fnord888:

skinnersboxy:

fnord888:

evolution-is-just-a-theorem:

skinnersboxy:

I will soon be going to the UK for school for a year. Does anyone have advice on how not to have all your shit hacked by both the UK and US when crossing borders?

Encrypt it, have it completely turned off, take an sha256 sum of the whole thing before and after, if it changed restore from backup or buy a new computer. (Depending on what changed)

This is probably necessary and probably not sufficient.

That is probably slightly in excess of the necessary (for the average case) and definitely not sufficient (for the worst case).

If you’re worried about legal force compelling you to decrypt your computer at customs, that’s a very tricky problem to solve with software. Fortunately, there’s a simple non-software countermeasure: don’t carry your computer through customs. Make a backup*, then either ship it, or restore the backup on a new computer. That’s probably the most important bit @evolution-is-just-a-theorem is missing.

Then there’s the matter of keeping it secure when it’s out of your physical control (which could happen even if you do decide to carry it through customs yourself). Full disk encryption and turn it completely off is the start here, and probably sufficient for the average case.

Keeping a hash of the contents isn’t a bad idea, but it’s woefully insufficient for the worst case. You’re better off just buying a new computer regardless. If you’re worried about being targeted by NSA-level adversaries, there’s no way you can trust a computer that they’ve had physical access to. The secure hash of the contents protects you from the changes in the disk contents, but there are plenty of other attacks an NSA-level adversary could use.

*Obviously, don’t carry a local backup through customs either; use a service like tarsnap or leave the local backup with a trusted friend who isn’t leaving the country.

I was planning on not having it on me and shipping it, but it seems like if they’re willing to take it from me personally at the border, they’d be willing to intercept packages. Is that true, or is it just too inconvenient for them to bother?

I’m not worried about state level actors coming for me in particular, it just seems like the TSA has been installing rootkits and keyloggers and cloning phones as a matter of course in recent months, and I’d like to avoid that. I am considering buying a new laptop while I’m there, but it’s money I’d like not to spend if at all possible.

And yeah, I have full disk encryption, am going to turn it all the way off, etc. Rubber hose cryptanalysis is in fact a thing but I also don’t think I’m that kind of a target.

(As an aside, the EFF has a guide about this that you might be interested in).

If you use good encryption (and turn your computer all the way off) your privacy should still be secure even if it’s searched while being shipped (though it might disappear forever, hence the recommendation to make a backup). Probably the only way they access your encrypted data is if you give them the keys, and not having the device with you dramatically reduces the chance of being asked to/pressured to/detained* into doing that.

*US DHS agents probably can’t indefinitely detain (or refuse entry to) a US citizen for refusing to provide a key/password (AFAIK this hasn’t been tested in court, also this is not legal advice), and they certainly can’t use an actual rubber hose, but they can hold you for “heightened screening” for at least a while.

US Citizen, went to school in the UK for three years. Never had anything electronic actually searched. If you end up giving them your computer assume it’s probably compromised, and make backups accordingly, but assuming a reasonable value of your time, no major political activism (if you’ve worked for the Tor project, this is a whole other conversation), and that you’re not brown, I think “sell and buy new if you have to hand over to the TSA, otherwise just make backups” is the optimal use of time.
