Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets.  It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.

Share
  • D. Sanger

    Bruce is missing one important point – encrypting your laptop’s content is going to raise much more suspicion than filenames with “virus” in their filename so not only will encrypting not save you, it will probably just get you into more troubles.

  • http://lair.moria.org/blog Barry Irwin

    Tools such as TrueCrypt offer a “rubber hose” option so if you really want one can double encrypt the data, and have plausible deniability should you need to. This technical capability aside, probably he majority of airport staff wouldn’t look last a archive file (tar is good on a windows system ;) . In most cases if one really wants to hide something there are many ways it can be done with a lot more stealth, that would take a detailed forensic analysis to reveal the existence of.

  • Me

    Barry,

    If and when asked you are required to reveal or type in your password. If not; you will be asked to return to where you came from.

  • Hack

    Interesting topic. I have experience shipping laptops globally. In one instance due to paperwork, the laptop was seized by the foreign govt. In many instances there are encryption import/export laws. For many cases the laptops are held in customs for a week. What they are during that time, no one knows. I would not necessarily promote the FDE for carry on laptops, but if shipped FDE would be optimal in my opinion.

  • anonymous

    “However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.”

    You are right.

    Travelling to the U.S. includes all the risks and all the horrors with or without laptop scanning.