Crossing Borders

a_crypto_geek · 2017-03-06 01:22:13 UTC

ethannorth:

2.) The Android Problem: The article doesn't mention whether Ou carried Android or iOS devices, but if he had Android devices, then unfortunately it is likely that law enforcement was able to access his data. Why? Android uses LUKS disk encryption, which is the same FDE technology that's used to encrypt most Linux systems. The problem is that LUKS' security relies heavily on the length of the user's passphrase. If it's short, it becomes fairly trivial to decrypt the drive. This is a problem on Android because Google chose to make the disk encryption and device unlock passphrase the same. So, if you choose a strong, 40 character disk encryption passphrase for you Android phone, then you will have to enter that every time that you want to unlock the screen. Unsurprisingly, almost no one does this. iOS solves this problem by mixing the user generated pin with a unique key generated by the device's secure enclave, which is a separate chip on the device. This way, you can have your easy to remember pin and eat your secure device encryption cake, too. Google can't implement something similar, because Android is device agnostic; Google doesn't make phones, they make a phone operating system, which should ideally work on as many phones as possible. As a result, Google has no easy route to solving this problem. In theory, a powered-down Android device with a 40 char passphrase is just as secure as a powered-down iOS device, but in practice no one has a 40 char passphrase.

This problem is easily solved by using Cryptfs by @kapitanpetko (who also has a great blog on Android security). Basically it uncouples the lockscreen password from the FDE password. So when you boot up the phone from a full power down it requires the long FDE password, but you can still have a relatively short lockscreen password.

Anyone using Android FDE should use this.

ethannorth · 2017-03-06 03:36:04 UTC

This is a cool project and if I had an Android phone, I would use it.

I wouldn't recommend that people use this, though.

Since the app has the user set up a strong (hopefully ~40 character) passphrase for disk encryption, which only has to be entered when the device is booted, I'm afraid that people would just forget this passphrase. Even if the user wrote it down and kept it in a place they considered safe, running out of battery while out and about would render the phone unusable, since they would be unable to remember the passphrase after plugging the phone in to charge.

There are also other problems with Android, unfortunately:

gist.github.com

https://gist.github.com/anonymous/9f789aabd7e8681dec0cf5781aecf664

Why iOS.md

Your phone needs to be secure. Governments take advantage of phones to recover phone numbers, voice mails, emails, notes, texts --- anything sensitive that's ever passed through a phone. They'll even use phones to impersonate reporters and activists to their sources.

When a secure phone is locked, it won't give up any of its data. But even a secure phone won't protect you if it's unlocked!

iPhones are the safest phones, safer today than Android. 

There are a lot of reasons for this, but the simplest and most important is that only one company (Apple) makes iPhones, while many different companies (Samsung, Google) cooperate to make Android phones. That means securing an iPhones an easier technical problem. 

You can make an Android phone secure, but it takes some technical savvy to pick the right phone model and to know how to lock it down. Meanwhile, any recent Apple phone can be made safe without much effort. If you're not sure whether you're savvy enough, you should use an iPhone.

This file has been truncated. show original

ethannorth · 2017-03-09 19:49:16 UTC

The EFF wrote a white paper on the various legal and security implications of crossing the U.S. border with devices.

They have a section on secure deletion, which outlines the various pitfalls of this approach.

They point out that a factory re-set of an encrypted iOS device or Chromebook is more likely to be safe, since the encryption keys are stored on the "secure enclave" (in the case of iOS) or the TPM (Chromebooks). So, any data remaining on disk would be encrypted with this securely erased key, thus (probably) rendering this information unrecoverable, even if you unlock this wiped device at the border (probably).

The safe solution for sensitive work is to not cross the border with devices that contain, or have ever contained sensitive information.

I'm perfectly aware that this is a pain in the neck (it's also a pain in my neck, I also like to get work done when I'm traveling like everyone else).

This particular problem is going to require a legal, policy, and activist response. There is no cute hack to deal with physical coercion at the border. Until then, encrypting and uploading your data, then transiting customs with either no devices or an utterly clean (not wiped) device that has never touched sensitive info, is the best way to deal with this.

KAC · 2017-04-05 00:13:55 UTC

Another link:
https://www.zdziarski.com/blog/?p=6918#more-6918

jonathanstray · 2017-05-02 21:44:45 UTC

And on cue, the EFF has released a detailed guide for crossing the US border.