless to the security git, the bomber git, and all the poor gits in the immediate vicinity.

          Sounds like a git push? You know this wouldn't happen on SVN. ;)

        2. Matt Bryant Silver badge
          Stop

          Re: Tom 13 Re: Booting a laptop, even to a full desktop, proves nothing,

          ".....Unfortunately, at that point it's probably meaningless to the security git, the bomber git, and all the poor gits in the immediate vicinity." Just stop and think for a second - small bomb goes off in open plan airport lounge, minimal damage, possible a handful of fatalities and the injured are ensured almost immediate assistance and treatment. Given that the case of a laptop would not allow for a really heavy bomb you might escape completely uninjured even if standing within meters of the event. If you are an innocent passenger queuing to board then your chances are pretty good. Now compare to if the bomb is exploded in a pressurized cabin, whilst the aircraft is over the ocean, probably either held against the cabin wall to maximize the resulting fuselage damage or sited over a wingroot to target the fuel tanks - the result is an hundred-plus passengers and crew all die and their bodies may not even be recovered for burial. Whilst neither outcome is desirable, I'd sure settle for the former rather than the latter option.

          1. Phil O'Sophical Silver badge

            Re: Tom 13 Booting a laptop, even to a full desktop, proves nothing,

            Whilst neither outcome is desirable, I'd sure settle for the former rather than the latter option.

            I wouldn't.

            Think for a moment. The whole object of a terrorist attack is to frighten people into doing something that the terrorists can't actually achieve themselves. The main damage from 9/11 wasn't the immediate effect of the crashed planes, it was the months of economic harm done afterwards by people too scared to fly, and the spread of that nervousness to the markets. I was on a 747 to the US a few weeks after 9/11, it was empty, maybe 50 people on the whole aircraft.

            Set off a bomb in a departure lounge at Heathrow and you close Heathrow for a day at least, and that terminal is out of action for a week or more while forensics and then construction crews work. You also terrify people who were taking flights to places completely unconnected with the political event that lay behind the bomb, and put them off airports in general. Result is huge economic damage far beyond that one small incident.

            Blow up one plane and you certainly kill all the people on that flight, and perhaps frighten some people off getting on another flight to that destination for a few weeks. Overall the impact is far less. Clearly that is of no consolation to the families of those killed, but in terms of achieving the aims of the terrorists the former is a far more effective approach. Terrorism is not about the act, it is about the fear the act causes.

    5. dan1980

      Re: Not a problem

      @AC

      "I see no problem what so ever with making some one log on to a PC for airport security. The terrorists are pretty smart and they know that powering up a PC is a common request. Logging on confirms the laptop is likely a functioning PC not a disguised bomb."

      Like you said: "terrorists are pretty smart". The point that many people make is that, because terrorists are smart (not to mention usually well-funded), they are able to work around many of the counter-measures that are put in place.

      The point is, in this case, that if you are going to the trouble of booting to some dummy system then it really isn't that much more effort to boot to a dummy Windows system so if you can do the former, you can (and probably would) do the latter.

      So, in the end, you do nothing to really catch someone who has gotten that far (to the boarding gate!)

      It comes down to a compromise between freedom and privacy on the one hand and safety on the other. Sacrificing a little of the former for a lot of the latter is generally considered a good idea but we have long passed the point of diminishing returns where we are asked to give up more and more of our privacy of smaller and smaller increases in safety.

  16. PLAzmA

    Simples they already imaged the drive previously, why she slept or what ever, got stumped by the encryption and needed the password and now she handed it over... Surprised someone like this doesnt use some form of two factor (ubi key or what ever).. Now the frogs have all your 1's n 0's in plain text.

  17. W. Anderson

    Arrogance in play

    Ms. Moussouris has no knowlede that the French Customs Agent exceeded their authority, and it's incredulous that many comments on this article chose to denigrate the French - in this instance, and many other non-USA or Non-British authorities about such national matters from perspective of gross arrogance and probable ignorance.

    Any UK negative commerters on the French in this case need to understand clearly that Americans generally consider them to be just as doofus on matters of technology or government policy when US citizens face situations in UK they do not like or appreciate, and do not understand. That (false) superiority complex or "American Exceptionalism" mentality in play.

    Such is the state of crass diplomatic attitudes, particularly emminating from those West of Atlantic Ocean, and between Canada and Mexico.

    1. L05ER

      Re: Arrogance in play

      so... what people need to understand is that all nationalities have the same bullshit superiority complex?

      man i wish someone would have told me people were people before...

    2. MissingSecurity

      Re: Arrogance in play

      And what, prey tell, does checking that a laptop turns on and boot to the OS achieve? If you're using this example as a means to show how the French are excelling at technological policy, I'm left wanting.

    3. Anonymous Coward
      Anonymous Coward

      Re: Arrogance in play

      They are not French Customs Agents. You don't meet any French Customs Agents on your way out of the Schengen area. There is a single Border Police check, that's it. You meet Customs sometimes on your way in, but they're not in charge of security, they're in charge of checking for illicit importations (drugs, counterfeit products, undeclared goods).

      Boarding US-bound flights, there are additional security agents, specific to those flights. On whose authority they're acting, I have no idea. Airport? Airlines? But they're clearly there at the request of US authorities, and they present themselves as such.

  18. Message From A Self-Destructing Turnip

    Ego tits?

    Could it be that Ms. Moussouris did not initaly display the expected decorum, and the French agent simply upped the ante to put her in her place. Very common practice with official types. Alternatively getting someone to log on to their laptop would be a simple method for checking that it actually belonged to them. Or maybe I need to re-stock the tin foil.

    1. Anonymous Coward
      Joke

      Re: Ego tits?

      Maybe her 'I do not understand' shrug when asked to logon wasn't sufficiently gallic enough?

  19. Christian Berger Silver badge

    Unfortunately it's a good idea to not have any data on your laptop when you pass an airport

    A clean install of your operating system should be the best state for your laptop to be in... which is BTW also not a bad idea when you go to such a hacker conference. Though hackers are the most friendly and nice group of people I've met, there always is the chance of someone accidentally running an exploit against your machine.

  20. Anonymous Coward
    Anonymous Coward

    Seems to me it would make sense to have two encrypted systems on your laptop. One you decrypt for assholes like this guy and the other you really use.

  21. Anonymous Coward
    Anonymous Coward

    If this had happened in the US or Canada, at the border

    A copy would probably have been taken. I'm guessing the security official wasn't familiar with the (PGP?) login screen, hence the request. I doubt any harm was meant.

    Once again boys and girls! When you want to transport sensitive data across borders, don't! Do it using those new fangled interwebs instead (and preferably from your own or your employer's storage) once you arrive at your destination.

    1. David 14

      Re: If this had happened in the US or Canada, at the border

      No... they would not "take a copy". My own experience in this exact situation in border control in Ottawa was that they simply do basic searches on the "unlocked" computer for images and videos and then browse through them for illegal images (child porn and the like).

      It works, too.... there have been many arrests of dirtbags trafficking in child porn and other similarly repugnant garbage... many of these have been quite publicized, including a Catholic priest with child porn that happened back about 4 or 5 years ago... the searching of encrypted and other media is not new.

      1. Greg J Preece

        Re: If this had happened in the US or Canada, at the border

        No... they would not "take a copy". My own experience in this exact situation in border control in Ottawa was that they simply do basic searches on the "unlocked" computer for images and videos and then browse through them for illegal images (child porn and the like).

        Happened to me several times after inadvertently ending up in the naughty queue at a Canadian airport. They ask you to log into the system and then they go rifling through it. Of course, they do that in another room where you can't see what they're doing, which I think is complete BS considering their willingness to go through phones in front of you. They didn't ask me to decrypt anything though, just log in.

      2. RandomCanuck

        Re: If this had happened in the US or Canada, at the border

        Check your facts. The US Border and Customs agents are fully able to copy your data for further, more detailed analysis. They do it often...

        Read about what they do via the EFF: https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices

    2. tom dial Silver badge

      Re: If this had happened in the US or Canada, at the border

      "Transport sensitive data across borders ... using those new fangled interwebs". Right past the NSA, GCHQ, FSB and other communication taps. What could go wrong with that?

  22. Keven E.

    Electronics "x-ray" table

    Aren't there sophisticated enough "scanning" devices to see what electrical currents (even minute amounts) are active, so, therefore, booting a device all the way *electrically engages the hard drive, the video card, the motherboard, the nic/wifi interface, the screen... sufficiently exposing the % of the innards of a machine and all of the physical masses and pathways as electricity flows through it?

    <tinfoil>

    Not that that doesn't leave room for explosive stuff I suppose, but.

  23. David 14

    Foreign laws versus Customs and Border Protection

    I have had an encrypted laptop searched when re-entering Canada by customs agents... except they absolutely searched the data on the machine. In answer to my courteous and respectful questions as to the purpose of the search request, I was informed that it was for illegal content such as child pornography.

    I chose to allow the search and unlocked my device... I did so as it was an agent of my own Government, and I felt comfortable that the corporate data was not at risk.

    I questioned my company's lawyer who basically said that I has 2 choices - allow them to search it, or they could seize the laptop and potentially (unlikely) refuse me re-entry in to Canada. When re-entering a country, you are not YET under normal laws and protection against search and seizure.

    But, a regular "security" agent or law enforcement, for that matter, in Canada would not be able to seize and search a computer without cause.... and domestic travel is not, to my knowledge, cause to do so.

    I will provide advice that I received: if you don't want a foreign official to be able to see it, leave it home. Period.

    My $0.02

  24. Wanting more

    Good job...

    ...she didn't have an icon for minesweeper on the desktop

  25. shovelDriver

    Never Left Your Possession, Huh?

    Bear in mind that your device does not have to leave your possession; there are ways to clone drives from a distance. Why did the official ask you to type in your password? Well, there are more than just a few means of intercepting keyboard impulses, so the probability is high that "they" now have the password. Changing it after the fact- if they have indeed cloned a drive - is useless for all the data that is already stored on the drive.

    1. Anonymous Coward
      Anonymous Coward

      Re: Never Left Your Possession, Huh?

      "there are ways to clone drives from a distance...."

      Powered-off and without touching the device itself? Please elaborate since Google's turning up a blank.

  26. The Other Carl

    Stolen?

    Just a thought... Perhaps there was a laptop stolen in the airport that day, and this was an easy way to see if she owned it? Seems plausible at least.

  27. T J

    Disgusting behaviour

    Disgusting behaviour by the airport security apparatchik. An enquiry should happen, whether it reports or not - this should be high news.

    But yes - don't let some little turd in a uniform compromise your data. Encrypt it on a hidden volume behind a guest account. OR, store your data client-side encrypted online somewhere, and grab it after you've got where you're going - this is what govfuckwiterments have reduced us to.

    Fortunately while they are busy slamming each others' dicks in the door and snorting cocaine, they physically can't legislate the laws of mathematics.

  28. Wzrd1

    Way back before 9-11, way before then

    My mother was supervisor for the contracted pre-departure security for a major US airline. She and her team had regular briefings on the current threats, interestingly enough, many that I had as well for military counterterrorism operations.

    She had related how a recent threat had arose where laptops could appear to be normal laptops, even appear to partially boot up, but if the login was entered a bomb detonated.

    So, the security measure that was so wisely adopted was to force the user to login at the checkpoint. You know, where the passengers and security personnel would still be safe in the case of a detonation.

    Hey, *she* didn't make that call, the FAA did. :/

    But, that is a true story from the late 1990's.

  29. JJKing
    Facepalm

    "terrorists are pretty smart".

    But they still blow themselves up for a deity that doesn't exist so they can get 72 raisins in a place that also doesn't exist. How can that be smart?

  30. Anonymous Coward
    Anonymous Coward

    USA has been doing this for years

    Katie Moussouris should check with her own country's policies before bad-mouthing others. Read about what the USA does courtesy of the EFF: https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices

  31. Anonymous Coward
    Anonymous Coward

    This is only on US orders, for US-bound flights

    As a frequent user of the Paris' airports, let it be clear: this special treatment is reserved for people flying to the US. There is a special, additional security check before boarding that will have some more requests, open your luggage, point at random things and ask what's inside (and if you don't remember immediately, they'll ask you to open it). It's been in place for more than a decade, following the 2001 attacks.

    Flight to other countries, European or otherwise, do not get that.

    If your destination is European, you can often board a plane without showing your ID card even *once*.

    So please, no French-bashing here, they're doing the security circus that Americans are telling them to do. Good that it hit a semi-celebrity at last so that annoyance finally reach the news...

  32. Anonymous Coward
    Anonymous Coward

    An interesting exercise

    Possibly incompetence on the part of officialdom - but maybe not.

    I imaging that it would not be too difficult these days to make a laptop that appeared to power up and operate yet without a hard-drive ... and hard drives are dense metally things that x-rays don't go through too well - rather like other dense things that can go pop.

    1. Anonymous Coward
      Anonymous Coward

      Re: An interesting exercise

      Hard drives may be dense and metallic...but the housings usually aren't wholly metallic, plus due to design necessities, you can expect the interior to feature certain features in their x-ray silhouettes, like the platters. You can search and find x-ray images of hard drives. Trying to make explosives look like a bunch of authentic hard drives platters that can match that x-ray silhouette would be too elaborate and prone to breaking (some explosives can be solid, but not that solid).

  33. paulc

    time for deeper measures...

    our laptops are purely used as dumb terminals via our company VPN

  34. Anonymous Coward
    Anonymous Coward

    Hang on ...

    suppose ... just suppose ... that the laptop in question, whilst under the physical control of the passenger, isn't actually theirs ? Meaning they WOULDN'T KNOW the login details.

    It could be a team/support laptop that was bought along "just in case" but not all the team know (or need to know) the login.

    1. Matt Bryant Silver badge
      Facepalm

      Re: AC Re: Hang on ...

      ".....Meaning they WOULDN'T KNOW the login details....." In such a case the result is you are not allowed to take the device onto the aircraft unless you can power it on and show it is a working device. You will be given the choice of proceeding without the item or not boarding. If you are lucky you might be allowed to open the device to show the interior components, but it is far more likely you will be forced to wait for a detailed examination by a police/TSA techie or the bomb squad (http://www.cnn.com/2014/07/06/us/tsa-security-measures/index.html). And not being able to power on the device will lead to additional screening measures (possibly including graphite grease and rubber gloves!).

  35. Anonymous Coward
    Anonymous Coward

    Making sure it's not a fake laptop containing a bomb?

    Just powering up isn't enough, it might be playing a video or showing a picture.

  36. Hans 1 Silver badge
    WTF?

    This is US Regulation, FFS

    1. US has this brain-dead regulation that says that on outbound flights to the US, electronic devices must be checked (turned on) by security personnel.

    2. She might have had Linux installed, which the airport security staffer has probably never seen (they do not go to libraries much). Or the Windows/OS X logo was not displayed before decryption.

    Why is this news ? The French are actively trying to comply with US legislation, maybe a tad zealous, but hey ... as for the privacy moaners ... what personal data does a a login screen expose, exactly ? A custom background image, maybe ?

  37. Leeroy Bronze badge

    wrong checks

    This happened to me when leaving Canada in 2003.

    I had to power up the laptop and log onto it. To be honest I was a bit miffed at having to go through security at all as it was an RAF flight to the UK with a lot of squaddies on board. We all had our SA80's in our possession and they didn't go through the xray machine or check for loaded rounds. They did however confiscate numerous plastic sporks, multi tools random items including a rabbit skin and a pair of pliers.

    Jobsworths.....

    I should add that we got all the stuff back when we landed, they even wrapped the sporks up and had a printed label with our names on ha ha.

  38. Bob Dole (tm)

    Are we sure the person that pulled her aside was actually a customs agent?

    I can just see a hacker group copying her hard drive when she was away from it, then needing the password to decrypt the copy.

  39. Sergey 1
    Pint

    Though that's what they do to a percentage of passengers flying westbound across the Atlantic.

    Happened to me in the UK.

    Looks like nothing to do with France, it's the US that requests this measure.

  40. Matt Bryant Silver badge
    Stop

    Yawn.

    The real problem here is Katie Moussouris is (a) such a geek she didn't know about the additional security measures on European-to-US flights, and (b) such a self-centered narcissist that she assumed the check was down to her being such a VIP (in her own mind anyway). Throw in the usual paranoia about "The Man" and you arrive at the current fuss.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019