A few people are making a similar mistake. They are saying that RIPA forces you to hand over the keys to allow people to decrypt your content.
That's only partially accurate. RIPA also allows 'them' to demand that you make the plain text content available.
Not having the keys doesn't help you if you have had the keys, or 'they' think that you can get the keys. Thus, the wikileaks files are safe for me because there's no reasonable expectation that I can get access to the plaintext content. But if I have a bunch of encrypted files on my computer and encryption software and etc they are going to claim that I have access to the plain text data.
> that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section,
This could be easily combined with joshuaellinger's suggestion for a "travel mode". Flip a switch before you leave (analogous to "airplane mode") and then 2FA codes must come from a third party (your lawyer). When you arrive, contact the third party (your lawyer) and re-enable access using your own 2FA.
If you can be legally compelled to provide what's in your mind (password) and what's in your pocket (2FA device) then what's to stop them from compelling you to instruct your legal counsel (or whoever else is providing your "login escrow") to comply as well? It sounds like a ludicrous request but it's still in the realm of possibility.
Could they compel your lawyer to respond to your (under duress) request? Your lawyer would know, unless they could also make you not inform your lawyer that you were being detained. I hope that is not legally possible.
That's a thing actually. The IEEE code of ethics specifically forbids lying about technology. If I receive a national security letter about a technology issue, do I have to quit the IEEE? Can I explain to them that I have taken an earlier oath and that it takes precedence?
Instead, I would recommend resigning publicly from the IEEE by posting a message where it can be widely seen stating "I am forced to resign from the IEEE because my government has compelled me to violate the IEEE code of ethics. I am forbidden by law from explaining my actions."
Depends on the situation. If they asked you to install a backdoor, or weaken encryption, then yeah, I would say it violates IEEE ethics. If it was changing company policy to allow more people (the NSA) to access data, then that is not a technological change and not against (that particular) ethical guideline.
I think the point here is not that the lawyer could refuse the 2FA token if he detects duress. You have to give up the login credentials if you're able. The point is that you're now able to inform your lawyer that you're in detention.
You can work out a protocol with your 3rd party (e.g. lawyer) ahead of time that requires you to state where you are, and there's all sorts of coding available to you for that. He'll give up the token regardless, but might be able to start action on your behalf if he detects that you're not where you should be.
Going after 2-factor auth as the simple way to manage this ("I can't get access, personally") seems wrong to me.
The second factor is something you have. You'll normally travel with the "thing you have", and since many sites implement 2-factor differently, you'd have to change the setup for all of those sites before you travel.
Instead, what about not knowing the password?
This is pretty easy to do, and it's also good personal security generally.
Use a password manager (like KeePass or LastPass), and set all passwords to unique random strings of 16 characters or so. If the password manager enters the passwords into websites for you, you'll never type them (and thus never memorize them).
Then you just need a way to not know the keyphrase that unlocks your password manager datastore... that's easier to change quickly before you travel (or let your partner manage this, or use 2-factor on LastPass, etc. -- it's an easier problem, because it's just one thing).
From what I can tell, if they've targeted you, they're going to take your stuff. Doesn't matter if the drives look like noise or are nothing but zeros. The point is primarily to be a thorn in your side and to drain you of money. Any intel gleaned is just icing on the cake.
This, I think, is where it's at. I reset my phone and delete my TrueCrypt volume every time I cross a border. On the other side I just download the TC volume, download my app[1] onto my phone, and re-sync my data.
[1] This is a DB I wrote myself; it is sideloaded (i.e. isn't in an app store) and syncs data between my phone, laptop and desktop.
If they're watching you already, they are going to know about this DB full of good stuff you have, and they're going to demand you give them access to it, in the same way they can demand you give them keys and unencrypted data.
This got me thinking about the equipment I fly with from the UK. It seems that the only good way to protect your equipment while travelling is to actually not know your password at the time. This may even be implemented fairly simply: unless you're addicted to checking your email every minute, you can reasonably protect every sensitive drive / account with a new password before leaving, arrange for the password to be physically available at the destination, and turn everything off before departure.
I really don't have any idea what the response to that would be. But I'd rather have my laptop with full disk encryption taken away than to give access to emails. (and in practice to all other services via password resets)
For phones without a full disk encryption, you can reasonably easily back everything up, leave a copy online and restore on arrival, so that's not a big deal either. You can still use it as a phone in the meantime, just make sure it's completely wiped and has no connected accounts.
Imagine a police state aware 'travel mode' that does the following:
1. Locks all your devices at the start of travel.
2. To log into your laptop, you need a code from your phone.
3. If your phone received a login request, it would record your location and ambient conversation to a destination of your choice. Put in a little delay between receiving the code and displaying it.
4. When you log in with this code, you go into a low-privilege user account and/or it locks you out of anything sensitive.
5. To unlock, you request another code from your phone. It only works if you are at home.
You could carve out some exceptions for things you need while traveling that the bad guys who think they are good guys would already know.
You could also have a trusted person set your device passcodes and/or receive your 2fa codes and instruct them to not answer calls/reply to messages until you are at your destination.
Distress codes are an interesting idea. Although I'm sure that there are probably laws around supplying false information and/or destruction of evidence.
Dangerous, but what if your destruction code was 1 character out of 20 different to your actual password, do you reckon you could claim the intruder had fat fingers?
LE will generally create mirrored copies of your data before trying to access it and they'll decrypt it on another system that eliminates the risk of self destruction.
Interesting, because AFAIK Windows, for instance, refuses to load if it's not run on the same hardware configuration it was installed on. Something to do with licensing keys and DRM and such.
I suppose they image it, use the password on the actual machine, and if something goes wrong or self-destructs, they'll always have the image (it just takes a little more time to convince Windows to load).
My system doesn't have much data I couldn't clone from github or copy again from $some_picture_upload_service. GPG key is the only one that comes to mind really. It's the password to online services that's critical.
I like this, skip the political bull and jump straight to subversion, bravo!
Idea for a new service: trusted Tor-homed token vendor (a la DPR or similar bonded agency), takes advantage of the trusted third party model whilst providing a jackboot-thug resistant party to verify the full transaction. For bonus points add duress challenges which will fail authentication in a non-obvious way or provide fake but plausible data instead of the real thing.
You could also use those two-of-three or three-of-four encryption schemes (I only know about this partially--I've seen it mentioned as a way to safely store bitcoin private keys so that no one individual can access the account--only a quorum). Then it would take participation of two of three people (or three of four, etc) that know you to restore access (allows for some of the people you're relying on to be unreachable/dead).
That way the state doesn't have just one additional third-party target for getting access, they have to go after a group of hopefully decentralized people en masse.
Two factor authentication is a good defense against many practical threats but...
Wasn't Mr. Miranda's cell phone confiscated as well? That's what I understood from the news reports, they took his laptop and his phone, and required his passwords. So your regular Google/Facebook two factor authentication is useless if you've lost your phone.
Why not one-time use codes (e.g. [1]) instead of the phone? You can discreetly destroy the list that you carry as long as you can only get a new list at your destination.
That rather assumes that you have a convenient, fast, and unobtrusive way of destroying the list while being told "would you mind stepping over here, sir" in an airport full of security cameras.
The alternative - and much more practical suggestion - is not to travel with the codes. You run the risk of not being able to connect to the service - but at least no-one else can.
Journalists concerned with being detained already wipe their data or ship SD cards separately for fear of being compelled to forfeit them. They can simply discard the list before they head to the airport.
The most practical way to use this for non-2fa sites would be to have an overly long, random password and save it in the browser's password manager. Delete the Firefox profile before you travel, and you can't be compelled to reveal the password you could never remember.
You can probably do this with love hearts or similar - buy a couple and reassemble two tubes as matched, randomly chosen one time pads. Entropy would be terrible though.
You make it sound like they could demand that I access the encrypted content on a random third party and put me in jail for not coming up with the mathematical breakthrough needed to decrypt the data without the passphrase.
I doubt the law is that strict. Do you know what level of suspicion or proof is needed for the court to apply jail time?
However, after reading about section 49 for the last few minutes I did not spot what the burden of proof is for non-compliance, the range of penalties for non-compliance, nor how it scales with offense, and I do not know what "on reasonable grounds", a requirement to use section 49, means in UK law.
Another interesting quote is that in order to issue a notice you "must describe the protected information to which the notice relates;" What counts as "describe" in UK law? I would hope that authorities would not just be able to guess at the structure. I would hope they are required to have some other evidence that would allow them to describe the information they are seeking.
There's a big difference though. If you destroy your way of accessing the data after you've been asked to provide it (or when you expect the person you talk to will ask you to provide it), then it may be looked at in a very different way than if you really don't have it to begin with.
Change all your passwords with insanely long random keys.
Store these in a place you cannot access without being present (for example, a bank) (encrypted so the bank doesn't access it, and possibly more than 1 copy).
Don't travel with anything you wish to lose. On return, reclaim saved passwords.
I wonder how well security by obscurity - or at least partially by obscurity - would work in this sort of situation. Do they know enough to ask for the passwords to your randomly chosen server? Do they know enough to do steg on some random imgur photo, or on your forum avatar? Do they know enough to ask for the passwords for something that's going to be sent to you via the internet, on time-delay, after you've left their custody - and which you'll have plenty of time to send an abort code to, like say asking your computer back in your country of origin for a different file than the backup, if the password is compromised anyway?
I appreciate the people who are developing and evangelizing technology to fight these problems, but in my opinion it's akin to putting a band-aid on a gunshot wound. The problem is that the US government has repeatedly shown itself to be acting without an acceptable level of honesty, transparency, responsibility, or ethics. Until that changes, I don't think technology is going to solve this problem.
Exactly. Fundamentally, we are dealing with a social problem. And while you might be able to mitigate social problems with technology, you cannot solve them. And even with mitigation, all you are doing in the end is getting in an arms race.
Here is how you enable 2FA (assuming the service provider doesn't provide these directly to the bad guys). SMS can fall into the bad guys' hands easily:
1. Install OATH Toolkit.
2. Encrypt Swap space using eCryptFS.
3. Create a TrueCrypt file system with your 2FA keys in it.
4. Every time you need the code, mount (3), run (1), umount (3).
Again, this assumes the service provider doesn't provide the access directly to the bad guy.
Nine hour detention in a foreign airport is perhaps a far cry from torture; the implicit threat of a protracted prison sentence is getting a little bit closer though. In America, prison might as well be synonymous with rape, which is generally considered a form of torture in most civilized countries.
I'm not trying to invoke the literally worse than Hitler meme, because it isn't, but there was a notable geek activist who committed suicide recently under the threat of such. Certainly quite ominous.
IANAL, but I would definitely say so. There have been stories here on HN in the past about people having to hand over laptops and passwords when crossing the US border. A country's laws apply to its citizens and those visiting.
> Classic multi-authentication security is based around the idea of:
> Something you know (e.g. a password).
> Something you have (e.g. a smart card)
> Something you are (e.g. a fingerprint)
> rather than sending an SMS to his phone, it sent it to his partner's phone. Every time he wanted to log in to Facebook, he would have to ring his partner and ask for the one-time code.
New CloudSystems' Four Factor Authentication. The first factor stops your spouse. Then the second factor stops your boss. The third factor stops a random crackhead after he grabs your laptop out of your car. And finally, the fourth factor stops the NSA and GCHQ for up to nine hours.
Four Factor Authentication: Because -- You'll believe anything.
and you don't think they have enough time in those 9 hours asking you for your truecrypt password?
Remember: You have to give them your password!
The only way is encrypting your disk and not knowing the password. Sounds impractical, and it is. But maybe your phone could use geofencing to check whether you reached your destination and then display the password on the lock screen? But you should hope nobody steals your notebook and phone and travels to this location xD
Perhaps rather than a simple geo-fence, you have to physically trace an unlock pattern (visit a pre-determined set of locations in a specific order).
The only problem is that if you KNOW how to unlock the devices, you're required to unlock them. So really, you have to NOT know how to do the unlock (geo-fencing doesn't help--you'd be expected to tell them about the fence and how to pass).
The point of the third-party 2FA is that you can tell them exactly what has to be done.
Note that while the law talks about keys it also talks about "intelligible content" - (http://www.legislation.gov.uk/ukpga/2000/23/contents)
See also (http://wiki.openrightsgroup.org/wiki/Regulation_of_Investiga...)