Digital security specialists like me get some version of this question all the time: “I think my laptop may have been infected with malware. Can you check?”

We dread this sort of query because modern computer exploits are as complex, clever, and hard to reason about as modern computers — particularly if someone has the ability to physically access your device, as is routinely the case with laptops, especially when traveling. So while it’s definitely possible to detect certain types of tampering, it isn’t always trivial. And even in controlled environments, it’s impossible to give a laptop a clean bill of health with full confidence – it’s always possible that it was tampered with in a way you did not think to check.

The issue of tampering is particularly relevant for human rights workers, activists, journalists, and software developers, all of whom hold sensitive data sought by powerful potential attackers. People in these vocations are often keenly aware of the security of their laptops while traveling – after all, laptops store critical secrets like communication with sources, lists of contacts, password databases, and encryption keys used to vouch for source code you write, or to give you access to remote servers.

How safe is it to leave your laptop in your hotel room while you’re attending sessions at a conference? If you come back to find your laptop in a different position than where you thought you left it, can you still trust it? Did someone tamper with it, did a hotel housekeeper simply straighten up the items you left on your desk, or did you misremember where you left it?

These questions typically can’t be answered with total confidence because clever tampering can be so hard to detect. But I hoped I could get a sense of the risks with a carefully controlled experiment. For the last two years, I have carried a “honeypot” laptop with me every time I’ve traveled; this computer was intended to attract (and then detect) tampering. If any hackers, state-sponsored or otherwise, wanted to hack me by physically messing with my computer, I wanted to not only catch them in the act, but also gather technical evidence that I could use to learn how their attack worked and, hopefully, who the attacker was.

While traveling by air, I checked this laptop in my luggage to make it easily accessible to border agents, both domestic and foreign, to tamper with if they chose to. When staying in hotels, I left the laptop sitting on the desk in my room while I was away during the day, to make sure that any malicious housekeepers with permission to enter my room, or anyone else who broke into my room, was free to tamper with it if they chose to. I also put a bunch of hacker stickers all over it, hoping that this would make it a more enticing target.

Over the duration of this experiment, I traveled to Europe three times and domestically in the United States five times (including once to Puerto Rico). I found eight different notices from the Transportation Security Administration informing me that my baggage had been searched. I have no way of knowing how many times it had been searched by other authorities who weren’t kind enough to leave me a note.I never caught anyone tampering with this laptop. But the absence of any evidence of tampering — and my obsessive thoughts about the various ways an attacker could have evaded by detection — serve to underline how fraught the process of computer forensics can be. If someone who makes their living securing computers thinks they could have missed a computer infection, what hope is there for the average computer user?

At the end of my experiment, I thought through all of the things that could have gone wrong. Perhaps someone did tamper with my honeypot laptop, and my methodology for detecting this wasn’t thorough enough to notice. Or maybe potential attackers noticed that the laptop I carried with me and used at the conferences I was attending was different than the one I left in my room, and decided against tampering with it in case it was a trap.

But the most likely reason I didn’t catch any attackers is that no one tried to tamper with my laptop. Hacking a target’s laptop by physically tampering with it while they’re traveling probably happens only rarely because it’s so expensive – it may require travel, physical surveillance, breaking and entering, and the risk of getting caught or breaking the laptop is high. Compare this to cheap forms of hacking like email phishing: You can target thousands of people at once from the comfort of your office, and the risk of getting caught is much lower.

Still, I believe actively checking devices for tampering is worthwhile. You’ll never catch an attacker in the act if you never look for evidence of their attacks. And just looking for evidence, even if you don’t find any, increases costs for attackers: If they want to be sure you won’t notice, they’re going to have to get more creative. I believe it’s useful to explain the technology and the methodology I came up with to detect tampering and share what I learned from the experience. Doing so gives a taste of just how many ways there are to tamper with a laptop.

Evil Maid Attacks

If you don’t use full disk encryption on your laptop, anyone who gains physical access to it, even for just a few minutes, can access all of your data and even implant malware on your computer to spy on you in the future. It doesn’t matter how good your password is because without encryption, the attacker can simply unscrew the case on your laptop, remove your hard disk, and access it from another computer.

Disk encryption does a great job of protecting your data in case you lose your laptop or someone steals it from you. When this person tries accessing your data, they should be completely locked out, so long as the passphrase you use to unlock your laptop is strong enough that they can’t guess it.

But there is a sneaky class of attack, called “evil maid” attacks, that disk encryption alone cannot protect against. Evil maid attacks work like this: An attacker (such as a malicious hotel housekeeper, for example) gains temporary access to your encrypted laptop. Although they can’t decrypt your data, they can spend a few minutes tampering with your laptop and then leave it exactly where they found it. When you come back and type in your credentials, now you have been hacked.

Exactly how an evil maid attack would work against your laptop depends on many factors: the type of computer you use, what operating system you use, which disk encryption software you use, and the configuration of firmware used to boot your computer, firmware which I’ll call “BIOS,” although it can also go by acronyms like EFI and UEFI. Some computers have considerably better technology to prevent evil maid attacks than others – for example, attackers have to do more advanced tampering to hack a Windows laptop encrypted with BitLocker than they do to hack a Mac laptop encrypted with FileVault (as of now, anyway) or a Linux laptop encrypted with LUKS.

The honeypot laptop I used, with red boxes around the hard disk and the SPI flash chip that stores the BIOS firmware.

Photo: Micah Lee

Here are the main ways that an attacker could physically tamper with your laptop:An attacker could modify data on your hard disk. “Full disk encryption,” the term used to refer generically to systems like FileVault, really ought to be called “nearly full disk encryption” because, except in a few specific circumstances, there’s always a small part of a computer’s disk that isn’t encrypted.

When you power on your laptop, before your disk has been unlocked, your computer loads a program from this unencrypted part of your disk; it then runs the program, and the program asks you to enter your passphrase. The program converts your passphrase into an encryption key and tries to use it to unlock the disk. If you typed the correct passphrase, the disk unlocks, and the rest of the operating system (which is stored in the encrypted part of the disk) boots up. If you don’t know the right passphrase, there is no way to unlock the disk.

But since the program that asks for your passphrase isn’t encrypted, it’s possible for an attacker that physically has your laptop to replace it with a malicious version that looks exactly the same to the user, but that takes extra steps. For example, after you successfully unlock your disk, it might copy malware onto it that, after the computer finishes booting up, automatically runs in the background, spying on what you’re doing.

Computers that support “secure boot” or “verified boot,” such as Chromebooks and Windows laptops with BitLocker, aren’t vulnerable to this. The BIOS can detect if the unencrypted part of your disk has been tampered with, and if it has, it will refuse to boot. MacBooks and laptops that run Linux could potentially be attacked in this way.

An attacker could replace your BIOS firmware with malicious firmware. When you power on your computer, the very first program that your computer runs is your BIOS firmware. The job of this program is to initialize all of your hardware – your memory, disks, Wi-Fi adapter, video card, USB ports, and everything else – and then ultimately boot an operating system, typically the one stored on your hard disk.

When you format your disk and install a new operating system on your computer, your BIOS firmware doesn’t change. This is because this program isn’t stored on your hard disk at all. Instead, it’s stored in a small chip on your computer’s motherboard called an SPI flash chip.

This is why BIOS malware is so stealthy – you can’t get rid of it by formatting your hard disk, and it can spy on you across operating systems, such as if you boot to a Tails USB stick.

SPI flash chips have eight pins, including one for providing the chip with power, one for reading data, and one for writing data to the chip. This means that it’s possible for an attacker to power off your laptop, open up the case, and attach their own wires to the SPI flash chip pins in order to power it on, and then read and write data to it (the chip itself has no way of telling the difference between this, or just being part of the normal computer). Using this technique, an attacker with physical access to your laptop can replace your BIOS firmware with whatever malware they want.

The Italian spyware firm Hacking Team was caught selling such BIOS malware to its customers (the company’s clients include foreign governments with troubling human rights records). This specific firmware made sure that Windows was always infected with malware. If you’re a target of a Hacking Team customer, even formatting your disk and re-installing Windows would not remove the malware. As soon as you reboot, the malicious BIOS firmware would re-infect the freshly installed Windows with the same malware again.

An attacker could do other things to your hardware. Tampering with unencrypted data on your hard disk, or replacing your BIOS firmware with malware, are the most straightforward types of evil maid attacks, but the list of other potential attacks is only limited by the attacker’s creativity and budget.

Here are a few examples:

• An attacker could potentially figure out a way of spying on your computer use by replacing firmware on other components of your computer besides your BIOS, like your processor, video card, network card, or hard disk.
• An attacker could install a hardware keylogger (they would plug your internal keyboard into the keylogger, then plug the keylogger into the motherboard) with the intention of stealing your laptop later, but with a record of your disk passphrase and your other keystrokes.
• An attacker could completely replace your laptop with a different laptop of the same model – they could even put your real laptop case with all your stickers and scratches on the fake laptop, so that it looks exactly the same. When you type your passphrase into this one though, it could send that passphrase over the internet to the attacker, who could then use it to unlock your real disk.

When I decided to start this honeypot laptop project, I realized early on that I couldn’t possibly detect every form of tampering. Because tampering with the data on the hard disk or the BIOS firmware are the simplest and cheapest types of evil maid attacks to conduct, and because attackers have limited resources and prefer low-hanging fruit when it’s available, I decided to limit my detection to these two components. But who knows? It’s possible that my honeypot laptop has a malicious component in it that I never checked for.

Methodology

In February 2016, shortly before I was planning to fly to Spain for the Internet Freedom Festival, I bought a Lenovo IdeaPad S210 Touch for about $700 to use as my honeypot laptop.

Here was the plan. Before each trip, I would:

• Update all of the software on my honeypot laptop. (I wanted potential attackers to see that I’m using up-to-date bootloader software stored on the small unencrypted part of my disk, to believe that I actively use this computer.)
• Power off the laptop, and don’t power it on again until the trip was over. (Just by powering on the computer, I risk slightly modifying data in my BIOS and hard disk.)
• Remove the hard disk from the laptop, attach it to an external USB enclosure, and plug it into another computer, taking care not to modify any data on it. From there, I could make a record of the state of the disk.
• Attach a BeagleBone Black, or BBB, a tiny $50 computer that’s great for hardware hacking, to the SPI flash chip on the motherboard and use it to dump the BIOS firmware, saving an exact copy of the data stored on the chip.
• Re-assemble the computer.

Then, during the trip, I would:

• Put the honeypot laptop in my checked luggage.
• Leave the honeypot laptop unattended in my hotel room.

Once I returned home from a trip, I would:

• Remove the hard disk from the laptop, plug it into another computer, and record the state of the disk again. If even a single bit of data on the disk has changed, I could detect it.
• Attach the BBB to the SPI flash chip and dump the BIOS firmware again. I could then compare the firmware image I took from before my trip with the image I took after it, to detect if it was tampered with.

Along the way, I planned to document everything: I’d take photos of my laptop in my luggage, in hotels, and of the cards that TSA leaves informing me that they searched my luggage; I’d keep a log of the state of my hard disk and BIOS before and after each trip; and I’d keep a journal that includes all technical hurdles I ran into.

This is mostly how it went down, but I did run into a few snags. Bear with me, in the following sections I venture much deeper into the technical weeds than I already have.

Checking the Hard Disk for Tampering

Before I proceed, there a few concepts I need to explain.

• Computer drives, whether disk- or flash- based, are organized into separate “partitions.” For example, if you install Linux with disk encryption, your drive will likely have two partitions: a small (often less than 1 gigabyte) unencrypted partition called “/boot” – this is where the program that asks for your encryption passphrase is stored, and where evil maids might put their malware – and the rest of the disk will contain a large encrypted partition. After you unlock the encrypted partition with the right passphrase, it will likely contain two other partitions inside, a “/” or “root” partition that holds the rest of the files on the computer, and a “swap” partition that’s only used when the computer is running low on memory. (I refer to both flash- and disk- based storage drives as “disks” and “hard disks.”)
• There is a small amount of disk space at the beginning of every hard disk (which I call the disk header) that’s reserved for a bootloader program. When you power on a computer and boot from your hard disk, you run this program. In Linux, this program simply starts running another program called “grub” that’s stored in your unencrypted “/boot” partition. Grub is responsible for actually booting your operating system. In order to detect evil maid attacks, it’s important to make sure the disk header was not tampered with.
• In cryptography, a “hash function” is a one-way function that takes an input of any size and outputs a fixed-size result called a “hash” or “checksum.” For example, with SHA256, the hash function I use in this project, whether your input is 5 bytes long (the size of the word “hello”) or 512 gigabytes long (the size of a hard disk), the output will always be 32 bytes long. The same input will always lead to the same output, but if you change the input in any way, even if only a single byte is different, the content of the output will be entirely different (although the length will be the same). You can use checksums to detect tampering.

When I started this project, I decided to dual-boot Windows 10 and Debian, a popular Linux distribution, on my honeypot laptop – that is, I installed both operating systems in different partitions on the same disk, and when I powered on the computer, I got to choose which to boot to. But due to various time-consuming and annoying issues related to Windows updates, I eventually chose to abandon Windows altogether and just run Debian on my honeypot laptop, which made my job of detecting hard disk tampering simpler.

Before each trip, I removed the disk from the honeypot laptop, plugged it into a USB enclosure, and then plugged the USB disk enclosure into a different computer. The first snag I ran into was that when I plugged in the USB disk, my computer automatically tried to mount the partitions. This isn’t good – just by mounting the partitions, I risked modifying the data. So I changed the settings on my computer (which was running Linux) to disable automatically mounting external drives by following these instructions.

Once the USB disk enclosure was attached to a computer other than the honeypot, I could generate checksums of all of the disk’s partitions, as well as the disk header, using a tool called sha256sum. In order to take a checksum of just the disk header, I used a tool called dd to copy the disk header into a file, and then used sha256sum to take a checksum of that file.When I returned home from my trip, I repeated the same process to generate a new set of checksums. Finally, I compared the checksums from before my trip with the checksums from after my trip. If the checksums were not the same, then the data on the disk must have changed – this would be evidence of tampering. If I discovered this, I could then start looking into exactly what data had changed to discover how the tampering worked.

For example, in March 2017, before flying to Amsterdam to attend a Tor Project meeting with developers, volunteers, and advocates for the open-source anonymity network, these were the checksums I generated:

4040239f4f0a2090c3ca15216b6e42522c4c3cd291f2c78f3c9e815f25be8295 disk_header
ed6e8a3438e55d2aeae4ae691823c4005f7b5df0b62d856bd72d54fa00d886bb /dev/xvdi1
db3d92ed1cfa8621e5673da32100d9117a3835c06a613cf9ac0f2f90de404d17 extended_header
cbeb585b6fa39a8425f57fa095ac17353a583bccd93532d65d9274da628a4c72 luks_header

Ten days later, after I had returned from my trip, I generated another set of checksums. They all turned out to be exactly the same, which allowed me to confirm that the data on my hard disk had not changed at all.

Checking the BIOS for Tampering

When I started this project, I intended to dump BIOS firmware images externally using a BeagleBone Black (explained previously) and a software tool called flashrom, which is used for reading and writing data that’s stored on physical chips on circuit boards, roughly following the instructions outlined here. But I quickly hit a snag, one that I didn’t have the tools or knowledge of electronics to easily resolve.

The SPI flash chip that holds my honeypot laptop’s BIOS firmware has a pin for power and another pin for ground. With the laptop powered off, I connected the power and ground pins to my BBB, and then powered on the BBB.

I had hoped that the BBB would provide power to the SPI flash chip, allowing me to read and write directly to that chip. But instead the BBB immediately powered off. It turns out that, the way this specific laptop was wired, the power for the SPI chip was not isolated from the rest of the system. In order to provide power to that chip, I also needed to provide power to rest of the components of the motherboard, and that takes more watts than my BBB was able to handle. This was annoying because one of the reasons I chose a Lenovo computer as my honeypot laptop is because I have had success doing this exact process on other Lenovo computers in the past, dumping the BIOS firmware by connecting a BBB to the SPI flash chip.

So I decided to change strategies. Instead of dumping the BIOS firmware by connecting wires directly from the SPI flash chip, I would instead use a piece of software called chipsec, running on the honeypot laptop itself, to dump the firmware. However, this strategy has a few downsides compared to directly connecting to the chip:

• In order to run chipsec, I needed to first power on the honeypot laptop and boot to an operating system. It turns out that this process, booting up the computer, slightly modifies the data stored in the BIOS firmware, which makes it more difficult to check for tampering.
• It’s impossible to get a complete BIOS dump from within an operating system, but you can get most of it.
• When I dump BIOS firmware using chipsec, it may be possible for sophisticated BIOS malware to lie to chipsec, which could be used to prevent detection. (I have never heard of BIOS malware that actually does this, though.)

In order to use chipsec, I set up a USB stick with the operating system Ubuntu (another popular Linux distribution). With the hard disk removed from the honeypot laptop, I plugged in my Ubuntu USB stick, powered on the laptop, and booted to Ubuntu. I put a copy of chipsec on an SD memory card, which I also plugged into the laptop. From there, I was able to run a specific chipsec command to dump the BIOS firmware and save it to the SD card, which I could then inspect on my other computer.

Here is the VirusTotal report from the first BIOS firmware image that I dumped using chipsec from my honeypot laptop.Once I successfully managed to dump the BIOS firmware, I came up with this plan:

• Before each trip, I would remove the hard disk from the laptop, boot to the Ubuntu USB stick, and dump the BIOS firmware, making sure to save a copy of it on my other computer.
• After I return from the trip, I would repeat the process, dumping a fresh BIOS firmware image.
• Then I would generate checksums of the BIOS firmware images from before and after my trip. If the checksums were exactly the same, I could confirm that my BIOS was not tampered with.

Of course, it wasn’t this simple. It turns out, every time I booted my honeypot laptop to an Ubuntu live USB stick and dumped the BIOS firmware, that firmware image had a different checksum than the previous one. In order to investigate what was going on, I used a program called UEFITool. This is a graphical program that lets you load BIOS images, view and edit what data is stored inside, and extract data into separate files.

For this specific laptop, each BIOS firmware image is exactly 4 megabytes. Some of that space is used to store the actual programs that make up the BIOS (an evil maid attacker would replace these programs with malicious versions), and some of it is used to store other data, such as saved BIOS settings.Looking at two BIOS firmware images that had different checksums, I was able to use UEFITool to extract the same components from both, and then generate new checksums for those individual components to see if they matched. I discovered that there was only one small part of the firmware images that differed, and that part did not include any programs. It turns out, each time I powered on the honeypot laptop and opened the boot menu to tell it to boot from my Ubuntu USB stick, it saved information related to booting to a USB stick in that section of the firmware, and this information was slightly different each time, which caused the firmware images to always have different checksums.

So I amended my plan for detecting tampering in the BIOS firmware. To compare firmware images from before and after my trip, I would have to open each image in UEFITool, extract all of the components except for the one that I knew changed, generate checksums for those components, and then compare those checksums to make sure they matched.

What I Learned

Traveling with a honeypot laptop was a lot of work. It required spending a few hours both before and after each trip if I hoped to actually catch an evil maid attacker in the act. So after two years without catching anyone, I have decided to retire the project.

A tool exists today, that didn’t exist when I started the project, that makes it possible to catch evil maid attackers in the act in a different way. Haven is an Android app, designed to run on a spare phone that you leave in your hotel room while you’re away, perhaps sitting on top of your laptop. It uses all of its sensors – microphone, motion detector, light detector, and cameras – to monitor the room for changes, logs everything it notices, and can send Signal notifications to the phone you carry with you when it detects a change. Haven isn’t perfect – there are plenty of false positives – but it gets better all the time and is still likely to catch anyone attempting to tamper with the laptop that’s sitting under the phone Haven is running on.

I was able to do this entire project with 100% free and open source software, thanks to projects like Debian and Ubuntu and tools like dd, sha256sum, flashrom, chipsec, and UEFITool. Other than the honeypot laptop itself, you can buy all of the hardware tools I used, like screwdrivers, a USB enclosure, and a BeagleBone Black, for less than $100.

Top photo: Honeypot laptop in the luggage.

Private Facebook posts show a Democrat recruited by the national party to challenge the local party’s preferred choice in a congressional primary proudly engaged in “pro-life advocacy,” including participation in the March for Life, as recently as 2016. Despite that, she earned a 2017 endorsement in her previous race from the pro-choice group EMILY’s List.

Juanita Perez Williams, a 2017 Syracuse mayoral candidate and former prosecutor running in New York’s 24th Congressional District, initially declined to make a bid for Congress after being recruited by the Democratic Congressional Campaign Committee but changed her mind earlier this month. She is competing in the primary against the pro-choice Dana Balter, who is supported by a coalition of local, grassroots groups.

Perez Williams’s Facebook posts leave little room for doubt about her position on the issue. “My heart has also been changed for life from the many women I know, both young and old like me, who have suffered greatly from abortion,” she wrote in a post dated two years ago. “It is a choice that leaves many with years of suffering.  It is a choice that leaves one with depression, and sadness, and often hurts relationships. I mention this because there is nothing in my pro life advocacy that even suggests judging or condemnation. I hate that crap! Women suffer with pregnancy and often feel hopeless. This I know! Be good!”

EMILY’s List, which was founded to elect pro-choice women to Congress, endorsed Perez Williams in her mayoral bid last year. She won the nomination but lost the election in a landslide to an independent candidate.

“We are taking a close look at this race,” an EMILY’s List spokesperson told The Intercept, referring to the congressional race. “Although we do not discuss our internal endorsement process, we do reexamine every candidate with fresh eyes when she pursues a new office and evaluate every race on a case-by-case basis.”

As part of that process, last weekend, Perez Williams was in Washington, D.C., for EMILY’s List’s annual gala.

Asked about her Facebook posts on the issue of abortion rights, which were surfaced by activists in the district, Perez Williams did not dispute their authenticity. She told The Intercept in a statement that while she may personally be opposed to abortion, she supports the legal right for others.

I believe 100% in women’s right to choose and will always defend and protect that right. I further believe that women should have access, funding, and education with regard to their reproductive health and therefore I will advocate for and defend organizations like Planned Parenthood. Like many women, my personal beliefs on the issue of choice have been shaped by my life experiences, both as a Hispanic and a Catholic and as a mother and a grandmother. My own personal opinions are far more nuanced then some people would like you to believe.  I will always vote to support the choice of all women.

Conor Lamb, who recently won a special election in a conservative district in Pennsylvania, took a similar approach — private moral opposition matched with public support for the legal right. But in some of Perez Williams’s posts, the policy and the morality blend together.

She has been a supporter of the movement to ban legal abortion, proudly marching in the streets, she wrote in a January 2016 post reacting to a story about Hillary Clinton meeting with Mother Teresa. “I love this. I am a Dem who supports all life. From beginning to end. To some it is strange but it makes all the sense to me. My parents taught me at a very young age that as Dems we, as members, care about all those who can’t defend themselves. So yesterday I proudly marched for life. Perhaps Secretary Clinton doesn’t see exactly eye to eye with me on this issue but she will come around. For that she has my support.”

The post is dated January 23, 2016. That year’s national March for Life in Washington was on January 22. (Perez Williams did not respond specifically to questions about her professed participation in the March for Life.)

Later that year, when Clinton selected Sen. Tim Kaine, a Virginia Democrat who personally opposes abortion, as her running mate, Perez Williams celebrated. “Wow our girl picked a Dem pro lifer. Now you’re talking…”

In another post, this one dated August 2016, she shared an article from LifeSiteNews, a conservative, anti-choice website, on the Irish High Court ruling “unborn” children are clearly children with significant rights, adding, “I love the Irish!”

Balter, a Syracuse University professor who has the backing of local activists and Democratic clubs, said women’s rights are “non-negotiable” and that the posts were “disturbing.”

I believe we need a Democrat in this race who stands firmly for Democratic values. One of those values is that women’s rights are non-negotiable. That holds whether we are talking about the right to equal pay for equal work; the right to be free from harassment and abuse; or the right to access reproductive healthcare. Women’s rights are non-negotiable.

I find Juanita’s statements disturbing. How can we consider electing a Democrat who describes herself as a pro-life advocate?  Especially at a time when women’s access to abortion is under attack across the country. I am absolutely pro-choice and believe that abortion is a personal decision between a woman, her family, her faith, and her doctor.

The question of abortion rights as a litmus test for Democrats roiled the party in early 2017 when Bernie Sanders and Democratic National Committee Chair Tom Perez campaigned on behalf of Omaha mayoral candidate Heath Mello. It sparked a debate within the party over whether anti-choice candidates in conservative areas deserve national party support. But in Syracuse, there is no burning demand for a March-for-Life-style candidate. Instead, DCCC support for Perez Williams likely comes without knowledge of her professed “pro-life advocacy.” (A DCCC spokesperson didn’t respond to requests for comment.)

While it could be chalked up to a simple mistake, it is also a predictable result of a top-down approach to choosing candidates.

It’s a flaw in the strategy identified by former New York congressional candidate and professor Zephyr Teachout in a previous interview with The Intercept about the DCCC’s approach to campaigning. “Structurally, they’re going to be idiots because there’s no way they can bring in the talent to do it right,” she said. “Their strategy is stupid in the first place and bad for democracy, but then it’s really stupid because they have 26-year-olds sitting around who don’t know anything about the real world deciding which candidates should win.”

The way the news broke also shows the difficulty of foisting a candidate from Washington onto a community that has already rallied around a different woman. Successful insurgencies rely on support from the local community, and in this case it was local activists, not high-priced opposition researchers, who surfaced evidence of Perez Williams’s anti-abortion-rights advocacy. Two of the posts were tweeted by a local activist and flagged for The Intercept, while two other activists sent two additional posts. The national party may have had no idea about the candidate’s anti-choice views, but the Onondaga County Democrats who had debated with her in Facebook threads certainly did.

The DCCC helped push Perez Williams into the race in a last-minute move that incensed local officials and progressive groups, as The Intercept previously reported. Local Democrats had already rallied behind Balter, who leads a local Indivisible chapter. In a January interview with syracuse.com, Perez Williams said that she would sit out the race and support the designated nominee. But just days after donating to Balter, Perez Williams backpedaled and decided to challenge her in the primary, citing Balter’s poor fundraising.

With the help of the DCCC, Perez Williams paid canvassers to collect enough signatures for what appeared to be a spot on the ballot. But opponents on Monday filed objections with the state Board of Elections in Albany, claiming that more than 2,400 of her signatures are invalid. A final hearing to determine whether she can remain on the ballot will come in early May, with the primary on June 26.

Top photo: Juanita Perez Williams.

The summit on Friday between South Korean President Moon Jae-in and North Korea’s leader Kim Jong Un was about far, far more than North Korea’s nuclear weapons program. The “Panmunjom Declaration” they released at the meeting’s conclusion has 21 paragraphs; just one of them addresses the nuclear issue.

Most importantly, Moon and Kim affirmed their intention to finally end the Korean War – which began in 1950 and, formally speaking, was only suspended by an armistice in 1953 — and “establish a permanent and solid peace regime on the Korean Peninsula.” Their statement laid out steps they plan to take to heal the scars inflicted by Korea’s bitterly tragic history. All of this will be done based on “the principle of determining the destiny of the Korean nation on their own accord” – something that would manage to simultaneously perturb the United States, Japan, and China, each of which has brutalized the Koreas for their own ends.

Seen from the U.S., however, the nuclear issue is the only thing that matters. And according to the declaration, “South and North Korea confirmed the common goal of realizing, through complete denuclearization, a nuclear-free Korean Peninsula.”

So with a historic summit between Kim and U.S. President Donald Trump imminent, the question now is what “denuclearization” means, most importantly to Trump himself.

At one end of the spectrum is Trump’s national security adviser John Bolton, who before his appointment said the only thing for the U.S. to discuss with Kim was “what ports should American freighters sail into and what air bases should American cargo planes land at so that we can dismantle your nuclear weapons program, put it in those planes and boats and sail it back to America to put it at Oak Ridge, Tennessee.”

That is a clear, commonsense definition of denuclearization. It also would be a catastrophic stance for Trump to take, given that there’s absolutely no chance that North Korea would agree to it. That is part of its appeal to Bolton, who is itching for the U.S. to start a gigantic war with North Korea.

The good news is the Trump administration as a whole has not ruled out a definition of “denuclearization” that would be achievable and defuse tensions between the U.S. and North Korea.

On April 23, White House Press Secretary Sarah Huckabee Sanders told reporters that the word means “that North Korea doesn’t have or isn’t testing nuclear missiles,” something which is a fairly practical goal in the near-term.

When Sanders was pressed by reporters later the same day to endorse something like the Bolton perspective, she refused to do so, and left Trump maximum wiggle room for the summit. “Certainly the goal is denuclearization of the peninsula,” she said. “I’d refer you back to also South Korean President Moon, who has said that North Korea has expressed a will for complete denuclearization. And certainly that’s the focus of any conversation and negotiation that the United States will have with North Korea.”

Secretary of State Mike Pompeo — who secretly met with Kim Jong Un — also offered some nuance during his recent confirmation hearings. Colorado’s Republican Sen. Cory Gardener tried to pin Pompeo down, asking him: “To be clear, again, the only goal the United States has as it relates to North Korea is the complete, verifiable, irreversible, denuclearization of North Korea?”

“I want to be careful about complete,” Pompeo replied. “North Korea also has a significant military arsenal. One of the largest armies in the world. We need to insure we continue to provide a strategic defense framework for our allies in the region, the South Koreans, and others as well. But the purpose of the meeting is to address the nuclear threat to the United States.”

All this verbiage suggests the possibility – always subject to change at any moment with Trump – that the U.S.-North Korea summit could end with Trump stepping back from the brink, by accepting a deal that doesn’t fulfill the wishes of hard-liners, while simultaneously claiming victory. This is because a continuing freeze on North Korea’s nuclear and ICBM testing would be a genuine concession by Kim. While Kim recently claimed that this cessation was meaningless because North Korea is already certain it can successfully hit the U.S. with nuclear missiles, experts, like Ploughshare Funds President Joe Cirincione, disagree.

In an interview with The Intercept, Cirincione summarized Kim’s position as: “’These are acts of strength, I’ve finished the program, I can close the test sites now, I can stop testing, everything’s fine, we have our nuclear deterrent.’”

But is that true? “Probably not,” Cirincione says. “At least not by the standards of most nuclear armed states. No nuclear armed state has willingly stopped their test program with so few tests. All nuclear scientists want more tests.”

Cirincione believes the North Koreans, with their nuclear program as it currently stands, have around a 50-50 chance of being able to successfully utilize a long-range missile to hit the United States. In order to improve the odds, they would need more tests.

Kelsey Davenport, director of Nonproliferation Policy at the Arms Control Association, agreed. “The accuracy and reliability of those systems is low because North Korea has conducted so few tests,” Davenport told The Intercept. “So a moratorium on nuclear tests, intercontinental ballistic missile tests, could certainly prevent North Korea from qualitatively advancing its program.” Davenport notes as a caveat that North Korea has cheated on international agreements before and that the Trump administration should look for a way to “lock in” those commitments during upcoming negotiations. (The U.S. has also cheated on its end of the bargain in previous agreements with North Korea.)

This is far from what most people would understand as “denuclearization.” But it would be an extremely positive first step, and it could lay the groundwork for future progress toward real peace.

Both Cirincione and Davenport argue it is possible that with a reduction in hostility from the U.S., North Korea could begin a process that, in the long term, ends with them actually giving up nuclear weapons. (The only country that has built nuclear weapons domestically and then renounced them is South Africa. Ukraine, Belarus, and Kazakhstan had Russian warheads on their territory but surrendered them to Russia after the Soviet Union’s collapse.)

“If Trump thinks that he’s going to come back to the summit with Kim Jong Un’s nuclear weapons in the cargo hold of Air Force One, he’s delusional,” Cirincione said. “If he goes in prepared to have this be a breakthrough meeting that yields important concessions from Kim and is the start of a multi-year process toward denuclearization, then he might be able to pull off a stunningly successful summit.”

The experts also cautioned that the United States has to be willing to truly compromise with North Koreans as well. “Trump also needs to be realistic about the concept that this is a negotiation and North Korea’s going to want something from the United States in return,” Davenport said. She cited U.S. nuclear-capable airplanes taking part in military drills and the presence of nuclear-capable submarines as two areas in which Kim’s government wants to see real changes.

When asked what they think the chances are that the Trump administration might pull this off, both experts landed at the same number. “I’d put the odds right now at 50-50. I think there’s actually a 50 percent chance this unorthodox diplomacy could work,” Cirincione said.

“At this point, it is highly likely that the summit will take place, but the chances that Trump will be able to obtain a reasonable commitment from the North Koreans to take steps to freeze their nuclear missile program is 50/50,” Davenport concluded.

Cirincione in particular put much of his hopes in South Korea’s progressive new leader. “People have been grossly underestimating the role of South Korean President Moon Jae-in. He’s the one who has pushed this agenda and gotten us as close as we are,” he said, also alluding to his strategic use of flattery to persuade America’s leadership. “The South Koreans are handling this very well and all the while by the way deflecting praise to Donald Trump.”

Indeed, earlier this year, Moon singled out Trump for praise on the issue, saying “[He] made a huge contribution to make inter-Korean talks happen, [and] I’d like to express my gratitude.”

P.J. Crowley, former assistant secretary for public affairs and spokesperson for the State Department under the Obama administration, also stresses that U.S. negotiators must be pragmatic.

“It is unrealistic for us to expect North Korea to capitulate in one meeting. They have spent a lot of money to produce whatever weapons and missiles they have. So the president has to decide if they’re serious and if a lengthy negotiation will bear fruit,” he told The Intercept.

Top photo: North Korean leader Kim Jong Un, left, listens to South Korean President Moon Jae-in while walking together at the Panmunjom in the Demilitarized Zone on April 27, 2018.

The Trump era has been breathing new life into often dormant local politics — and the president’s crackdown on immigrants, in particular, has made resistance to federal immigration enforcement a central issue in some municipal elections.

As the increasingly aggressive tactics of U.S. Immigration and Customs Enforcement have come under scrutiny, the question of whether local police should help ICE deport people has taken on new importance in local races. In Mecklenburg County, North Carolina, where residents are heading to the polls next month to choose a sheriff, the question has made the previously obscure 287(g) program a central issue in the campaigns of the incumbent sheriff, who embraced it, and his two challengers, who want to end it.

Section 287(g) of the Immigration and Nationality Act allows local law enforcement agencies to form voluntary partnerships with the federal government to enforce immigration law. Agencies that sign up receive delegate authority to ask people booked into local custody about their immigration status and to hold undocumented individuals for ICE. But 287(g) has been mired in controversy ever since it started in 1996 — in some places, leading to sweeping racial profiling and, in many others, putting a huge drain on local law enforcement resources and damaging police relationships with the communities they serve.

An array of community groups in Mecklenburg County, which includes Charlotte, have come together to make sure this election marks the end of the controversial policy. “The current sheriff has said that he believes the program is helping the community, keeping it safe, and he’s not willing to end it,” said Oliver Merino, an organizer with Comunidad Colectiva, one of the groups fighting the county’s participation in 287(g). “We feel like the best way to get rid of the program is to get a new sheriff, somebody that understands that the program is not working.”

Since 2006, when Charlotte signed on to the program, more than 15,000 people have been detained by the sheriff’s department and processed for deportation — many of them over minor infractions and traffic violations, like driving without a license, which undocumented people can’t legally obtain in North Carolina. In fiscal year 2017, there were more than 1,300 “encounters” through the county’s 287(g) program, leading to 288 deportations, according to an ICE spokesperson. In March, 45 groups signed a letter calling on incumbent Sheriff Irwin Carmichael to terminate the county’s participation in the program.

“While your office continues to highlight a handful of cases of individuals with serious crimes, the fact is that a great majority of deportations under the 287(g) program are due to minor offenses,” the letter states, listing the stories of local residents seized and deported as a result of the program. “The sheriff’s office is deporting fathers, mothers, sons, and daughters, disrupting and separating families in the process.”

Carmichael told The Intercept that there was misinformation “being put out there about the program,” and released a video discussing 287(g). “A lot of folks always say that we are ripping families apart. Again, I always tell everyone, you will never ever encounter this program unless you’re arrested and charged with a crime and brought to our jail,” Carmichael told Fox News in March. “We use this as a tool to identify exactly who we have. … Maybe they’re from a foreign country and maybe they committed murder in a foreign country.”

Challenger Garry McFadden told The Intercept that if elected sheriff, he will discontinue the agreement. “287(g) often hindered and complicated my investigations,” the former homicide detective said. “Both the witnesses and victims did not want to come forward to cooperate with the investigation. 287(g) does not create a trusted working relationship between law enforcement and many of the community.” Antoine Ensley, who ran for sheriff twice before, with opposition to the program as a central component of his platform, told The Intercept that he has long argued 287(g) needs to be “dismantled.” “I still believe it to be very bad for Mecklenburg County,” he said. “I believe a significant amount of the public now recognize how divisive and unnecessary this policy is to the business of public safety.”

The Democratic primary is on May 8 — but with no Republican challenger, the winner of the primary will be the new sheriff. Early voting is currently underway.

Charlotte is one of the country’s most segregated cities, and one of its most diverse, with fast-growing Latino and Asian populations. Nearly one in six city residents was born abroad. While North Carolina is a major destination for new immigrants, Charlotte is also home to large communities of Southeast Asian immigrants who moved to the U.S. following wars in the region in the 1970s and 1980s. At the time, many were resettled in poor neighborhoods without much support, and some were caught up in the criminal justice system, which, decades later, can put their legal immigration status at risk.

“Now, 20, 30 years later, these folks are being pulled out of their families to be sent to countries that they sometimes never lived in,” Cat Bao Le, executive director of the Southeast Asian Coalition in Charlotte, told The Intercept. “It’s a different path, but if you look at the roots, it’s the same as what other communities are facing. It’s over-policing in our neighborhoods that created this.”

“It’s up to us to move beyond the thinking that this is just an issue for this community or that community,” she added, noting that the fight over 287(g) brought a range of Charlotte groups together, some for the first time. “We have a critical mass, if we identify what can bring us together.”

Charlotte is also home to a large black population that is all too familiar with failed police policies, and the city is in the midst of a political reawakening following the 2016 police killing of Keith Lamont Scott and the large protests that ensued. Those street protests have turned into civic engagement and increased scrutiny of local law enforcement. Advocates calling for an end to 287(g) also criticized Carmichael’s practice of placing teenagers in solitary confinement, and his decision to replace in-person jail visits with video visitation.

“We are a very different city,” said Braxton Winston, a protester-turned-Charlotte City Council member, following what people there call the Charlotte uprising. “In terms of who is literally at the table — I’m a prime example of that, but there are so many others whose voices would not have been there at certain points in time.”

Today, Winston is one of those leading the charge against the county’s participation in 287(g). “It’s a really bad policy,” he told The Intercept. “When you look at the intent and the cost, not in terms of dollars but harm done to the community, I think it’s pretty clear.” In a city struggling to improve police-community relations, he added, “the relationship is the main part of it. You have to be able to form some kind of trust.”

“I think a lot of people do believe that we need comprehensive immigration reform — but this is one of these polices that the federal government have put out there to get a result in place of that reform.”

Charlotte’s debate over 287(g) is hardly isolated — depending on local officials’ embrace or rejection of President Donald Trump’s immigration policies, cities and counties across the country have been both eagerly signing up for and fighting to leave the program.

Shortly after his inauguration, Trump signed an executive order instructing the Department of Homeland Security to pursue new 287(g) agreements, and last July, acting ICE Director Thomas Homan pledged to “triple” the number of agreements by the end of the year. Of the 76 agreements currently in place, 47 were signed after Trump took office, including six that had been approved previously. In fiscal year 2017, nearly 26,000 people nationwide were processed as part of the program, according to ICE, with nearly 6,000 ultimately deported.

But some agreements have been terminated — at least 35 over the last 10 years, according to a review of the program by the Center for American Progress. Some agreements were called off by ICE itself — as was the case in Maricopa County, Arizona, where a Justice Department investigation found that the local sheriff’s department, under then-Sheriff Joe Arpaio, engaged in systemic and unconstitutional racial profiling of Latinos. ICE also called off its partnership with Alamance County in North Carolina after the Justice Department found similar patterns there.

Trump’s election, and the all-out attack on immigrants unleashed by his administration, also prompted others to reconsider their ties. At least three agreements have been terminated since Trump took office. In February 2017, the sheriff of Harris County, Texas, ended his department’s agreement with ICE, citing the program’s impact on the department’s resources. In March 2018, New Jersey’s Hudson County withdrew from the program following pressure from the local community, and in California, the Orange County Sheriff’s Department called off its 287(g) agreement after the state passed legislation setting limits on local agencies’ collaboration with federal immigration enforcement.

An ICE spokesperson told The Intercept that 287(g) is an “invaluable tool that allows ICE to have a presence in local jails across the country.” “ICE continues to conduct outreach to educate local law enforcement agencies about the program and identify new potential partners,” the spokesperson added.

Following Hudson County’s withdrawal from the program, John Tsoukairis, field office director of ICE Enforcement and Removal Operations in Newark, said he regretted “the loss of such a strong public safety partnership.” “I find this decision troubling, as the security needs of citizens should be the priority, not sheltering criminal aliens,” Tsoukairis said in a statement.

“Particularly after the Trump administration came into power, there was a real sense from local communities that this was wrong, ICE is wrong, and that local communities, in order to feel safe, at the bare minimum need their local police to work and protect them rather than do ICE’s dirty work,” said Julie Mao, an attorney with the National Immigration Project of the National Lawyers Guild. “People are waking up and trying to end these collaborations. Unfortunately, we’re also seeing that in places that are anti-immigrant and want to follow Trump’s deportation agenda and go after people of color, they’re signing up very happily to the program.”

“You’re seeing places like Charlotte, where they’re going through a criminal justice — racial justice — reckoning, wanting to end police deputization as immigration agents,” she told The Intercept. “There are also places like southeast Georgia, and southern to northern Texas, that are wanting to join the program having never heard of it until the Trump administration.”

In some states, mostly in the south, local law enforcement “is a gigantic funnel for ICE’s and Trump’s deportation machine,” Mao added, pointing to a study that found that in the first four months of the Trump administration, immigration arrests were up 75 percent for the ICE Atlanta field office, which covers Georgia and the Carolinas. In those states, the number of immigrants arrested who had no criminal convictions increased by 500 percent, according to the study.

“Basically, people’s solution was not to leave their house. That was pretty much the only thing they could do,” said Mao, adding that a number of arrests were made during traffic stops. “Or just be very afraid and basically drive at the risk of being deported.”

Ending 287(g) alone won’t ease people’s fears, Charlotte advocates say, but it’s a more practical approach to the sometimes-vague notion of sanctuary some have called for elsewhere. “The term doesn’t really mean a lot. What does it mean?” said Merino, of Comunidad Colectiva.

“The question for our leaders is: Do they want to keep us safe? And do they want to build trust or not?” echoed Bao Le, of Charlotte’s Southeast Asian Coalition. “287(g) is just kind of a symbol for that question.”

Top photo: Protesters march during a rally in support of undocumented immigrants in Charlotte, N.C., on May 1, 2017.