
A dead man's switch for your computer? - mvip
http://blog.viktorpetersson.com/post/108852454049/a-dead-mans-switch-for-your-computer
======
ryan-c
Reminds me of Jacob Applebaum's udev rules for mouse jigglers:
[https://github.com/ioerror/udev_antiforensics](https://github.com/ioerror/udev_antiforensics)

~~~
sneak
This looks like useful software. His claim that it's now integrated into
systemd is not supported by the patch he links to, though. Based on the
systemd upstream patch, it looks like it just locks if a certain manufacturer
of forensics tools are connected. The github repo you've linked locks the
screen on _any_ USB HID attachment, which seems much safer.

------
kator
I built a program that automatically locks my OSX machine when I get far
enough away from it. It uses iBeacon ranging and I have the beacon in my
pocket. Debated on sharing with others but I never managed to clean it up
enough to be proud of sharing it.

~~~
icebraining
There's a program for Linux that does the same, but using your phone (or other
Bluetooth device) called blueproximity. It had a slight tendency for false
positives, though - sometimes it locked the screen even with the device less
than a meter away.

~~~
taltman1
I used blueproximity successfully with my Linux laptop. I bought the smallest
bluetooth headset I could find ($25), removed all extraneous parts, and
carried it on my person (not my bag). It was so small that I didn't notice it.
Effectively like two-factor authentication for unlocking my laptop.

It's unwise to use your phone for this purpose, because a phone and laptop
might both be swiped if you're not holding on to both. This has happened to
folks at cafes or on mass transit in the Bay Area.

~~~
lgeek
I've tried to use blueproximity at some point (mostly for convenience because
I sometimes forget to lock my screen), but the range of BT devices is too
large for comfort. I could be anywhere in my flat or in the medium-sized open
plan office at work and the phone in my pocket would still be in range.

~~~
icebraining
Have you tried configuring it? It has a slider that you can adjust to set a
minimum power level, so that if the device is too far away it locks anyway,
even if it can still detect it.

------
falcolas
Tails, a "Live CD" operating system which relies on Tor for all communication,
does something like this at the OS level: If the media you are running Tails
from is removed, the OS immediately writes over itself in RAM and shuts the
system down.

Still capable of being worked around, but looking into that may help identify
how to best implement a dead man's switch.

------
wongm
To me a simple 'device proximity' check described in the article would not
work if an adversary forced you to remain near the computer.

A 'vigilance control' device would work as intended in these cases - a message
is issued to the user (possibly via covert means), and failure to respond
locks the device:

[http://en.wikipedia.org/wiki/Dead_man%27s_switch#Vigilance_c...](http://en.wikipedia.org/wiki/Dead_man%27s_switch#Vigilance_control)

------
vezzy-fnord
Dual Core (nerdcore rapper) wrote a bunch of anti-forensics scripts a couple
of years ago, some quite kooky, which he presented at DerbyCon. Talk is worth
watching [1], and the code [2].

[1]
[https://www.youtube.com/watch?v=i3nLrJrkYOc](https://www.youtube.com/watch?v=i3nLrJrkYOc)

[2] [https://github.com/int0x80/anti-
forensics](https://github.com/int0x80/anti-forensics)

------
robotkilla
A bit different but I've considered releasing all of the stuff i own, certain
accounts etc. into the public (or into the hands of some trustee) after i die
+ some specific period of time. I would need to automate everything i have and
that task is daunting for something I wouldn't even get to enjoy.

------
fsk
It's kind of pointless. If the police have already identified you as a target,
there are too many other tactics they can use. For example, they could just
set up a hidden camera that records you when you are using your PC.

~~~
IkmoIkmo
Well for one this is a post in response to the Silk Road arrests in which a
DMS would've saved him. Not pointless at all.

Sure over time their methods will evolve but ask Ross if he'd rather have had
a DMS or not. It'd be unequivocally yes.

If your point is 'if you're a big enough target, you're pretty much fucked
whatever you do given enough time' then yes that's probably true, too.

~~~
hotgoldminer
If they observe the computer locking upon you removing the FD, wouldn't they
induce the connection? Unless it irrevocably makes the system inoperable, I
don't see this as solving for the larger problem.

------
sarciszewski
It turns out that this has already been made before.

[https://github.com/defuse/swatd](https://github.com/defuse/swatd)

~~~
mirimir
Using dm-crypt/LUKS, there's a very fast and total wipe to execute when
sensors fail.

Let's assume that /dev/sdb1 is the LUKS volume. First backup the LUKS header:
"cryptsetup -v luksHeaderBackup --header-backup-file=/tmp/LUKS-header
/dev/sdb1". Then encrypt (gpg -c) the LUKS-header, and anonymously stash a few
copies online. This is the weak point. You must remember where at least one of
them is, and also remember the passphrase.

When sensors fail, swatd runs "head -c 1052672 /dev/urandom > /dev/sdb1; sync;
shutdown -P now".

To recover, you would just boot into initramfs, restore the LUKS header, and
reboot.

~~~
wyldfire
'shutdown -P now' is slow, maybe 'echo b > /proc/sysrq-trigger' is more
effective. Trick is knowing when that sync is "really" done.

~~~
mirimir
How about "head -c 1052672 /dev/urandom > /dev/sdb1; xinput set-int-prop 2
"Device Enabled" 8 0; xset dpms force off; xscreensaver-command --lock; sync;
echo o > /proc/sysrq-trigger"? That way, the keyboard and display would be
gone while sync was completing. Also, does rebooting protect better against
reading RAM than shutting down?

~~~
mirimir
This works well, and is very fast:

head -c 1052672 /dev/urandom > /dev/sdb1; xinput --disable 9; xinput --disable
10; xset dpms force off; sync; echo o > /proc/sysrq-trigger

------
Retra
I was thinking of a voice-activated command that locks the UI while it nukes
everything. But while this is happening, it keeps a safe image of the desktop
up with basic mouse functionality, so the user doesn't know it is doing
anything for a little while.

Of course, I have no use for such a thing, so I would never waste my time
implementing it...

------
mayoff
I thought about this too when I read about how the FBI seized Ulbricht's
laptop. I decided that a simple string isn't sufficient. You want the loop to
be either a conductor or fiber optic, so that the system can detect when the
cord is cut (not just when a USB device is pulled out).

~~~
jasonl99
How about a lanyard that has a magnetic connector (like Apple charging ports).
So it just a small amount of force to disconnect, but easy to stick back
together if you forget it was there when you got up to visit the rest room.

Another thought, what about a little coin-sized watch battery device that does
bluetooth low-energy. Press a button it locks your computer (or triple click
wipes something, etc).

~~~
mayoff
A lanyard with a magnetic connector doesn't suffice. If the enemy cuts the
cord, the magnetic connector won't release and the computer won't know
anything has happened.

~~~
TheLoneWolfling
If the enemy cuts the cord, the loop of wire in the cord will be cut, and
hence the computer will know something has happened.

(i.e. you have a lanyard with a magsafe-like connector with two pins. There's
a resistance wire that runs inside the lanyard from the connector, up through
the loop, and back to the connector. The computer checks that the resistance
remains the same.)

If you want to get fancy, you can embed a RC network in the lanyard and have
the computer sweep frequencies measuring reactance.

------
derekp7
I like the idea of having a separate decryption device. OS reads encrypted
data from hard disk, sends it over an encrypted link to your cell phone, which
partially decrypts the data block (using one pass phrase), and sends it back
over the encrypted link to the laptop. OS driver then finishes decrypting that
block using a second key before passing it to your program. Writing back data
just requires a public key, so write operations don't have to go to your cell
phone. The idea is that your drive would never be fully unlocked, and the
computer wouldn't ever have the full decryption key on it (neither would your
phone).

Add in the always-on voice recognition that some Android phones have, and have
the key wipe itself as soon as it hears "Freeze... FBI".

~~~
grimman
Which will work until that fateful day when you're watching a movie... ;)

------
thaumaturgy
What you want is an RFID keyfob/detector. There used to be a writeup on a
homebrew version of this at [http://hackaday.com/2013/09/07/hidden-rfid-
reader-locks-work...](http://hackaday.com/2013/09/07/hidden-rfid-reader-locks-
workstation-unless-keys-are-present/) \-- but the link that article references
is rotten now. A sufficiently motivated person should be able to dig up
instructions somewhere.

A few years ago there were companies that did this for most operating systems,
and fairly inexpensively too, but I'm having trouble finding them now.

~~~
bigbugbag
Anything rfid can easily be duplicated.

~~~
padelt
A simple readonly RFID tag - agreed. But think "smartcard with wireless power
transmission" like [1]. These should be able to ensure cryptographically
secure communication and identification. At least MitM-attacks without
physical access to the card should be unfeasible, right?

[1]
[http://en.wikipedia.org/wiki/Contactless_smart_card#Security](http://en.wikipedia.org/wiki/Contactless_smart_card#Security)

~~~
thaumaturgy
I don't think perfect security needs to be the goal here. You just need to
have your device automatically protect the data on it when you're separated
from it -- whether it's the state in suits, or just random laptop theft in San
Francisco.

If you're up against an enemy capable of realizing ahead of time that you've
RFID-protected your device, and capable of cloning your RFID tag without your
knowledge, then you're probably screwed no matter what you do.

------
mixologic
This might work once, for somebody. Then law enforcement would understand what
it is for, what it does, and cut the lanyard/string instead of removing the
usb stick before apprehending the device.

~~~
hayksaakian
Which is probably why the author mentioned wearables with Bluetooth.

Less conspicuous, and no strings to cut.

~~~
bigbugbag
and way easier to workaround, nothing to cut simply duplicate the wireless
signal.

~~~
exprL
How would you duplicate a wireless signal that contains an “answer” to a
changing challenge (e.g. sign this message with the secret key)?

~~~
TheLoneWolfling
Easy. You do a relay attack.

I.e. instead of comp -> wireless -> device, you go comp -> extender <comp> ->
extender <device> -> device -> extender <device> -> extender <comp> -> comp.

------
ipsin
Independent of, and in addition to, other locking schemes, how about an active
process that monitors for either high acceleration (the laptop being moved) or
noise above a certain threshhold?

~~~
lgeek
I remember writing a script at some point to lock the screensaver in case of
high acceleration or if the laptop is tilting by more than a few degrees. The
idea was to lock it if was snatched (or just moved around).

However, that would only be effective against a petty thief and not against a
forensic team. In that case you'd probable want to additionally flush the
filesystems (if you care about data integrity in case of a false positive),
overwrite the encryption keys in memory (maybe on disk as well, but then
there's no coming back without a backup) and shut down. I wonder if the init
scripts prompting for the password, cryptsetup and the LUKS subsystem have
been designed to always overwrite copies of the entered password and decrypted
keys ASAP.

------
brudgers
While a dead man failsafe is a good idea - facial recognition would be my
preference for situations like that described in court, the bigger issue is
compartmentalization. Whole disk encryption sounds good, but the flip side is
whole disk decryption and that doesn't sound so good and didn't work out well
when it mattered.

Based on the testimony everything was encoded from the same one time pad so to
speak. That kinda' misses the point of one time pads.

Anyway enough thinking like a criminal or a spy for one day.

------
tomphoolery
> If the the computer loses connection to the device, it auto-locks.

If there are any Apple product developers listening, I'll _definitely_ buy the
next iPhone if part of its feature set is that as long as the phone is on and
in my pocket, I never have to type in a password to unlock my computer(s). It
would be even better if that feature was extended to developers so any
developer could use the fact that my phone is in close proximity to my
computer as grounds for successful authentication.

~~~
bentcorner
[https://news.ycombinator.com/item?id=8917992](https://news.ycombinator.com/item?id=8917992)

------
avinassh
I remember reading about that if HDD can be put in a magnetic field, it will
be destroyed. If my door/passage can be set to generate magnetic field enough
to destroy HDD, then as soon as authorities take out the computer out of your
home, the HDD will be destroyed.

But I have no idea how practical is this.

~~~
dagw
You probably read about it in Cryptonomicon (I know that's where I read about
it), but I don't know if Stephenson made it up or not.

As to practically It seems quite unfeasible. First of all since magnetic
forces fall off according to the inverse square law, you're going to need a
seriously large magnet to for it work at say 1 meters distance or so. You're
basically going to have seriously retrofit your entire house, and it's going
to be very hard to hide. Secondly and more importantly even the most powerful
commercial hard drive degaussers require that the drive be in contact with the
magnet for up to 10 seconds to guarantee that all the data is erased, so
someone just walking through a door isn't going to be in the field for
anywhere near enough time.

~~~
verytrivial
Unless you can get your hands on a powerful magnetic monopole, the field falls
off with the inverse CUBE of distance. (Note: noone has so far managed to get
their hands on a magnetic monopole, powerful or otherwise.)

~~~
marcosdumay
It can still fall with the inverse of the distance by smartly assembling
several dipoles.

Anyway, the time issue remains.

------
rndmize
I believe there was a post just yesterday for a piece of software that would
lock and unlock your machine based on proximity to your phone through
bluetooth.

Found it:
[https://news.ycombinator.com/item?id=8917992](https://news.ycombinator.com/item?id=8917992)

~~~
thaumaturgy
Only MacOS/iPhone though.

------
Jekyll
I don't know if I'm missing something here... but what's wrong with running
your laptop directly off the mains without a battery and unplugging the cord
if necessary so the computer shuts down?

~~~
Pwntastic
There are tools available to law enforcement that allow them to splice into a
power cable and convert it to battery power while still online

edit: i found it:

[http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/](http://www.cru-
inc.com/products/wiebetech/hotplug_field_kit/)

------
fit2rule
Everyone has their own unique heartbeat signature. What we need is a way to
hear that heartbeat, and if its not the right signature: erase/destroy/etc.

~~~
kefka
I think you're on to something there. Biometrics might be the way to go here,
but is difficult in implementation.

First security in layers is the best option.

1\. USB HID watcher that shuts down system when plugged in. If we use a mouse,
we can exclude that. But any other HID, shutdown -r now.

2\. Fingerprint scanner. It's not foolproof, but does make duplicating
fingerprints a pain if you dont cooperate. And jailcells usually have
concrete. No more fingerprints :)

3\. Most laptops have webcams built in. I'm looking in OpenCV FaceRecognizer
class to see how it works, and if it's viable for fingerprinting a user. We
could also do other checks, like 3d facial recognition over multiple video
frames.

4\. We could also potentially use the accelerometer built in laptops. When
others have made a sshd knock script, we could provide a knock script to the
physical device.

5\. Lock on ac power removal. Simple and effective, unless the enemy has AC
separation tools.

There's a few ideas. And of course, mix in live filesystems in ram, or
virtualbox funniness, and you're in business.

------
jamies888888
This would be a better concept if it just used your mobile phone proximity
over Bluetooth.

------
lurkinggrue
Get into the habit of locking your computer the moment you move away from it?

