May 07, 2008
Security ahead of risk at the border
News continues to worsen for business travelers carrying sensitive information. Under a troubling ruling by the Ninth U.S. Circuit Court of Appeals, U.S. Customs and Border Protection (CBP) can continue its practice of warrantless searches through computer data held by U.S. citizens and foreigners alike. With no cause or suspicion, the CBP may inspect, copy or seize data devices carried by anyone returning to the U.S. I'm not convinced that passive compliance is the best response to this situation.
The CBP put its best nonlinear thinkers to work on the case, convincing the court that the doctrine of routine border inspections to "prevent terrorists and terrorist weapons from entering [the U.S.]" can rightly be served by searches for expressive thought and personal communication. In keeping with a common pattern in which privacy rights are eroded, the CBP used a child porn suspect as a test case -- in which there was probable cause and reasonable suspicion based on other factors -- to justify why probable cause and reasonable suspicion would be unnecessary for the entire traveling populace.
The reaction has been swift and overwhelmingly negative; even the notoriously invasive U.S. Transportation Security Administration (TSA) posted a message online distancing itself from the CBP's actions. Business people in border states and working abroad, as well as casual travelers, now have ample reason to be nervous about taking a laptop, media player or even mobile phone through a U.S. border inspection. Not surprisingly, advice on how to avoid or defeat the inspections is popping up all over the Internet.
Collaboration
There's a risk the CBP has seriously overreached with this new power, and the public response reminds me of the day I learned the true meaning of teamwork. In the late '90s at a large mobile phone carrier, there had been a series of layoffs, serial shuffling of CEOs and cost-cutting measures that included more-intrusive tracking of employee performance. (As the dot-com bubble was expanding, the telecom world was leaking air and fluids.)
In the midst of empty cube farms and gulag-appropriate morale, the entire network operations team showed up one morning dressed to the nines. Gone were the geek T-shirts and suspenders, ratty blouses and jeans, hair ties and high-tops, and other tribal markings of serious network administrators. Throughout the network operations center and nearby offices, there were crisp suits or skirts, nice ties, pressed shirts and polished shoes -- more than a dozen staffers, and every single one was impeccable.
When asked, the lead admin simply said the team wanted to clean up its act, since the company was trying to work more efficiently and professionally. I didn't buy it, and neither did my director. After lunch, the director pressed the operations lead about what was going on, and kept at it.
Finally, the team lead relented: "One of us has a job interview."
Moral? Be careful what kind of collaboration you engender, especially as a result of actions perceived as unfair or by the creation of an untenable environment.
Hiding in crowds
If the CBP fosters widespread collaboration against its actions, it's likely to be counterproductive for both information security and national security. For individuals and organizations, more security measures are necessary to protect against an apparently random new threat to data confidentiality and integrity, since the CBP has published no guidelines about how it inspects, seizes, retains or returns the data or equipment.
For national security, random selection of samples might be a good tool for statistical information gathering or trend analysis, but it is useless for finding the proverbial terrorist needle in a haystack. It's simply the wrong approach for identifying risk, and because it comes at a high cost to individual rights, it follows that the practice of random search and seizure is unreasonable.
Much of the news coverage has approached this legally unproved idea from an accommodating perspective -- including Computerworld's own article on steps to follow during a CBP inspection. However, widespread public consensus -- reflected even in the comments to the Computerworld article linked above -- indicates that CBP data searches and seizures are prima facie unreasonable.
It follows, then, that it's perfectly appropriate to fight back with encryption, obfuscation and data-sharing technology that effectively hides anything of value, either by blending into the crowd of other travelers and business people or by placing it out of reach until one has safely entered the country.
On the other hand, I don't actually believe the searches are random. The CBP might have a protocol for identifying individuals, and it's possible that some CBP officers actually follow it (though direct observation indicates officers' personal predilections are the overriding factor). However, "profiling" has become a euphemism for racism, so it's difficult to express the process by which dangerous people are picked out of a crowd. As a result, the process is inconsistent and opaque. From a public perspective, all people doing interesting things are subject to increased and unpredictable risk.
The rub is that anyone carrying protected or encrypted data becomes interesting, and there's little one can do to mitigate that aside from being polite and unobtrusive. Accordingly, anyone actually paying attention to legal information-security requirements, corporate policy or personal privacy interests must assume that he or she is a target. If the trend continues in this direction, anyone carrying any protected data -- financial audits of outsourced partners, health care databases or disease profiles, remote business-unit travel plans, or field work of any kind -- becomes subject to seizure and unmonitored rifling through their data.
Duck and cover your assets
Without a clear resolution, those who travel with valuable data have little choice but to increase their level of preventive and responsive information security controls -- a combination of preparation and passive resistance. For some corporate travelers with astute IT support, this may just mean paying closer attention to existing policy and making sure that data is properly compartmentalized and backed up. For those without such security, a few basic guidelines are in order until this situation is resolved:
-- Regularly back up all information. Even if a portable computer is one's only computer, ensure that data carried through checkpoints is never the only copy. Where practical, an online incremental backup to a corporate IT service may work, but often it's as simple as doing it yourself with an external hard drive that never travels with you or at the same time.
-- Separate business and personal data. Some road warriors may carry two laptops, but for most people who travel a lot (and have some leeway about personal use of a corporate computer), this may just mean using Internet Explorer for work and Firefox for personal use. If personal use involves significant data storage or multiple applications, a virtual machine may be the right solution and can easily be backed up at home or copied to a DVD sent back by separate means.
-- Encrypt everything sensitive. Refusing to decrypt data or give the CBP a password may result in seizure or copying of data, but if backups have been done properly, this should have minimal impact -- maybe a week's or month's work. However, it's better than having some CBP forensics staffer or contractor pawing through clients' financial data or leering at a spouse's French beach pictures. Common sense and a pile of regulatory requirements demand that financial, health and government data be protected by encryption if they must be carried at all. Personal discretion would normally preclude collections of prurient videos and documents about landmarks and explosives, but people make their own choices regarding entertainment on the road. In both cases, encrypt what you must carry.
-- Securely retrieve remote data. If some data simply can't be exposed to the risk of warrantless review and undocumented exposure, then view and work with it using a remote, encrypted method if at all possible. Many enterprise document management systems include tools that allow for noncached work on documents and spreadsheets through an encrypted connection. Services such as Google Documents and other online office suites provide a decent approximation for personal use, provided that one maintains an encrypted session and is aware of other security issues.
-- Insure the equipment against loss. The CBP doesn't currently make any assurance about when a seized laptop will be given back; some have never been returned. Inquire beforehand what time period must elapse before your corporate or personal insurance will treat seizure as theft or other covered loss. If it's a gray area, get the insurer's positive response in writing or cover a negative response with a loss-of-use rider on the policy.
-- Report any losses. In addition to insurance claims and restoration of data from backups, there may be legal obligations to report an intrusive inspection where the hardware or media is seized or data copied, even if passwords are not divulged. The CBP does not publish its data retention or protection guidelines, so there is nothing that would, for example, satisfy Health Insurance Portability and Accountability Act requirements for a business associate agreement or the PCI requirement to identify those individuals who have had access to sensitive data. Copied or seized data may be subject to breach disclosure laws such as California's SB 1386, which requires notification of individuals whose personal information has been exposed or can't now be accounted for.
Until the search and seizure protocols are revealed, or until Congress slaps some constitutional sense back into the CBP, such options are the only practical response. When I lived in Washington, the overreaching misbehavior of one police officer was occasionally caught by an officer of one of the many other local and federal law enforcement agencies in the region. This was a far faster feedback loop than the courts and resulted in a fairly stable and high level of professionalism. Perhaps the CBP will seize the laptop of, say, a defense contractor of Middle Eastern descent carrying classified data that CBP officers and forensic staffers aren't cleared to see. If we're lucky, such a highly visible backfire will right the situation sooner rather than later.
Source: Network World