Whit some tips for bringing devices when you travel to the US.
When you log into Windows with a Microsoft account, your recovery key is often automatically uploaded to Microsoft’s servers as a backup in case you forget your password. Legally, this means Microsoft owns the key and must surrender it under the U.S. CLOUD Act.
I find that really quite shocking, but I guess I shouldn’t be surprised.
Given the legal and technical risks, the advice for business travelers is clear: do not carry data.
The US really is a hostile surveillance state.
I had read like 15 years back the encryption was basically unbreakable absent password guessing. That like the password to open the computer was unbreakable almost, and princeton researchers found a way to break it by taking it apart and freezing it with some aerosol to super cold and reading it with a microscope.
I know next to nothing of it otherwise. But has it always been like this or is this a new thing with microsoft having your password?
One could cool down system memory before power is cut to a point where it retains in-use plaintext encryption keys. One basically renders the otherwise volatile system memory temporarily nonvolatile. And if one manages to keep the temperatures low for long enough, one could swap those memory modules into one’s own computer/motherboard and print the keys. As you can imagine, the resources needed for this type of attack makes the proposition of it infeasible. Then again, if your adversary is a nation state… Fingers crossed?
I don’t use Windows, except in a VM as absolutely necessary. Problem solved.
Cut it’s networking off (and only turn on when you absolutely need it) and use a big fat filter in hosts just in case.
A shared folder is good enough.
On a laptop it is relatively simple to maintain encrypted stealth “drives” within a logged in and decrypted system. Is there a way to “unlock” a phone that depending on the password given will present a true versus secretly sanitized version? For example if you login with password 1234 you get a sanitized version and if you log in with password xyz789 you get the full access. All of it done without a tell that the “full access” version exists.
On Graphene OS there is a duress pin you can set which will wipe the phone immediately if it’s entered. Although I haven’t been able to get it to work in a way that i could open different profiles automatically by entering a different pin/fingerprint.
BUT.
My old Xiaomi Mi Mix 3 phone could do it. The phone had a “secure space” which was a separate environment with its own apps. I could assign different unlock fingerprints to it. So one finger would open the default environment and the other finger would open the “secure space”, and it worked seamlessly without any delays in unlocking.
I wouldn’t choose Xiaomi for privacy obviously but it’s just an example that shows it’s possible.
Just note: Using the duress pin after you know the cops are after you could open you up to evidence tampering charges.
The best tip: don’t travel to the U.S.A. “But my business…” Tip number two: stop doing business with the U.S.A.
