[mindslight]

This has been the case for some time, and I doubt the unaccountable bureaucracy is going to change. So the only thing we can do is disrespect, mitigate, and undermine.

Here was my ad-hoc procedure from traveling internationally a few months ago (tourism), with a prior of not really expecting to be hassled on the way there, but unknown for the way back:

1. Choose the laptop I'm least likely to miss in the case it gets stolen by JBTs, with respect to the functionality I require.

2. Wipe(1) the first 10MB of disk (has only ever been LUKS), then one /dev/urandom pass into the entire thing. (In retrospect, zeros may have been better than random)

3. Reinstall Debian, with a passphrase I don't mind giving up. Sync over only files that I don't mind giving up.

4. Go through Japanese customs - the only question asked was "Are you with him?" (friend in front of me).

5a. At this point, I possess a still uncompromised machine at the destination, with stored ssh host keys, etc. When (last-minute) prepping, this possibility didn't quite occur to me. Not being prepared to take full advantage of this was regrettable.

5b. (If machine had been molested, I would have not logged into my privileged accounts at all. For the most part I didn't have to anyway, but since I wasn't fully prepared it came in handy once or twice)

6. For return, wipe first 10MB of disk again, then one /dev/zero pass to the entire thing (so there was no argument that I had encrypted data). Then mkdosfs on a whole-disk partition for derp-nothingness. (This was done with a Debian install image written to an old flash drive I had with me for the purpose. My only concern at this point is the hardware getting stolen.

7. Take hard drive out of laptop so that it is a separate device. This would most likely increase suspicion, but make them even less justified in stealing the whole machine (not that this would stop them).

8. Get waved through coming back through USG because laptop "searches" aren't actually that common for people not on the primary watchlist (everyone is on the secondary watchlist). Still, I will do the same thing next time, and think it irresponsible to not.

There are of course improvements that could be made to this, including a small default-booting "nothing to see here" install, with file times etc automatically adjusted. Automatic copying of machine credentials etc when you're at your destination. Using a separate partition instead of the flash drive. And of course automation of the process so it's easy for everyone to do :)

[toomuchtodo]

What tools could be used to boot off a trusted, non-writable USB stick to checksum the BIOS?

Difficulty level: Macbook Air

[mindslight]

Well, that's a completely different problem. If you travel frequently and your gear gets stolen for a few days at every border crossing? At the very least, I'd look into a laptop that was easily field-strippable, and figure out how to verify non-volatile storage with an external device, at least on return. And never fully trust the machine again either. Note that this problem is what TPMs purport to solve, but that doesn't help you against a major government which will demand a backdoor from the manufacturer.

My laptop was never touched by customs - had it been, my plan was to never trust the machine again.

Most people are in my situation - never actually getting hassled but wanting to protect themselves now that the gloves are coming off. In the future we all may have to deal with device quarantines of a few days at every crossing (what a boon to local sellers!) but that's not now.