Please post again with the answers they give you so we can all learn something!

Anyway, I started with a service that claimed they could decrypt the protected file without knowing the password. They would decrypt a small part of the file for fre as a demo. Following their instructions, about 2 minutes later I then had an accurately decrypted version of the first 5 or so lines of the file. For about $25 they would decrypt the whole file. Not entirely unreasonable, but I wanted to see what else was out there.

After that, I found various programs that would use various approaches to trying numerous passwords, one after the other, until the file password was found. I downloaded a demo version of one of these because I knew that if it found the password, it would show the first 2 characters. At first, I just let the program run to see what would happen. It tried about 400,000 passwords PER SECOND and estimated that at the worst case it would take 3 days to find the password. However, the program also had a feature where if you knew anything at all about the password, it would start with that and then move on. I was pretty sure that the password was all lower case, somewhere between 5 and 10 characters, and that part of it was probably a dictionary word. (Yeah, I know, not a great password.) I started the program up again. The password was found in - get this - 43 seconds.

My point is simple. No matter what password you choose, there's a tool out there that will bypass it for peanuts. I do realize that the Microsoft suite has never been considered paarticularly secure, but the fact that files can be read even without knowing the password is pretty scary. Encryption and physical separation will go a lot farther than a simple password any day.

And as for me, once I saw the 2 characters of the password, I knew what the full password was. I had chosen a password that no one would ever guess, but clearly that no longer matters!

The Uniform Traffic Code, which has been adopted by all states, generally provides that a license plate must be "clearly visible from a distance of 50 feet." Even snow or mud on your plate is a violation.

Most importantly, the sprays DO NOT WORK, even if they were legal to use. All it is is a clear lacquer you spray on on the premise that it cause the "flashes" from the cameras to bounce back and cause the image to flare out in the camera lens. Problem is, physics does not agree. As a professional photographer who deals with light and reflection all the time, allow me to explain.

Note that in the photo on the website, the before-and-after photos are taken from directly behind the vehicle, and the "after" image is simply Photoshopped to wash out the plate, which is illuminated from directly over the shoulder of the photographer. Note the light flare on the bumper immediately above the plate.

What this illustrates is that the "shiny surface" effect they claim ONLY OCCURS when the angle of reflection of light illuminating the plate, which is by physical law equal to the angle of incidence, coincides with the lens of the camera or the eye of the observer. In other words, it ONLY works when, from the observer's point of view (be it a person or camera) the light is being reflected DIRECTLY BACK to the light source, and the observer (camera) happens to be in line or nearly in line with that illumination. It's no different than looking in a mirror. The sun may be illuminating the surface the mirror, and it's reflection will appear somewhere, but unless your eye is within the zone of reflectance of the sun, you won't be dazzled by it.

Now, one might think that the illustration of the photo radar camera, with the strobe right by the lens, would cause this to occur, but there is one more element involved, which is that the reflecting surface (the plate with the spray on it) must be "normal" or perpendicular to the incoming light rays if the light is to be reflected back to the source. If the plate is angled at all, up, down, or to either side, the angle of incidence is changed and the "reflection" that's supposed to obscure the plate moves off at an angle equal to the angle that the light strikes the plate from.

Therefore, if the photographer in the "demo" photo had moved even a foot to one side, he would have been out of the zone of reflection and the plate would become clearly visible.

And, as it happens, all photo radar installations are placed to one side of the roadway and higher than the vehicles, which means that the angle of incidence against the plate from the strobe is quite oblique, which makes the zone of reflection appear on the opposite side of the vehicle, on the ground, at equal angles both horizontally and vertically from the camera, and the photo of the plate is perfectly clear and readable.

In short, this plate spray is a well-known and long-debunked scam and complete waste of money. Cops love it because it a) gives them probable cause to stop your (obscuring/tampering with license plate) and it leads people to think, wrongly, that they can speed with impunity, which garners a hefty fine that usually goes right back to the police department.

Don't fall for this scam!

First, remember that they key concept of a decoy operating system is to minimize the risk of appearing suspicious. If you decline to provide an encryption password, you will appear suspicious. If you provide a password that appears to boot a system, you are far less likely to turn heads, and 99.9% of the time you will pass through customs without incident (see below).

Second, I understand that there will be instances in which one may be subject to a "random search", or various threat levels will be high enough to increase the scrutiny of customs agents. In those scenarios, a smart individual will pre-ship their laptop/data to their destination ahead of time, or simply leave it at home. I’ve dealt with “random searches” during 6 of the 10 times I’ve traveled to/from Australia over the last decade, and 5 were on the Australian side of the fence.

Third, I don’t consider TrueCrypt to be an “over the counter” or “off the shelf” product, nor do most IT security experts. In fact, after dealing with most of the closed source full disk encryption programs over the last few years (SafeGuard, Pointsec, SafeBoot, GuardianEdge, Bit-Locker, etc), I have far more faith in an open source project that is scrutinized by many expert programmers and encryption experts in the industry.

Fourth, you are correct that a seized laptop will be imaged, and the image will be attacked with multiple vectors. However, AES-256 encryption has yet to be broken. Period. If a higher level of encryption is desired, cascading encryption can be implemented with TrueCrypt (at a performance decrease, of course). I quote from Wikipedia:

------------- Until May 2009, the only successful published attacks against the full AES were side-channel attacks on specific implementations. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced that AES may be used to protect classified information:

“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use." -------------

I don’t know about you, but if AES is good enough for TOP SECRET status, I feel pretty comfortable using it. To say that every single encryption program on the market can cracked by the NSA is simply naïve.

Fifth, I manage over 200 Pointsec full disk encrypted employee laptops for a Bank, and those employees frequently travel all over the world. I have yet to encounter even ONE seized laptop after the encryption password was provided to customs agents to boot the system. How would TrueCrypt be any different? If you are honest and give them the password, why would they question otherwise? It’s not a question of trying to hide the fact that the system is encrypted. It’s announcing it, and complying with their wishes for you to show that you have nothing to hide. Do you honestly believe that customs agents don’t deal with hundreds (or even thousands) of fully encrypted laptops on a daily basis, ESPECIALLY when it is (just short of) mandatory per FFIEC financial institution guidelines?

Sixth, I seriously doubt every single packet on the Internet is logged. While there may be large monitoring programs like Eschelon in place, the Internet was never designed for privacy. I would hope most individuals are cautious about what they send/receive to/from the Internet, and have long since migrated to VPN tunnels, proxies, and SSL-driven websites. Do you HONESTLY believe that there are individuals gathering, decrypting, and reading every single encrypted packet that crosses the Internet? I hope not, because it simply isn’t happening. Unencrypted data, maybe. Encrypted data, fat chance.

Seventh, are you SERIOUSLY recommending that people put data on an Iron Key and place it in their rectum? You don’t think this will show up in a full body X-Ray scan (soon to be EXTREMELY common place). Boy, wouldn’t that make someone look REALLY suspicious. And don’t you think most governments know about the 10 failed password self-destruct mechanism? They’d torture the password out of anyone within a day. I promise.

Eight, you’ve missed the whole concept of a hollow coin, which is to mix it in with a handful of change. I have NEVER seen a customs agent sift through anyone’s change for fake coins. Last I checked, X-Rays don’t travel too well through metal. If your nickel is mixed in with a handful of change, it’s very unlikely that it will be noticed on the X-Ray monitor. Let’s say they do find the coin, and examine the contents of the memory card. They will see a randomly named file (if you were smart and renamed the TrueCrypt volume). If they DO happen to determine what kind of file it is, why not comply and give them the outer volume password with your decoy files and satisfy their curiosity. Last I checked, the Iron Key didn’t have a decoy feature.

Ninth, you suggest that an individual email their sensitive data to a friend ahead of time, but previously state that the “three letter agencies” monitor every Internet transmission and specifically look for encrypted data as a red flag. Which advice am I supposed to take?

Tenth, I appreciate your advice on selecting passwords. With over 12 years of IT security experience and CISSP , CCSP, CCNP, CEH, and MCPIP Security certifications, I am well aware of the various techniques that can be used to make passwords hard to find and/or use. I noticed that your passwords only utilize two of the four common complexity requirements. I recommend that all individuals not only set passwords at the maximum limit supported by the system (within reason), but that lower case letters, uppercase letters, numbers, AND symbols all be utilized. Multifactor authentication (tokens, biometrics, one-time PINS, etc) should also be utilized if available. I also recommend that everyone keep their passwords memorized, or at a minimum encrypted with a VERY long passphrase (try using a very long sentence, complete with punctuation)

So to sum it up, here is what I was able to gather from your posting:

1. I should hide an Iron Key in my rectum and hope no one finds it.

2. The government can make an image of my laptop and rip the encryption apart with their supercomputers, even though they themselves recommend AES-256 encryption for their TOP SECRET data.

3. The government scans every single packet of data that crosses the Internet (and specifically looks for encrypted data), but it is a good idea for me to use an off the shelf product to encrypt my data and email it to my friend before my trip.

4. I should select a password that is easily crackable by only utilizing two of the four common complexity requirements (lower case letters, upper case letters, numbers, and symbols).

Mike: While TruCrypt is a useful program to avoid thieves and civilian snoops from accessing sensitive information, the problem with trying to pull the wool over the eyes of US Customs is that they are way smarter, in aggregate, than your average computer user.

While a TruCrypt false-flag OS may satisfy them if they have no reason to be suspicious of you, if they DO have reason to be, or become suspicious of you they will simply seize your computer and subject it to high-level, government-grade forensic analysis and it is probably not wise to depend on any over-the-counter system to secure files against such an attack because they will clone your drive in its entirety, using hardware cloning devices that allow them to make unlimited identical copies of your disk drive, so if they burn one copy up trying to access it, they can always make another. Your actual hard drive is only referenced, like a Photoshop file, never actually diddled with.

They will keep your computer for as long as it takes them to be convinced that you're not hiding anything from them, which means forever if necessary.

Should they find evidence of a TruCrypt partition (and I'd be skeptical that they can't) it will simply guarantee seizure of your computer and an intense interest in you and your activities from other 3 letter agencies.

As Jack says, it's much better simply to sterilize your computer before you get to Customs. If you're just worried about non-specific government snooping, keep in mind that they already scan every incoming and outgoing packet on the Internet using Eschelon and other NSA-level monitoring programs, and they really don't care about your pictures of the Louvre or your e-mails to Aunt Tillie about your European trip.

What they DO care about are encrypted or apparently "nonsense" transmissions that might be concealing encrypted information. Customs particularly cares about anything that someone tries to hide from them, and if they smell a rat, you can cool your heels in a holding area for a good long time.

My plans include simply moving any sensitive material to an IronKey secure USB flash drive and literally putting it where the sun don't shine if I ever find a need to smuggle data that I don't want anybody to know about. But all this requires practice and confidence, because Customs officers are exceedingly well trained at profiling and detecting the signs of nervousness in people who are hiding something from them. And if you look nervous to them, they can even chain you to a toilet for as long as it takes for you to clear your bowels or subject you to an X-ray exam to make sure you haven't swallowed something to conceal it.

My purpose of evasion however has nothing to do with US Customs, it has to do with crossing borders in other parts of the world. As a journalist and photojournalist, I occasionally write or take photos of things that are unflattering to a particular country I may be visiting, or that in their socialist paranoia they may consider to be sensitive or secret information. So my concern is being able to transfer photos and text, and even sound files, to a device that will allow me to cross out of an unfriendly country without having incriminating or illegal photos or documents on my computer where they can be easily found. The IronKey device is quite secure, and has a feature that literally fries the chip and all the data if the password is entered incorrectly 10 times in a row, in order to frustrate brute-force attacks. I've also asked them to program in a "duress password" that, when entered, instantly fries the data. They are considering this feature, but it's not yet part of the offered features.

Used with a "charger," which is a case that can be inserted rectally that can contain anything from drugs to money to an encrypted USB drive, it can allow me to get critically important journalistic materials out of places where they routinely seize cameras and memory cards from journalists.

But learning to do this without betraying the fact that you have concealed something somewhere unpleasant is an acquired skill and not for the faint-hearted or the amateur, because unless it's a perfectly routine thing to do and you simply forget that it's there most of the time, you will inevitably look suspicious to border cops, and they are well aware of the places one can hide things, having dealt with innumerable drug smugglers who do the exact same thing every day.

Exactly the same sort of "guilty knowledge"occurs when you try to pass a computer that has hidden information on it. You might think you're not showing signs, but you are, and they are good at detecting such signs.

Therefore, unless you have extensive training in controlling these "tells", usually obtained at 3 letter agency training facilities, the chances that you will rat yourself out and spend rather a long and uncomfortable time being questioned by Customs (who don't have to respect your 5th Amendment rights and can put you on a plane back where you came from if they don't like your answers) about your activities and intentions.

As for the fake coins, I've seen those as well, and yes, they are interesting covers. A couple of points about such concealment devices. First, Customs is well aware of these devices, and they WILL be detected by X-ray. Notice sometime that when you put your pocket items into the bin at the airport, the bin goes through the x-ray machine. There's a reason for this; they know that weapons and other contraband can be concealed inside of commonplace items like cell phones, computers, and coins. If they see a bogus coin with a chip in it at customs, you're guaranteed an orifice inspection someplace cold with bad fluorescent lighting and humorless federal agents in attendence. Moreover, even a cursory inspection of such coins will reveal their nature. In the old days, when gold and silver coins were in circulation, merchants became adept at bouncing a coin off the hard surface of the counter and listening for the "ring" of a genuine silver or gold coin. That's where the phrase "It rings hollow," and "it rings false," comes from. Bounce one of these fake coins on a hard surface and you can tell immediately that it's not a real coin. Even the weight is wrong because it's been hollowed out.

The technique of detecting a slug is quite sophisticated in fact. Every coin-operated vending machine uses the same mechanical technique to determine if a coin is real: the coin rolls down an incline and hits a peg and bounces. The receptacle for the incoming coin is set at a precise distance from the peg, and since a slug or even a foreign coin in some cases will not bounce precisely correctly, fakes miss the receptacle and are rejected. The coin then enters a sophisticated weighing system that uses a carefully balanced trough that the coin rolls through to determine it's precise weight and reject slugs or foreign coins that do not weigh properly. As you can see, the technology for determining if a coin is genuine is well-known and quite sophisticated, which makes it difficult to pass counterfeits.

Now, the hollowed-out coins are legitimate currency before modification, but they won't pass the simplest of counterfeit detection tests because they no longer have all the proper characteristics of a real coin, specifically weight and density. So, they are easily detected by trained personnel using X-ray or through manual inspection.

The other problem is avoiding spending your chip-containing coin. A minor problem, but one that needs consideration nonetheless. One can get a half-dollar coin in this configuration and plausibly make the argument that it's your "lucky coin" that you use for flipping, but that only works until someone inspects it or steals it.

These coins are useful only for OBFUSCATING the existence of a data chip, not for concealing it from a concerted search, and they are also useful for DISPOSING of incriminating evidence innocuously by simply using it to pay a bill or tossing it in a wishing well or suchlike.

But, as pointed out before, if you're not an expert in covering up the fact that you are hiding something, they are useless for trying to smuggle something past a customs official.

The only plausible method I can think of for using such a coin is to conceal the chip in the coin and then somehow secrete the coin on a traveling companion from whom you can later retrieve the coin if it makes it through customs, which is more likely since the person actually carrying the contraband has no "guilty knowledge" and therefore is less likely to be closely inspected. But because all the dangers of x-ray or physical inspection of HIS pocket change remain, it would be highly unethical and immoral to subject HIM to possible arrest by planting incriminating evidence on him.

As Jack says, for those of us who are simply trying to maintain privacy, not smuggle nuclear secrets or terrorist operating plans into the country, sterilizing the computer before reaching Customs is the obvious and easiest thing to do.

One can recover things like passwords and email addresses and other personal information one does not want them to have in other ways, like by sending a file containing all the data to a trusted friend via e-mail before departing the foreign country for the US, and asking them to email it back to you once you've cleared customs. You can safely encrypt this file using an off the shelf program to protect it even from your friend's eyes, and the NSA will be unlikely to care, since all commercial encryption programs can be cracked by the NSA supercomputers anyway, and as soon as they see it's not terrorist attack plans or suchlike, the programs will most likely just discard the message.

When you construct this file, use obfuscation to destroy the ability of anyone who might intercept it from actually using it.

For example, never identify the actual bank that is connected with a numerical on-line banking ID and password, and obfuscate the password (which you have previously selected so as to be able to obfuscate it easily).

Let's say your Obama National Bank login ID is "330588" and your password is "68chevycamero" after the first car you ever owned. This is not a particularly robust password, but it's better than your birthday.

You'd obfuscate this this way:

330588carfave

You'd have to remember which bank this applies to, or if you have real memory problems, you simply have a text file on your computer that says "ONBcarfave"

This reminds you that the password and ID associated with "carfave," which is a link to the actual password of "68chevycamero," goes to the Obama National Bank.

If someone gains access to the obfuscated login and password on your computer (or even your smart cellphone, like my Blackberry), the data is utterly useless to them because they may recognize it as a login and password, but they have no idea what it goes to, and they cannot deduce the actual password without having intimate knowledge of your past, and if you're up against folks who are willing to go that far, best of luck to you.

Submitted Link #1: https://www.ironkey.com/...

... I will let Seth and Mark slug this one out (at least temporarily). IMHO, the best way to travel is with a clean netbook or laptop. Keep your secrets on a different machine and never take it with you. You'll sleep better on the nights when you are away from home.