106

Since laptop and other electronic device seizures at US borders became legal without a warrant (including making copies of data), 7% of ACTE's business travelers reported being subject to a seizure as far back as February 2008.

What measures have IT departments taken since to protect sensitive corporate data, and are there any estimates of their (aggregate or individual) costs? I've only found this article about the economic costs of laptop seizure, but no figures are mentioned.

Dan Dascalescu
  • 1,955
  • 2
  • 15
  • 24
  • 37
    I would trash any hardware they seize if i ever get it back...i'm going to say "no thank you" to spyware on my hardware – Freedo May 12 '15 at 00:15
  • 27
    What kind of mad world do we live in where forcing people to disclose their password is even vaguely considered ok... – undefined May 12 '15 at 22:32
  • 3
    I like the books of W. Gibson and other similar works, but would rather like they stay fiction. – Mindwin Remember Monica May 13 '15 at 15:49
  • 1
    Regarding the newly added cost estimation aspect, I am not sure there can be any general answer since it largely depends on the context. Some journalists and activists are brought to secondary inspection upon nearly each border crossings, while "uninteresting" travelers may go through their whole life without ever being asked any question. It is clear that the costs in these two situations are at two extremes... – WhiteWinterWolf May 14 '15 at 09:40
  • @WhiteWinterWolf: I was looking for estimates on the economic cost at large, coming primarily from business travel that no longer takes place, hence leading to missed opportunities, foreign companies choosing non-US partners etc. – Dan Dascalescu May 14 '15 at 19:20
  • @LukeMcGregor the same one where government employees can break into your house just because they've got a piece of paper called a "warrant". Same sort of thing. – Rob Grant May 18 '15 at 11:58
  • 1
    @robertgrant they don't have a warrant, or any reasonable cause that's part of what makes it so bad, also what could you possibly be bringing into the country you couldn't do completely anonymously via the internet? It's like the government randomly picking houses to break down the doors. – undefined May 18 '15 at 12:25
  • @LukeMcGregor sure, I just meant re: getting people to disclose their password as a general principle. The legal framework isn't there yet to limit it, but the principle isn't any different than before police powers were limited to b&e only when in possession of a warrant. It'll get there. – Rob Grant May 18 '15 at 13:58
  • 1
    @RobertGrant password disclosure is particularly bad as its a destructive request. Once you share your password its irreparably broken. And knowing one password someone uses is a huge insight into what they use elsewhere. I maintain that there's no point at all for doing it when anyone who genuinely has something to hide has so many avenues to avoid this kind of search (like not storing that data on their device). – undefined May 18 '15 at 22:24

10 Answers10

85

The ANSSI, French government service in charge of IT security, has published a document providing brief advice to people having to travel abroad.

Relevant here are the advisories concerning preparation before travel:

  1. Review the applicable company policy,
  2. Review destination country applicable laws,
  3. Prefer to use devices dedicated to travel (computers, smartphones, external storage etc.) and not containing any data not strictly needed for the mission,
  4. Backup all of your data before leaving and keep the backup in a safe place,
  5. Avoid taking any sensitive data at all, prefer to use a VPN (or a specially set up secured mailbox where all data will be deleted after retrieval) to retrieve the data securely (this is one of the most on-topic pieces of advice, since this one prevents any sensitive data from being present on the computer when crossing the border),
  6. Use a screen filter to avoid shoulder surfing during travel,
  7. Apply a distinctive sign on the computer and accessories (like a sticker, do not forget to put one on the computer bag) to facilitate tracking and avoid any accidental exchange.

The linked document then goes on with other advice concerning the rest of the trip but this is less relevant regarding the current topic. Sorry to provide French documents as a source, but the ANSSI is an authoritative source in France and I felt it could be a worthy addition to this discussion since these advisories seem to properly address the question.

Edit:

As some comments and the very useful answer from Spehro Pefhany below pointed out, there are two other things which should be noted:

  • If your computer is seized, if you are requested ciphering keys and password, do not put up any resistance since it may lead you into legal trouble (I suppose you are traveling with some sort of mission, it would be too bad for the mission to be canceled because you were not in measure to attend the meeting or respect some contractual engagements. Customs may have plenty of time, you may not.) However, immediately inform your company IT staff and managers so due actions can be taken (revoking corresponding accesses, passwords, certificates, etc.) and discuss the issue with them to determine the way to proceed since the seized then returned devices may not be trustable anymore (impact and mitigation directly depends on the nature of the mission).
  • Customs are a two way passage. When preparing your luggage for the return travel, ensure that you have properly cleaned up you devices (again, not only the laptop: all devices including cellphones, external storage, etc.): send your data to your company (in a ciphered form, again either using a VPN or a secured one-time email account) then wipe the files using appropriate software, delete browser's history/cache/cookies, delete OS temporary files, delete call, messages and voicemail history, delete information about used networks (Wifi accesses, proxies, etc.).

And while I'm at it, good advice for the traveler:

  • Be careful when you are offered any external media like a USB key or a CD. Be careful too when exchanging documents with other people using writeable external media (as a reminder, the write protection on SD-cards is software only and therefore cannot be trusted),
  • Do not plug your cellphone into the free public USB chargers, which are becoming more and more frequent in places like airports,
  • No matter if your devices have been seized or not, do not plug them back on your company network unless they got at the very least a thorough check.
  • At your return change all passwords which were used during your travel.
Ellie Kesselman
  • 488
  • 4
  • 20
WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
  • 16
    This is the best practical answer. Let them search your freshly-reimaged laptop. If you prevent them searching your laptop, and they notice, they can bar you from the country. Or in some cases deport you to the wrong place! – pjc50 May 11 '15 at 10:10
  • 9
    3 and 5 are particularly important. Attempting to hide or encrypt all your sensitive data just makes you look more suspicious. If you have a company laptop full of sensitive data, leave it at home. Take a "disposable" laptop with nothing but COTS/OSS software on it, and no sensitive documents at all. Arrange for documents to be delivered by another means. – Simon B May 11 '15 at 11:14
  • 19
    I'm the only one actually far more concerned of the security of my hardware after i get it back than having they scanning it on first place? What if they flash a malware on BIOS or put hardware spyware on it? Your sensitive data would be stolen as soon as you download it – Freedo May 12 '15 at 00:02
  • 1
    @Freedom: I've updated my answer to take remarks such as yours into account. For information, using a one-time secured email account (used only for this purpose and which will be deleted afterwards) is meant to mitigate the risk caused by such spyware compared to a full-fledged VPN access opening a direct access to the inner company's network. – WhiteWinterWolf May 12 '15 at 10:00
  • 5
    It should be safe to connect a cellphone or other device to a USB charger at an airport (or other public location) with a power-only cable (one that is missing the data wires). – Nathan Osman May 13 '15 at 18:02
  • 4
    @NathanOsman: Often such cables will result in non-charging or extremely slow charging because negotiation via the data cables is needed in order for the device to be allowed to draw greater than a tiny current over USB. Getting both protection and usable charging requires a proxy device that negotiates the current but does not allow arbitrary data over the wire. – R.. GitHub STOP HELPING ICE May 14 '15 at 17:54
  • 1
    @R.. Worth noting that Android has that functionality built-in. When you plug in your phone, the OS designates the connection as "for charging" until you unlock the device and select another option (transfer files, transfer photos, or MIDI input). – Ajedi32 Apr 21 '16 at 18:08
19

A useful and practical guide to securing information devices when crossing borders is provided by the Canadian Bar Association here. I would not say the U.S. border is the only one of concern, others such as China might eventually become similarly aggressive (though I've seen little sign of that to date).

The guide echos many of the points made in other answers (avoid having anything sensitive on the machine at all if unnecessary (preferably keep your travel computer forensically clean), do not make it any easier than necessary for the drive to be imaged, consider encryption, back up data where you can get it so it doesn't impact your livelihood were the device to be confiscated for an unknown length of time).

One important point is that if you lose control of your device at a frontier checkpoint, you should treat it as infected with spyware from that point forward.

You should have a backup of your smartphone available (not necessarily with you). Smartphones can hold a wealth of information- it might be worth it for frequent travelers to have a separate cellphone of the same type as their main phone and transfer the SIM card between phones. By default your phone can show a nosy person all the places your phone has stopped in the last couple of weeks, on a map, and if your neighborhood cinema (say) happens to be next to something provocative, it could arouse unnecessary suspicion.

Of course this applies to ordinary folk engaged in sensitive (perhaps unpopular or commercially valuable) but legal activities. If you're actually doing genuinely bad stuff this probably won't cut it (and that's fine).

It's also important to remember that your devices can be searched upon return to your home country. The mere presence of certain technical documents on your computer under the wrong circumstances can cause you to be at risk of many millions of dollars in fines and perhaps a decade behind bars because you would be deemed to have 'exported' them. The risk level probably goes up greatly if you have clearances that allow you to have privileged access to such documents and your itinerary looks odd-- to a border guard.

Spehro Pefhany
  • 569
  • 2
  • 10
  • 6
    This is a really excellent point: "if you lose control of your device at a frontier checkpoint, you should treat it as infected with spyware from that point forward". I am not worried about permanent laptop seizure, just about anyone at border control messing with my laptop or devices. I don't worry about NSA spying on me as much as about careless security practices by border patrol staff. If they mess with something of mine, I can't be certain they don't inadvertently cause any number of issues. – Ellie Kesselman May 12 '15 at 19:24
18

The best way to protect against that type of border search is actually not to have anything suspicious on the hardware you take through the custom.

Using encryption technology will most likely raise suspicion in the first place. Refusing to provide the necessary codes can, in some places, leads to the hardware being confiscated or even to you being arrested. Of course, that is highly dependent on which border you're actually crossing: in some part of the world, you're more at risk from petty theft than from government-sanctionned casual spying.

For the US, the EFF has a nice article regarding this specific issue highlighting a number of practical way to reduce your exposure (removing the data drive, storing data on a networked server, using a "travel" laptop, etc.)

For other countries and legislation, it has a lot to do with the local laws (and practices) so some research is most likely necessary.

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
Stephane
  • 18,607
  • 3
  • 62
  • 70
  • 12
    One of the more novel techniques I've heard about is people covering the screws on the reverse side of the laptop with glitter nail polish. When the polish is set they photography the unique pattern of dots created by the glitter suspended in the polish. It is highly unlikely (if not impossible) that anyone would be able to recreate that pattern after having moved the hard disk for cloning/analysis. –  May 12 '15 at 21:46
  • 5
    @JamesR [Here is an article](http://www.wired.com/2013/12/better-data-security-nail-polish/) about that nail polish treatment. – Dubu May 13 '15 at 09:06
  • 5
    A comment on "Using encryption technology will most likely raise suspicion in the first place"... may still be true for personal devices. However, full-disk encryption is pretty common for corporate-owned laptops (possibly with some key-escrow solution so that the corporate I.T. department can reset the password, but DHS won't have access to that). For example, all IBM employees who carry laptops use either PGP (Windows) or LUKS (Linux). And a corporate employee won't be fired for saying "only my employer's lawyer can tell you that password". – david May 13 '15 at 14:16
14

Full disk encryption is the most common one used. The cost would depend on the time which needs to be implemented by the IT department ontop of normal laptop staging. However in my experience FDE is a must for any organization taking its security serious.

Aside from that there are also some really anti-forensic tools, I remember a talk at Brucon where one of the speakers has had issues in regard to that and provided some tools to patch Truecrypt and have some anti-forensics.

Now in regard to situations where entry would be denied, you would have to rely on a risk assessment which is performed by your internal security office. They should define what should happen in such a case, which is either leave the US or surrender your keys.

Also note that recently U.S. District Judge Amy B. Jackson has issued the government a long overdue smack-down in this regard. While her ruling is based on the particularly egregious circumstances of this case (waiting for someone to leave in order to get around a warrant, seizing the laptop without searching it and transporting it to be imaged and forensically analyzed, the flimsy tip, and the lack of any allegation of a current crime), she resoundingly rejects CBP’s assertion that it needs no suspicion to do whatever it wants at the border regarding digital devices.

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
  • 12
    I've read that you [FDE is ineffective because you can be denied entry](http://www.makeuseof.com/tag/smartphone-laptop-searches-know-rights/) if you refuse to provide the decription key. – Dan Dascalescu May 11 '15 at 07:25
  • What it says is they can refuse you for spurious reasons, not for giving up your decryption key as this would be in violation of the fifth amendment. Let me update my answer. – Lucas Kauffman May 11 '15 at 07:29
  • 7
    @LucasKauffman Would violation of 5th amendment even apply to non-US citizens? – Hagen von Eitzen May 11 '15 at 11:37
  • 10
    The border admission process is not a legal proceeding. The 5th amendment therefore doesn't matter - self incrimination isn't applicable. – MSalters May 11 '15 at 12:13
  • In the US you need to tell any passwords, pins etc if you're asked and want to avoid legal consequences. In addition to the full-disk-encryption, a colleague of the IT department should encrypt all storages so that the traveler doesn't know how to encrypt the data. After passing the border control you can contact your company over a secure channel to get the password. – user3147268 May 11 '15 at 13:38
  • 5
    @user3147268 I don't think the fact that the traveler doesn't know how to decrypt the data matters (especially as everyone can pretend that). If you must surrender the keys the best way is to not have any sensitive data and only download it via a secure channel once you passed the border (for authentication you can use a smartcard which is common enough to not raise any suspicions). –  May 11 '15 at 14:23
  • 7
    If i used TrueCrypt, i would create a [1,339,036,935,291 byte file](https://thepiratebay.se/torrent/11718231/twasnme_-_Star_Trek__The_Next_Generation), with an innocuous name (e.g. twasnme - Star Trek_ The Next Generation.mkv). Inside that volume would be a hidden volume. That is what i would do if i used TrueCrypt. But i don't use TrueCrypt; and i definitely don't have a hidden volume anywhere. – Ian Boyd May 11 '15 at 18:51
  • @IanBoyd ...and you haven't gotten yourself any unwanted attention with certain TLAs over that last remark. – Dan Is Fiddling By Firelight May 11 '15 at 21:35
  • 3
    @DanNeely [simply being on a tech forum](http://yro.slashdot.org/story/14/07/03/1846215/nsa-considers-linux-journal-readers-tor-and-linux-users-extremists) draws attention to you, so I think the "damage" is already done. –  May 12 '15 at 10:12
  • @HagenvonEitzen non-citizens do not have constitutionally protected rights, per se, though some of them come into play when foreigners are on American soil. (This is why the terrorist detainees are kept off US soil... so they can't attempt to invoke any of these rights.) So if you're at a border crossing and not an American, don't expect to be protected by the 1st or 5th amendments. – Rick Chatham May 15 '15 at 17:36
13

I have two solutions. Both require Full Disk Encryption (FDE).

First Solution

Credit to Bruce Schneier.

  1. Just before leaving home, create a second key. Type it with your forehead, a cat or dog, just so it's random and not possible to remember.
  2. Send the second key to a trusted person, preferably someone with a privileged relationship, i.e. lawyer, priest/preacher (get your IT guys ordained over the internet, Instant Privilege!), and test to make sure it works.
  3. Shred or destroy all copies of the new key.
  4. Be productive on the flight home, then delete the key you normally use.

--Don't lie to customs, it may be a crime in many places. Even show them this article.

--Explain that they can confiscate and/or copy the laptop, but they will have to go through the courts to be able to see the data. Only explain the last part if you have to. Don't be a dick.

  1. After customs, get your random key back, add usual key.

Second Solution

With FDE, send non-memorizable keyfile to your destination also send or keep a copy with a trusted person.

Or Ship laptop and keep decryption keyfile on a tiny USB drive. keep it in your carry-on or, if you're paranoid, in one of many skin folds or orifices.

Someone.Else
  • 146
  • 4
  • 7
    Your "priest" has better to know GPG for this solution to be trustable. Indeed, if you are willing to apply this procedure, it means you carry valuable data. If you send the password by email to the priest, then you can assume that the NSA has access to the email content. With the customs making a copy of the hard disk content, they have all that is needed to decipher it without your help. – WhiteWinterWolf May 12 '15 at 12:57
  • 3
    It doesn't mean the person is carrying valuable data. It could mean they don't want their device messed with, and/or just abhor the power grab of computer searches at customs. It could even become a grass roots practice to always have a friend change to an unknown password before going through customs. Or even to bring a device (or several) full of pointless decryption puzzles but no useful data through customs on every trip. – Dronz May 12 '15 at 19:03
  • @WhiteWinterWolf Sending the key could be by carrier pigeon, RTTY on 40 meter radio, or GPG encrypted email. All of my work email is encrypted, and all of it is pretty boring. If the NSA asked me nicely, I would even show them. If they were really interested, I'm sure they already know. Dronz, Exactly, value is relative. Aztech Group just paid Millions for a pork recipe. I use GPG to trade worthless, but yummy, fish recipes with my brother. I send text messages—encrypted, not because, “Dude, I'm on my way.” is valuable, but because my privacy is. I even use Tor to check the weather. – Someone.Else May 16 '15 at 16:06
4

The most efficient approach I can imagine is the following:

  • Boot from a USB media
  • Mount a hidden encrypted volume located on internal media
  • Leave boot media at home
  • Use a screen saver which upon seeing a secondary password will cause a system crash.
  • Have a bootable system on the internal media using the secondary password as login password.

There is a few caveats to this approach. First of all, if you run out of battery, all data on the laptop will be inaccessible until you can get a new boot media. If the system on the internal media is ever booted, it may overwrite some of the encrypted data, so in that case you would need to consider your encrypted image lost.

The data loss in that case is no worse than in case the laptop is stolen. And the protection you need in both cases will be the same, you need to have a backup of your data in a secure location.

Additionally, you need to be aware that some (maybe all) storage encryption implementations have a weakness in that the key and some confidential data remains in RAM while suspended. For security upon suspend the key should be wiped from RAM after all other data in RAM has been encrypted. It needs to be such that upon waking from suspend the only thing the machine can do is to accept a screen saver unlock password, which will decrypt the RAM, or it can accept the secondary password causing a crash. (Some of the implementation details can be varied about from what I sketched here, and still remain secure.)

Hibernation is less secure, because you don't want to leave data on the internal media, which gives away the existence of the above constructions.

kasperd
  • 5,442
  • 1
  • 19
  • 38
  • Why do you need to force a crash? Why not just reboot into the clean OS before going through security? – Mike Ounsworth May 11 '15 at 13:23
  • @MikeOunsworth Because in the scenario I describe, booting the OS from the internal media would cause the encrypted image to be damaged. Moreover simply shutting down the machine would mean the encrypted image would be inaccessible until you have the boot media again. The point being that there would be nothing giving away the presence of the encrypted data once the machine had been shut down, but that would also mean you wouldn't be able to decrypt it. – kasperd May 11 '15 at 13:30
  • 1
    ....while I agree that's certainly secure, I'm skeptical that it's the _most_ efficient. – Mike Ounsworth May 11 '15 at 13:37
  • 1
    @MikeOunsworth Most efficient efficient at hiding the presence of any encrypted data. If they cannot see that there is any encrypted data on the laptop, they won't be asking for the decryption key. I'm not saying there isn't any more efficient solution, I'm just saying, I don't know what it would be. – kasperd May 11 '15 at 13:51
3

Full-disk encryption, three-level.

First level: secure boot to the OS. Normal counter-measures (two flash drives/CD for bootloader signature verification, USB-AES passthrough devices and TPM/UEFI signing where applicable).

Second level: inner container with data - split it into two parts (each 128 KB of disk space, eject 1 KB of data to remote storage).

Third level: transfer the rights to access/deny the data to a third party. In a form of "I must ask unaffiliated person from non-US jurisdiction to either receive secure data or get it deleted".

So: officials can't access your data or apply legal measures to you (because technically the key is outside of their or your reach); your data is secured.

Peter Mortensen
  • 885
  • 5
  • 10
kagali-san
  • 171
  • 3
1

In many places I've been in departments typically have "travel laptops". These are blank laptops with standard corporate encryption, office, a web browser (for email access) and that's it nothing else! No access to corporate networks, no access to personal disk areas nout!

These laptops were used whenever an employee left the country regardless of where they were going. The employee could simply load the laptop up with powerpoints / necessary documents go to their meeting and upon their return the laptop is re-imaged and is fresh again. I'm not sure the policy took into account forensic examination but in terms of sheer damage limitation it seems to work quite well.

daark
  • 272
  • 2
  • 7
0

This works as a security for all types of communication. It's also a kind of security by obscurity.

Simply insert a number of keywords into any document / communication: Terror threat. Bomb. Nuclear. Royal family.

Selection of current time important individuals by name ~ presidents, prime minsisters, etc. Do the same for events ~ Olympics, World Cup, etc.

The poor security services will be so busy trying to find the real useful information from the polluting rubbish they will never have time to do anything else.

Downside to this: Everyone needs to do it for it to be truly effective. Actual criminal activities will get lost in all the noise, which is probably not helpful.

Peter Mortensen
  • 885
  • 5
  • 10
DaveM
  • 109
  • 2
  • 1
    This idea reminds me of the [Jam Echelon Day](http://archive.wired.com/politics/law/news/1999/10/32039), a day during which all people around the Earth were encouraged to put specific keywords in all of their mail, phone, fax and so on communication in order to overflow the NSA's Echelon monitoring system... – WhiteWinterWolf May 14 '15 at 12:13
  • @WhiteWinterWolf OK cool. Never heard of that but seems like the easiest thing to implement on an individual basis... Could even be done in the software level, so the text is coloured white (or page colour) son as not to distract from the rest of the document, but still visible to any text extraction system. – DaveM May 14 '15 at 13:39
  • 3
    From a more practical point of view, do not forget that customs have got plenty of time and do not care if they ruin your business by keeping you in a 8 hours interview, making you miss your appointment, and seizing all of your devices "for further analysis", making you loose all of the material you had, for instance, to show to a potential customer. In other words, at the end, being "over-dirty" might bother you much more than it may bother them, which is not the case if you remain clean and they have therefore no justification for any kind of further investigation. – WhiteWinterWolf May 14 '15 at 14:04
  • @WhiteWinterWolf fair point. The idea is that there is so much noise they need to go through everything. You can just say... Knock yourself out, search away, make a copy but let me go on my way. The idea isn't to hide your data, its to make iit too time consuming to be able to get through every bodies work. If they searched my hard disk they would find gigabytes of genetic code. I'm not sure how mad they will go looking through strings of ATGC just trying to find an actual word. – DaveM May 14 '15 at 18:37
  • 2
    "You can just say... Knock yourself out, search away, make a copy but let me go on my way." Yes, you can say whatever you like. In this case, they will respond, "No, you're staying right here." Your move. – David Richerby May 16 '15 at 11:45
  • Or you can do the opposite by pretending to work for the NSA or CIA and have the laptop display a message at boot up that says that proceeding with the boot up is illegal under federal law unless done by a person explicitly authorized to use this computer. – Count Iblis May 18 '15 at 16:43
-1

You can hide the fact that you have heavily encrypted files by using the one time pad method. You can dump (encrypted) data from sensitive files in the form of fake high ISO noise in image files. To decrypt, you must have access to the original image files via e.g. Google Drive. If someone gains access to your Google Drive account they will only see image files, they won't suspect that you need to combine these files with the ones on your computer to extract the files (which then need to be decrypted using conventional means).

You an then travel while pretending to be just another tourist who is proud to show off his pictures to the border guards.

Count Iblis
  • 228
  • 1
  • 5
  • 1
    This is theoretically sound, but in the absence of off-the-shelf software to execute it with attention to all the details, is likely to get people in _even more_ trouble when, not if, it fails. – zwol May 11 '15 at 18:26
  • It's ultimately just addition of bits (addition modulo 2), it's the most simple form of encryption you can think about. You may need a hex editor and some basic photo editing software like ImageJ or ImageMagick. – Count Iblis May 11 '15 at 18:33
  • 2
    It is nonetheless subject to any number of *operational* security problems which render it extremely difficult to execute safely by hand. – zwol May 11 '15 at 18:55
  • Just wanted to chime in that you should absolutely never ever store anything meant to be kept secure on any third party service ever. Also ensure that if you do store something remotely on private servers, ensure the data never leaves the borders of the united states. This is how NSA legally spies on Americans. They cooperate with companies like google, google then decides to "randomly" move the server data containing your shiz to an out of country server, then back to the USA, making it legally searchable/crackable/copyable by the NSA. (external and thus "non-american" inbound data logic). –  May 12 '15 at 23:12
  • @DigitalArchitect I agree, but then the one time pad method allows you to split up the data into white noise and store that in different locations. There is certainly no problem with storing the original 16 bit tif files on Google Drive. If on your PC you have the same pictures but with some noise added to it, the border guards will not notice anything. – Count Iblis May 13 '15 at 01:36
  • 1
    @CountIblis Unless, of course, they've read this answer and suspect you might have done such a thing... – phyrfox May 13 '15 at 17:08
  • @phyrfox Right, but there is simple solution to that, as you can make fake files and split them up into white noise components as well. Then if the border guards tell you that they know everything and you are now supposed to reconstruct the original files, they still won't be able to tell if you have reconstructed the real files or just the fake files. – Count Iblis May 13 '15 at 17:18
  • It's unclear what you're suggesting, here. If you want the images to still be viewable, you can only mess around with the low-order bits of the image data, which means you need an awful lot of image to store not a huge amount of data. For example, a gigabyte of data hidden in the bottom two bits of the image data requires four gigabytes of images. You're not going to be able to do that by hand, without automatic software. – David Richerby May 16 '15 at 11:43
  • @DavidRicherby Yes, you need many images. However, it is possible to do a less rigorous one time pad encoding by only adding random bits to a fraction of the data. Since the original data was already RSA encoded, you only need to add one bit to each block of data that is encoded. – Count Iblis May 16 '15 at 15:57