Cunning
With the French government you are never sure if it is incompetence, malice, both or neither
Paris airport security went one step further than simply asking a security expert to power up her laptop - they requested she type in her password to decrypt her hard drive and log into the machine. Katie Moussouris, chief policy officer at HackerOne, and best known as the woman behind Microsoft's Bug Bounty Program, was en …
It's long been known that if you take a computer through international security, you may be asked to power it up and show it to the officials.
In the days of almost ubiquitous high speed internet, there are few reasons to leave any sensitive data on your machine - load it to your /private/ cloud (which someone in her job would have), wipe any trace off the machine - the o/s isn't going to be secret, and any necessary tools can be added to the cloud blob, smile sweetly at the security jobsworth - and we'd better face it, they are becoming, or maybe have become, the default - do what they ask, provide a forensic image if necessary, travel onwards to your destination, grab a latté with your colleagues as you download the aforementioned binary blob at your leisure.
This is going to happen more and more - get used to it, and plan for it. It's not (quite, nearly, almost) the end of the world...
You don't need to be paranoid to be aware that folk are out to be officious...
But how to retrieve the data from that private store? Username and password over https? NSA may like that. Use password protected ssh key? The most likely method but then that means your private key needs to be on that laptop albeit password protected. How secure is that these days? I'm not sure.
"In the days of almost ubiquitous high speed internet"
I would like to know what world you are living in which has this almost ubiquitous high speed internet?
Sure in the UK I can rely on my 3G, and I have a decent provider so I don't pay a fortune for every GB... but traveling? Have you ever seen roaming charges??
Yes if you're doing something that needs minimal data, it's fine, but the cloud is only as good as your internet, and internet can be very very spotty...
In the days of almost ubiquitous high speed internet, there are few reasons to leave any sensitive data on your machine - load it to your /private/ cloud (which someone in her job would have), wipe any trace off the machine - the o/s isn't going to be secret, and any necessary tools can be added to the cloud blob, smile sweetly at the security jobsworth - and we'd better face it, they are becoming, or maybe have become, the default - do what they ask, provide a forensic image if necessary, travel onwards to your destination, grab a latté with your colleagues as you download the aforementioned binary blob at your leisure.
Data on your physical device: incidental exposure to nosy officials which you can manage with a crypto section
Data in a private cloud: you are one coding mistake away from every jerk on the planet having a go at your data.
I know what I would choose.
@PCS
It is news. Specifically, it is news of a tech/IT bent and one with a particular focus on security and privacy - an area which is generally rather important to people here.
And here's the thing - not all of us fly internationally for business and so may not realise the extent of this paranoia and what may happen to them.
The passenger in question clearly flies about a bit and was aware that turning on a laptop to prove it's real and operational is a relatively standard procedure. Asking her to actually log in, however, was a first for her and not something she had seen before. It stands to reason that it will therefore be something many others would also have been unaware of.
Now, presumably this is not actually common practice but what it shows is that it can happen. The benefit of knowing that this potential exists is that people can take appropriate steps.
Ms. Moussouris had her laptop encrypted and this was enough for her purposes. Now that she is aware of this potential, one presumes she will change her setup so she has either a hidden drive or have data encrypted separately. Others can do the same now that they know this is a possibility.
But of course EVERYONE encrypts everything like this already so this information is useless and anyone who doesn't is clearly an idiot so not worth helping. Right?
Asking her to actually log in, however, was a first for her and not something she had seen before.
She used to work for Microsoft though, didn't she? I am curious because I used to work for another huge multinational computer company (say, 10 years ago) and I used to travel internationally with a company laptop with sensitive data on it, including code, presentations, plans, etc. The disk was fully encrypted, it wouldn't even boot without a password.
The official company guidelines were, if you are stopped at any border, airport, etc., and are asked to boot your laptop and supply your passport - comply without arguing. If they want to take your laptop - surrender it without delay. No corporate data on your laptop is precious enough to make the hassle of getting you out of trouble worthwhile.
I would naively assume Microsoft would have similar guidelines. Maybe she didn't get the memo?
@T.F.M Reader
"I would naively assume Microsoft would have similar guidelines."
Quite possibly and maybe she was following them when she complied with the request to login. But that is not the point of any of this, which is simply that this represents a relatively new development - at least to the person in question and, given she presumably travels with a laptop a fair bit, one can expect that many less-frequent travellers were similarly unaware.
Now, thanks to her blog (and various outlets like this commenting on it), more people know what they can expect or at least prepare for.
I couldn't quite fathom her surprise...
Moussouris attributes the whole "unsettling" experience to an "Inspector Clouseau" type official exceeding her authority in checking that a computer was operational rather than anything more sinister.
Unsettling? Surely she has encountered the TSA and their drive copying practices?
That was my thought, that they wanted to record her password for whatever reason. I'm guessing that as she is a security expert she has now changed it, and it was never the same as anything else of importance.
What is a bigger worry is they have copied the encrypted HDD at another time (while sleeping, etc) and they wanted that to get access to it.
As another commentard has pointed out, best to have a 2nd account to demo a machine works so you don't have to decrypt your own files (assuming per-account encryption and not just full-disk).
Hmm, might need a tighter tinfoil hat now...
Nah, use FDE so they can see that password but as you say use a dummy account. Your real partition has another layer of encryption so even if they do copy your encrypted disk while you're sleeping and use pinhole cameras to steal your password, you'll be long gone before they decrypt their stolen copy of your drive and login to your dummy account and find it is bog standard unmodified and unpatched (why bother?) Windows 7, but there's a lot of space left on the hard drive that wasn't accounted for...
That was my thought, that they wanted to record her password for whatever reason
That's an easy one, it just requires some foresight: you change your password not once but twice: once right before you go to the airport and once after (if they made you log in) - that way, whatever they may have copied will not be accessible with the "temporary" password they may glean at boarding...
Sure, but wouldn't her next step before connecting to the internet unprotected (and in a place where her keystrokes assuredly would NOT be recorded) be to change her now-potentially-exposed login password?
It would be for me, and I'm probably not half as security-conscious as her.
My former employer, an independent school, blocked all employees taking workplace devices with them when they travelled to France.
You can be made to decrypt data, under their laws, and the question of how that's compatible with EU data protection or whether you can get in trouble in the UK for such data access (if they then took the laptop off you, you could be construed as having "provided access" to it) is one of those "interesting for solicitors" questions.
Instead, it was easier to just say that employees mustn't do it. Instead, a small smartphone with no data on it was given out for the taking of photos etc. on the school trips, but it still leaves the question of what impact that would have on child protection, data protection etc. if you were forced to hand it over.
The excuse/justification for the law is to catch paedophiles and terrorists. You do not have to provide your password - just can spend 5 years in prison instead. Of course, 5 years is less than a likely sentence for paedophiles or terrorists.
If you need to take Snowden2 data abroad, do not carry it with you. Encrypt it, put it on the net, travel, download, recrypt with a new key and shred all your copies of the old key.
"I take it you know you can be forced to decrypt any device in the UK?
DPA and all EU laws have exemptions for law enforcement and security."
If the UK legal authorities ask me to decrypt a device with UK data, and I do so, I'm immune under the UK DPA.
If the French authorities demand it, I may not be, especially if their laws differ.
Additionally, although it's supposed to be EU-wide, it's not a level playing field. This is the problem. Not that a policeman might want to see my data, but that if I TAKE my data and they need to see it, I can potentially still get into trouble even though I'm complying with local laws all the time.
Comply with French law sometimes = break UK law.
They will if they image the drive, see things they can't understand, and pass it to forensics to figure out...
The whole point of a Truecrypt-style hidden volume is that in its encrypted state it should be pretty much indistinguishable from unused space filled with random noise. There is nothing to "find". Not even Truecrypt itself can tell you whether there actually is something there or not until you give it the proper key. The only giveaway would be the user getting visibly reluctant to carry out a full wipe of the allegedly "empty" space - but that would only happen if there was no backup of the data somewhere else which would be stupid anyway.
My former employer, an independent school, blocked all employees taking workplace devices with them when they travelled to France.
I don't think it is limited to France in any aspect. More like, the French do it, too. And probably your average French doesn't realize it (since it is unlikely they do it to many of their own citizens when they come home from a foreign trip).
Ironically, I once met a French guy who had been asked to boot his laptop when he had arrived at a foreign airport. He played French, saying it was his laptop, they had no right, Liberte, Egalite, etc. Full body search followed. Even then his reaction was, "I will never go to THAT COUNTRY again!" I tried to convince him the situation was not geography-specific, not sure I succeeded.
If my work laptop is anything to go by, the whole disk encryption software login interface would look entirely unfamiliar (and possibly even a bit suspicious, in a Fisher Price sort of way) to large swathes of the public. I'm assuming the Security Officer was simply looking for something Windows-ish that she could identify with to assure her this wasn't some sort of mock up.
>Yep. I guess 'Woman Made To Prove Laptop Worked At Airport' wouldn't be as interesting a headline
Why does it matter if it works? What if it broke whilst travelling? Let's say your wonderfully reliable SSD just gave up without warning and now you just see some text about missing boot devices? Are you supposed to throw away your otherwise fine laptop? Are you supposed to fart around trying to sort out warranty claims whilst abroad?
Officialdom gone mad is the kindest way to put it. Time for hidden volumes when travelling to France I suppose...
My roommate has an interesting observation about this little exercise:
"You do realize that if I WERE actually a suicide bomber and the laptop was a bomb, you would have just ordered me to detonate it here, right?"
Since he made this observation none of the guards have since asked anyone to turn on largish electronic devices at the gate. But then he works somewhere that such things are a serious security concern as opposed to the Kabuki theater they are at airports.
Here's another observation about the pointlessness of this process.
Everything that "security specialist" saw in "verifying" the laptop could have been performed by a board the size of a credit card or smaller, leaving a large amount of space on the laptop's body for whatever nefarious purpose a person would like. In fact, it could be a fully functional computing device, kinda like those...whadda ya call 'em...oh yeah! smartphones
I've long lobbied for what was National to be relabeled Reagan/BluePlains (named after the proximate sewage treatment plant - http://www.dcwater.com/wastewater/blueplains.cfm).
And of course, Dulles International - the quickest way for privileged oligarchs to slip through customs while the paying customers (taxpayers) get to shed their clothing and pride.
And I had the humbling experience of my 5oz non-fat yoghurt being confiscated after being "awarded" an "expedited" pass. The lord giveth and shafteth.
Oh well, I'll wait for complete teleportation to travel again. Then, when the agents stop you there is no more then.
In spite of all the Franco-bashing that's going on, this is actually a US TSA requirement, not a French one.
"(Reuters) - The U.S. Transportation Security Administration will not allow cellphones or other electronic devices on U.S.-bound planes at some overseas airports if the devices are not charged up, the agency said on Sunday." [Sunday, 6 July 2014]
"The terrorists are pretty smart and they know that powering up a PC is a common request. Logging on confirms the laptop is likely a functioning PC not a disguised bomb."
If you think carefully about what you have written you should, if you know anything about laptop construction, quickly work out how to have both a functioning PC and a bomb in the same case. I just hope the average terrorist is even dimmer than me.
This rule is meant to frighten passengers, not terrorists.
Logging on confirms the laptop is likely a functioning PC not a disguised bomb.
Really? My Dell laptop has an option for a mini card that boots in a few seconds into a Linux-based environment for reading email. Doesn't use much more of the main PC than the battery, the rest could be replaced with plastic explosive. For that matter, if you can make a laptop-sized bomb you'll likely be more than skilled enough to put a Raspberry Pi and a couple of AA batteries in with it to look the part when you turn on "the laptop".
As with all this security theatre, it inconveniences the honest travellers while doing absolutely zero to improve security in terms of deterring professional killers.
".....As with all this security theatre, it inconveniences the honest travellers while doing absolutely zero to improve security in terms of deterring professional killers." There were at least ten successful attacks on commercial airliners in the 1980s before more stringent checks were brought in (http://en.m.wikipedia.org/wiki/Timeline_of_airliner_bombing_attacks). Since the measures were brought in there has not been a single successful bomb attack on a Western airliner this century.
@Matt
Now, we seemingly always disagree but presumably we can agree that there is something of a continuum between a free, but lawless state and an authoritarian police state.
Presumably we can also agree that both freedom and safety are good.
So, where disagreement comes in is the point on that continuum that we consider to be best for society. Where a little of one can be traded for a lot of the other, this is often a worthwhile thing, though the VERY important caveat there is that there is no objective measure of what constitutes a 'little' freedom. Requiring people to carry photo ID at all times and be required to present that to any official when requested may seem to some to be a small price to pay for whatever increase in safety might come from it. However, someone who experienced apartheid in South Africa and the system of internal passports that effectively made black South Africans aliens in their own country, well, they might have a different view of that.
The simple truth is that safety - even real safety - is not self-evidently or objectively better than freedom and so simply saying that actions X, Y and Z have led to a decrease in some problem (and thus an increase in safety) is only an argument that the measures were effective in some quantifiable way. It does not necessarily follow that the measures are actually worth the price being paid.
There were at least ten successful attacks on commercial airliners in the 1980s before more stringent checks were brought in
The best checks are the ones behind the scenes that neither we nor the terrorists know about. Those are the ones that stop most attacks.
I grew up in Belfast, I dare say I have a great deal more personal experience of the ineffectiveness of security theatre, and the difficulties of really stopping terrorist attacks, than you have.
"....I grew up in Belfast...." Did they have many suicide bombings in Belfast then? How about IRA or INLA bombings of airliners? Oh, no, they didn't. Indeed, the IRA often made warning calls to avoid civilian casualties so as to not upset their US donors. But the Islamists want as many casualties as they can get. Whilst awful, the Troubles led to 3530 deaths on all sides over just short of thirty years. AQ nearly topped that in a single day.
"....I dare say I have a great deal more personal experience of the ineffectiveness of security theatre, and the difficulties of really stopping terrorist attacks, than you have." You must have because what you call "security theatre" I see as having been very effective, as shown in the link I included. I used to see it in countries like Israel where searching of bags going into shopping malls and at bus station queues was the norm, let alone at airports, because Israel had plenty of experience of such attacks aiming to kill anyone in range. Ironically, such "security theatre" is also now being provided for hotels in Turkey, Egypt, Dubai and Bahrain.
Did they have many suicide bombings in Belfast then?
Not intentionally, even the IRA weren't that dedicated. Not so many virgins waiting for them in the marxist republican hereafter, I suppose. They preferred the proxy technique, locking civilians to bombs and forcing them to drive to targets.
How about IRA or INLA bombings of airliners? Oh, no, they didn't.
Only once, although they fired mortars at airports on several occasions, but there aren't very many internal flights in NI. Trains, buses, they were bombed, frequently. Despite the security theatre.
Indeed, the IRA often made warning calls to avoid civilian casualties so as to not upset their US donors.
Eventually, after the public reaction to murders like the Abercorn, La Mon, etc.
the Troubles led to 3530 deaths on all sides over just short of thirty years.
In a population of 1.5m.
AQ nearly topped that in a single day.
One incident 13 years ago, in a population of 250m, and you're still talking about it. There are twice as many firearm killings and 10x as many traffic deaths in the US, every year.
what you call "security theatre" I see as having been very effective, as shown in the link I included. I used to see it in countries like Israel where searching of bags going into shopping malls and at bus station queues was the norm,
Yes, it was the norm in Belfast too. Every large store had someone at the door whose job was to search bags. It might have found someone with a few kg of explosive linked to a timer, or a sputtering fuse, but almost all attacks on such buildings were through firebombs that were the size of, and often hidden in, cigarette packets. The "searches" never stopped those. Ask the stores why they still employed the security staff and the response was simple - after an attack one of the first questions the damage assessors asked was what precautions were taken. Not "searching" bags would mean that the store would be considered negligent, and lose much or all compensation. Pure theatre, on the CYA principle.
Alert people and good behind-the-scenes intelligence was what stopped the serious attacks, not the disruption to everyday life that we eventually realised was pointless.
"....Not intentionally, even the IRA weren't that dedicated...." So that's a "no" then.
"....Only once, although they fired mortars at airports on several occasions, but there aren't very many internal flights in NI...." So that's another "no". Oh, and the IRA carried out operations in many European countries with commercial flights to the US, so they did have the opportunity and means even if they didn't have the motive to carry out airliner bombings. Next!
"....One incident 13 years ago....." You'll find quite a lot of new regulations come in after "one incident", such as changes to fire safety after the Kings Cross Fire (http://en.wikipedia.org/wiki/King's_Cross_fire), or the Lockerbie Bombing led to changes in baggage handling security.
"....but almost all attacks on such buildings were through firebombs that were the size of, and often hidden in, cigarette packets...." Designed to damage property rather than bring down a jet and kill all its passengers. Just a bit different in scale and intent.
The current "security theatre" is very effective, as the link I posted shows. AQ has had to resort to such bizarre scams as using PETN in shoes (http://en.wikipedia.org/wiki/Richard_Reid which led to more stringent checks on shoes at airports), and underwear (http://www.telegraph.co.uk/news/worldnews/al-qaeda/10989843/Underwear-bomber-plot-failed-because-he-wore-same-pants-for-two-weeks.html - which led to more use of body scanners).
AQ has had to resort to such bizarre scams as using PETN in shoes ...and underwear
Both of which failed, despite not being spotted by the performers at the checkpoints.
Security theatre is effective only in:
a) Frightening passengers into accepting more curbs on their liberties (I see MI5 this morning are crying that the Charlie Hebdo attack could be repeated in London if the ISPs don't agree to provide more access to everyone's internet traffic).
b) Supporting the terrorists, who see that their efforts bear fruit.
it achieves nothing in terms of actual extra security.
Personally I have a lot of respect for the Irish paramilitaries, who really understood terrorism. It was obvious from when the first images of what would become "9/11" were being streamed round the world, the terrorists behind it were a bunch of amateurs compared to the IRA. Given the way the US reacted, if the IRA had been involved the US would most probably still be "in therapy".
I still marvel at seeing litter bins and left luggage lockers in public places, things that just didn't exist through much of my growing up. Yet even now, I won't go near an unattended bag...
Finally Matt you are missing the main point, the IRA's 'enemy' wasn't "western culture" but the British government, so they chose appropriate strategies.
".....Finally Matt you are missing the main point, the IRA's 'enemy' wasn't "western culture" but the British government, so they chose appropriate strategies." No, that is exactly the point I was trying to make - comparing the Troubles to the current Islamist threat is pointless because the two sets of terrorists have such widely different goals and strategies. Could you seriously imagine two IRA members shooting the staff of Charlie Hebdo for publishing offensive cartoons of the Pope (which they have done in the past)? Ever think the IRA would try hijacking airliners and crashing them into Westminster? No. One of the problems with those that bitch about "security theatre" is they use Western values when trying to understand the Islamist mindset, massively underestimating the threat.
Could you seriously imagine two IRA members shooting the staff of Charlie Hebdo for publishing offensive cartoons of the Pope
Just demonstrating your ignorance again, Matt. The IRA was not a "catholicist" terror organization, they came from the secular marxist anti-colonialist background of Sinn Féin. They would no more care about an insult to the Pope than they would about one to Mohammed.
"Could you seriously imagine two IRA members shooting the staff of Charlie Hebdo"
No the IRA would have either kneecapped them or made their families disappear...
The IRA know how to use terrorism for political ends, whereas the current "Islamist terrorists" are operating at a much lower level of sophistication. But then it did take the IRA many decades to reach the level of maturity we witnessed in the 80's and 90's...
Yes we underestimate the threat but part of that is because we have tended to use simplistic labels to lump things all together - hence we have largely created al qaeda, ISIS et al because we wanted to see a wood rather than see the trees. Hence we have created organisations when in fact what we are dealing with is largely small groups of gangsters and hoodlums. Interestingly, from the evidence so far it would seem those involved in the Charlie Hebdo shootings are exhibiting a very Western sense of self preservation...
".....Unfortunately, at that point it's probably meaningless to the security git, the bomber git, and all the poor gits in the immediate vicinity." Just stop and think for a second - small bomb goes off in open plan airport lounge, minimal damage, possibly a handful of fatalities and the injured are ensured almost immediate assistance and treatment. Given that the case of a laptop would not allow for a really heavy bomb you might escape completely uninjured even if standing within meters of the event. If you are an innocent passenger queuing to board then your chances are pretty good. Now compare to if the bomb is exploded in a pressurized cabin, whilst the aircraft is over the ocean, probably either held against the cabin wall to maximize the resulting fuselage damage or sited over a wingroot to target the fuel tanks - the result is a hundred-plus passengers and crew all die and their bodies may not even be recovered for burial. Whilst neither outcome is desirable, I'd sure settle for the former rather than the latter option.
Whilst neither outcome is desirable, I'd sure settle for the former rather than the latter option.
I wouldn't.
Think for a moment. The whole object of a terrorist attack is to frighten people into doing something that the terrorists can't actually achieve themselves. The main damage from 9/11 wasn't the immediate effect of the crashed planes, it was the months of economic harm done afterwards by people too scared to fly, and the spread of that nervousness to the markets. I was on a 747 to the US a few weeks after 9/11, it was empty, maybe 50 people on the whole aircraft.
Set off a bomb in a departure lounge at Heathrow and you close Heathrow for a day at least, and that terminal is out of action for a week or more while forensics and then construction crews work. You also terrify people who were taking flights to places completely unconnected with the political event that lay behind the bomb, and put them off airports in general. Result is huge economic damage far beyond that one small incident.
Blow up one plane and you certainly kill all the people on that flight, and perhaps frighten some people off getting on another flight to that destination for a few weeks. Overall the impact is far less. Clearly that is of no consolation to the families of those killed, but in terms of achieving the aims of the terrorists the former is a far more effective approach. Terrorism is not about the act, it is about the fear the act causes.
@AC
"I see no problem whatsoever with making some one log on to a PC for airport security. The terrorists are pretty smart and they know that powering up a PC is a common request. Logging on confirms the laptop is likely a functioning PC not a disguised bomb."
Like you said: "terrorists are pretty smart". The point that many people make is that, because terrorists are smart (not to mention usually well-funded), they are able to work around many of the counter-measures that are put in place.
The point is, in this case, that if you are going to the trouble of booting to some dummy system then it really isn't that much more effort to boot to a dummy Windows system so if you can do the former, you can (and probably would) do the latter.
So, in the end, you do nothing to really catch someone who has gotten that far (to the boarding gate!)
It comes down to a compromise between freedom and privacy on the one hand and safety on the other. Sacrificing a little of the former for a lot of the latter is generally considered a good idea but we have long passed the point of diminishing returns where we are asked to give up more and more of our privacy for smaller and smaller increases in safety.
Simples they already imaged the drive previously, while she slept or whatever, got stumped by the encryption and needed the password and now she handed it over... Surprised someone like this doesn't use some form of two factor (YubiKey or whatever).. Now the frogs have all your 1's n 0's in plain text.
Ms. Moussouris has no knowledge that the French Customs Agent exceeded their authority, and it's incredulous that many comments on this article chose to denigrate the French - in this instance, and many other non-USA or Non-British authorities about such national matters from perspective of gross arrogance and probable ignorance.
Any UK negative commenters on the French in this case need to understand clearly that Americans generally consider them to be just as doofus on matters of technology or government policy when US citizens face situations in UK they do not like or appreciate, and do not understand. That (false) superiority complex or "American Exceptionalism" mentality in play.
Such is the state of crass diplomatic attitudes, particularly emanating from those West of Atlantic Ocean, and between Canada and Mexico.
They are not French Customs Agents. You don't meet any French Customs Agents on your way out of the Schengen area. There is a single Border Police check, that's it. You meet Customs sometimes on your way in, but they're not in charge of security, they're in charge of checking for illicit importations (drugs, counterfeit products, undeclared goods).
Boarding US-bound flights, there are additional security agents, specific to those flights. On whose authority they're acting, I have no idea. Airport? Airlines? But they're clearly there at the request of US authorities, and they present themselves as such.
Could it be that Ms. Moussouris did not initially display the expected decorum, and the French agent simply upped the ante to put her in her place? Very common practice with official types. Alternatively getting someone to log on to their laptop would be a simple method for checking that it actually belonged to them. Or maybe I need to re-stock the tin foil.
A clean install of your operating system should be the best state for your laptop to be in... which is BTW also not a bad idea when you go to such a hacker conference. Though hackers are the most friendly and nice group of people I've met, there always is the chance of someone accidentally running an exploit against your machine.
A copy would probably have been taken. I'm guessing the security official wasn't familiar with the (PGP?) login screen, hence the request. I doubt any harm was meant.
Once again boys and girls! When you want to transport sensitive data across borders, don't! Do it using those new fangled interwebs instead (and preferably from your own or your employer's storage) once you arrive at your destination.
No... they would not "take a copy". My own experience in this exact situation in border control in Ottawa was that they simply do basic searches on the "unlocked" computer for images and videos and then browse through them for illegal images (child porn and the like).
It works, too.... there have been many arrests of dirtbags trafficking in child porn and other similarly repugnant garbage... many of these have been quite publicized, including a Catholic priest with child porn that happened back about 4 or 5 years ago... the searching of encrypted and other media is not new.
Happened to me several times after inadvertently ending up in the naughty queue at a Canadian airport. They ask you to log into the system and then they go rifling through it. Of course, they do that in another room where you can't see what they're doing, which I think is complete BS considering their willingness to go through phones in front of you. They didn't ask me to decrypt anything though, just log in.
Check your facts. The US Border and Customs agents are fully able to copy your data for further, more detailed analysis. They do it often...
Read about what they do via the EFF: https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
Aren't there sophisticated enough "scanning" devices to see what electrical currents (even minute amounts) are active, so, therefore, booting a device all the way *electrically engages the hard drive, the video card, the motherboard, the nic/wifi interface, the screen... sufficiently exposing the % of the innards of a machine and all of the physical masses and pathways as electricity flows through it?
<tinfoil>
Not that that doesn't leave room for explosive stuff I suppose, but.
I have had an encrypted laptop searched when re-entering Canada by customs agents... except they absolutely searched the data on the machine. In answer to my courteous and respectful questions as to the purpose of the search request, I was informed that it was for illegal content such as child pornography.
I chose to allow the search and unlocked my device... I did so as it was an agent of my own Government, and I felt comfortable that the corporate data was not at risk.
I questioned my company's lawyer who basically said that I had 2 choices - allow them to search it, or they could seize the laptop and potentially (unlikely) refuse me re-entry into Canada. When re-entering a country, you are not YET under normal laws and protection against search and seizure.
But, a regular "security" agent or law enforcement, for that matter, in Canada would not be able to seize and search a computer without cause.... and domestic travel is not, to my knowledge, cause to do so.
I will provide advice that I received: if you don't want a foreign official to be able to see it, leave it home. Period.
My $0.02
Bear in mind that your device does not have to leave your possession; there are ways to clone drives from a distance. Why did the official ask you to type in your password? Well, there are more than just a few means of intercepting keyboard impulses, so the probability is high that "they" now have the password. Changing it after the fact - if they have indeed cloned a drive - is useless for all the data that is already stored on the drive.
Disgusting behaviour by the airport security apparatchik. An enquiry should happen, whether it reports or not - this should be high news.
But yes - don't let some little turd in a uniform compromise your data. Encrypt it on a hidden volume behind a guest account. OR, store your data client-side encrypted online somewhere, and grab it after you've got where you're going - this is what govfuckwiterments have reduced us to.
Fortunately while they are busy slamming each others' dicks in the door and snorting cocaine, they physically can't legislate the laws of mathematics.
My mother was supervisor for the contracted pre-departure security for a major US airline. She and her team had regular briefings on the current threats, interestingly enough, many that I had as well for military counterterrorism operations.
She had related how a recent threat had arisen where laptops could appear to be normal laptops, even appear to partially boot up, but if the login was entered a bomb detonated.
So, the security measure that was so wisely adopted was to force the user to login at the checkpoint. You know, where the passengers and security personnel would still be safe in the case of a detonation.
Hey, *she* didn't make that call, the FAA did. :/
But, that is a true story from the late 1990's.
As a frequent user of the Paris' airports, let it be clear: this special treatment is reserved for people flying to the US. There is a special, additional security check before boarding that will have some more requests, open your luggage, point at random things and ask what's inside (and if you don't remember immediately, they'll ask you to open it). It's been in place for more than a decade, following the 2001 attacks.
Flights to other countries, European or otherwise, do not get that.
If your destination is European, you can often board a plane without showing your ID card even *once*.
So please, no French-bashing here, they're doing the security circus that Americans are telling them to do. Good that it hit a semi-celebrity at last so that annoyance finally reaches the news...
Possibly incompetence on the part of officialdom - but maybe not.
I imagine that it would not be too difficult these days to make a laptop that appeared to power up and operate yet without a hard-drive ... and hard drives are dense metally things that x-rays don't go through too well - rather like other dense things that can go pop.
Hard drives may be dense and metallic...but the housings usually aren't wholly metallic, plus due to design necessities, you can expect the interior to feature certain features in their x-ray silhouettes, like the platters. You can search and find x-ray images of hard drives. Trying to make explosives look like a bunch of authentic hard drive platters that can match that x-ray silhouette would be too elaborate and prone to breaking (some explosives can be solid, but not that solid).
Suppose ... just suppose ... that the laptop in question, whilst under the physical control of the passenger, isn't actually theirs? Meaning they WOULDN'T KNOW the login details.
It could be a team/support laptop that was brought along "just in case" but not all the team know (or need to know) the login.
".....Meaning they WOULDN'T KNOW the login details....." In such a case the result is you are not allowed to take the device onto the aircraft unless you can power it on and show it is a working device. You will be given the choice of proceeding without the item or not boarding. If you are lucky you might be allowed to open the device to show the interior components, but it is far more likely you will be forced to wait for a detailed examination by a police/TSA techie or the bomb squad (http://www.cnn.com/2014/07/06/us/tsa-security-measures/index.html). And not being able to power on the device will lead to additional screening measures (possibly including graphite grease and rubber gloves!).
1. US has this brain-dead regulation that says that on outbound flights to the US, electronic devices must be checked (turned on) by security personnel.
2. She might have had Linux installed, which the airport security staffer has probably never seen (they do not go to libraries much). Or the Windows/OS X logo was not displayed before decryption.
Why is this news? The French are actively trying to comply with US legislation, maybe a tad zealous, but hey ... as for the privacy moaners ... what personal data does a login screen expose, exactly? A custom background image, maybe?
This happened to me when leaving Canada in 2003.
I had to power up the laptop and log onto it. To be honest I was a bit miffed at having to go through security at all as it was an RAF flight to the UK with a lot of squaddies on board. We all had our SA80's in our possession and they didn't go through the xray machine or check for loaded rounds. They did however confiscate numerous plastic sporks, multi tools, and random items including a rabbit skin and a pair of pliers.
Jobsworths.....
I should add that we got all the stuff back when we landed, they even wrapped the sporks up and had a printed label with our names on ha ha.
The real problem here is Katie Moussouris is (a) such a geek she didn't know about the additional security measures on European-to-US flights, and (b) such a self-centered narcissist that she assumed the check was down to her being such a VIP (in her own mind anyway). Throw in the usual paranoia about "The Man" and you arrive at the current fuss.