I'm in the market for a new solid-state external hard drive, and my search got me thinking... this community would likely have some great tips to help cut marketing clutter away from useful cybersecurity features in electronics. What kinds of audio recorders are a safe bet for day-to-day interviews? Which small and portable new-model laptops, when properly configured, can hold their own at border crossings? What brands or products should be avoided due to supply chain or other issues? I've seen pieces of this in other threads (e.g. potentially buying Chromebook for day-to-day attachment opening) but thought it could be useful to consolidate other members' thoughts.
Recommended products
ethannorth
#2
What kinds of audio recorders are a safe bet for day-to-day interviews?
If you're concerned that your equipment might be seized, then an iPod touch might be a good choice, since it's small, has disk encryption, and doesn't have a SIM.
You can also use a DSLR to record audio. The memory chips are small, and therefore easily concealable, but if a chip is seized, it can be read, since it's not encrypted.
Which small and portable new-model laptops, when properly configured, can hold their own at border crossings?
Well... that really depends.
Microsoft escrows the disk encryption keys for laptops running Windows 10 "home edition," so customs could seize your laptop and request the key from Microsoft. Depending on which government they represent, that may go well for them, or not.
Microsoft claims not to escrow disk encryption keys for Windows 10 "professional." This is certainly better, but tackling your question from a "product," device, or software perspective misses a fundamental reality.
At a border crossing, customs will either:
-Let you pass (yay)
-Stop you, seize your device and read its contents (no disk encryption)
-Stop you, seize your device, send it to the lab and decrypt it (woops, Microsoft betrayed you)
-Stop you, seize your device, send it to the lab and fail to decrypt (you may never see your laptop again, and if you do, you don't want to use it)
None of these are good. Refusing to decrypt a laptop is not a situation you want to find yourself in; you have already lost. Customs can detain you for hours, you lose your device, and you probably get added to a few lists for your trouble. That's just customs. If you refuse to decrypt in the course of a criminal investigation, you can be jailed for contempt of court, potentially indefinitely or until the judge concedes that there is no use jailing you any longer, since you obviously have no intention of complying. In the U.S., this can be 18 months. No one wants that.
A better question would be: which people, when properly motivated, can hold their own at border crossings?
Snark aside, it's much easier to transit customs with a newly bought laptop, or no devices at all. Have a friendly browser history full of innocuous pocket litter and a bland set of documents in your home directory as well.
What brands or products should be avoided due to supply chain or other issues?
If you buy a Lenovo "consumer" laptop, as opposed to one of their "professional" laptops (the Thinkpad series), then do not trust the factory OS install. Lenovo has a history of installing malicious software, including a root certificate used to MITM the end user's web traffic, at one point.
crates
#3
I agree with Ethan; a bigger problem than "can my device withstand being read by an adversary with physical possession" is "if an LEA [e.g. border police] demand my password, what'll I do?" ... In my work with activists, the former is rarely the issue; the latter often is (and few can pass). So the more important question isn't "how well-encrypted is my device" but "how can I avoid finding myself in a situation where an LEA knows I have the password to data they want."
. . .
This is going to sound dumb ... but what about sticking your (encrypted) laptop in your checked luggage?
Or is that illegal these days?
. . .
ethannorth
#5
This might work sometimes, say if you're selected for secondary screening, but they're not really super interested in you. If you're properly detained, customs can send someone to pick up your checked baggage from the carousel; they know your flight number and your bag has your name tagged to it. Also, some airports have baggage claim inside the security perimeter.
ethannorth
#6
This is relevant:
http://www.sfgate.com/bayarea/article/Stockton-mayor-was-briefly-detained-on-return-6546419.php
The Mayor of Stockton, CA was detained at SFO by DHS, upon returning from a trip to a mayor's conference in China. They seized his devices and refused to let him leave the airport until he disclosed his passwords. They wouldn't let him contact his attorney.
This is frankly pretty typical for a "hard" secondary selection/detention in the US or UK. The mayor part is unusual, however.
Here's another relevant episode, this one with a WSJ reporter:
Notice that they escorted her to baggage check so that they could collect all of her baggage, before taking her to interrogation.
This is why I really advocate that you do not carry anything on your person that you wouldn't want a customs officer to read (including the contents of an encrypted drive).
It's also worth noting that in the case with the WSJ reporter, the DHS agent was already intimately familiar with her public profile (her Twitter, her published writings, basically who she is as a public person). Facial recognition and analyst tools are going to make this easier for customs to accomplish for less prominent people than WSJ journalists, soon.
This leads to an important point about pocket litter: don't be too cute with it. If your public profile includes your work for CAGE and your support for Palestinians, then don't transit Israeli customs with a copy of "From Holocaust Rescuers To The Avengers Of Munich: A History Of Mossad's Greatest Heroes." You will just annoy them and create more problems for yourself.
nilskidoo
#7
I can't remember where I first heard to do this, but I actually have a few Goofy stickers on my laptop, which really does help add to the idea for strangers that my machine is about as threatening as a kid's toy. I've crossed the Mexican border twice without anybody even bothering to turn it on.
I've not traveled overseas though, and while I genuinely keep nothing nefarious in reach I do think every little detail helps. And goddamn the appeal of Disney.
rorybyrne
#8
I wouldn't recommend that. A number of folks in our space have had their laptops in their luggage when they were both overtly search (e.g airport authorities leave a note) and covertly searched (e.g clear evidence of the laptop having been taken out and opened up.)
Wee don't recommend leaving a laptop in checked luggages, as it's better to at least know if your stuff is being taken out of sight/imaged etc. One of many methods to detect covert searching that we teach in training at SF is to leave papers in the bag then have marked Polaroid or very sensitive paper on top of the laptop. A number of folks have got covert searchers leaving fingerprints or at least signs of manipulation that way.
Ah, good advice. Probably help if I took off those Snowden and Assange fan boi stickers. Perhaps the EFF and "Smash US imperialism" as well.