[HN Gopher] PAM Duress - Alternate passwords for panic situations
___________________________________________________________________
PAM Duress - Alternate passwords for panic situations
Author : xanthine
Score : 327 points
Date : 2021-08-22 18:15 UTC (4 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| f1refly wrote:
| There's always a big issue with systems like this: Any
| sophisticated attacker will have an image of the machine he's
| trying to get into at hand to stop exactly what this pam module
| is trying to achieve from happening.
|
| All this would do is make you appear in a worse light to the
| deciding judge when it comes to trial or get your other kneecap
| shattered in a not so civil situation.
| t0mas88 wrote:
| Law enforcement yes, but I'm not sure most criminals are digital
| enough. Especially if it all looks just normal logged in, but
| in the background deletes some hidden files.
| f1refly wrote:
| People who would want the data of someone knowledgeable enough
| to install a custom pam module and write a script to utilize
| it are most likely also sophisticated and informed enough to
| know what to look for. This is not some street thug, it's
| most likely either law enforcement or organized crime who
| know very well what they want and that it's supposed to be on
| your machine.
| intellix wrote:
| So you're saying if I'm held at gunpoint or forced to surrender
| my password at the US airport that a password to clear my
| account of anything would be useless?
|
| Neither of them know anything about me.
|
| It reminds me of the Trezor hardware wallet that allows you to
| have multiple passwords into your account. If you're forced to
| give access you can log into the version with little in it.
| Nobody knows that you have secondary accounts with more in
| it...
| jeroenhd wrote:
| If you're held under gunpoint, that script that wipes your
| entire hard drive will only make your day worse.
|
| AFAIK if you actually get detained and questioned at
| airports, your drive will already get imaged before any
| password is even tried. You may be able to get away with this
| on a mobile device where this feature isn't generally
| expected (because who uses Linux on a smartphone in the first
| place).
|
| I always wonder at what scenarios like these are supposed to
| be about. If saying no is not an option, pissing off your
| captors by giving them fake info probably isn't either.
|
| I don't know what law enforcement would be looking for on my
| work drive, but if saying no is no longer an option, my
| encryption password isn't worth getting shot over.
| Spooky23 wrote:
| It's silly nerd porn.
|
| The "real" problem is either: (a) You know the authorities
| want access to your data because <x>, and you travel across
| a border with it. (b) You possess sensitive information and
| are not aware of law enforcement's desire to get it; (c)
| You're swept up at random; (d) You're a criminal, or carry
| a paper trail of potential illegal activity.
|
| Solutions:
|
| (a) Means you are stupid. The only way to win is not to
| play.
|
| (b) Means you either didn't follow your employer's security
| guidelines or aren't aware of the risks associated with
| whatever is on your device. You can't solve that problem
| without understanding that.
|
| (c) You should use discretion re: what you cross a border
| with and either accept the risk or do something else.
|
| (d) Don't really care. See (a).
| TeeMassive wrote:
| > If you're held under gunpoint, that script that wipes
| your entire hard drive will only make your day worse.
|
| Then I'll just use a script that doesn't make it look like
| I deleted everything.
| nudpiedo wrote:
| Why not honeypot into a docker with fake data? Everyone
| would be happy (during a first moment). Sure if the attacker
| is well informed then they will double check whether the
| target they got in is real or not.
| ljm wrote:
| "Okay okay! The password is hunter2, go on and try it,
| just don't shoot me!"
|
| _Bad guy types in honeypot password_
|
|     A new update to Docker is available. Restart now to
|     apply the update or subscribe to a Pro account
|     to delay this update.
|
| "Oh, bugger."
| varjag wrote:
| It doesn't have to wipe your drive, just do reasonable
| things like kill your sensitive messenger accounts and
| clean up the history.
| shawnz wrote:
| What does it matter if your drive is imaged if you are
| using full disk encryption?
| dailyanchovy wrote:
| They can try their luck again at having you give access.
| shawnz wrote:
| The duress login shouldn't reveal that anything is
| happening, so they have no reason to suspect you're using
| such a feature at all. Thus there would be no reason to
| ask you to log in again, and even if they do, you can
| simply use the duress credentials a second time.
| eurasiantiger wrote:
| If they can monitor network connections, they can see the
| duress connections, too.
| shawnz wrote:
| You don't need to make it take any network actions, but
| even if you wanted to do that you could just use TLS. It
| would easily blend in with all the other services that
| use TLS as part of their normal operation.
| dredmorbius wrote:
| https://xkcd.com/538/
| shawnz wrote:
| The duress credentials are exactly how you avoid the
| "pipe wrench" scenario. The point of the FDE in that case
| is simply to prevent them from looking on the disk
| without your supervision.
| dredmorbius wrote:
| The duress credentials keep the pipe wrench from being
| _useful_.
|
| They don't keep it from being _applied_.
| shawnz wrote:
| If the pipe wrench is getting applied regardless, that's
| a much different situation. In that case you could simply
| not comply at all.
|
| The duress credentials are meant to create plausible
| deniability of non-compliance, by giving the appearance
| of a genuine login which just reveals nothing.
| dredmorbius wrote:
| Understood and agreed. This depends heavily on what the
| investigator expects to find. If the duress key removes
| information known to be present ... out comes the wrench.
|
| Or you could just be dealing with someone who DGAF. This
| ultimately seems to be a chief characteristic of many
| situations in which strong crypto is proposed. It's the
| breakdown of civil liberties, rights, and rule of law
| which might be the true ur-problem here.
| nudpiedo wrote:
| If the attack is in hot the data is unencrypted, so
| getting the login password will (usually) also give
| access to the unencrypted disk (already mounted)
| [deleted]
| tedunangst wrote:
| Without knowing what your captor already knows about your
| device, deleting data they may expect to find is a pretty
| high risk gambit.
| EamonnMR wrote:
| If your attacker has a full image of your system why are they
| bothering with duress?
| dogma1138 wrote:
| Also depending on the jurisdiction depending on the
| circumstances triggering it can be a felony the same as
| destroying evidence or tampering with an investigation, if a
| court compelled you congrats you've just earned yourself a
| contempt of court charge that can last pretty indefinitely.
|
| In a jurisdiction that doesn't adhere to the rule of law you
| are already screwed.
|
| What people often don't seem to comprehend is that if you get
| picked up by a "secret police" in the middle of the night
| it's pretty much game over already.
| trothamel wrote:
| Deleting data, if someone can prove it, also opens you up
| to Adverse Inference, which means the jury can consider the
| plaintiff's reasonable inference as to what the destroyed
| documents contained.
|
| https://en.wikipedia.org/wiki/Adverse_inference
| [deleted]
| nickdothutton wrote:
| I miss the SecurID stress PIN.
| t0mas88 wrote:
| You could set this up with three possible passwords, #1 for
| normal login, #2 for what looks like normal login but deletes
| most sensitive things and #3 that wipes the disk encryption keys
| and reboots. If forced by criminals or a not so free government
| enter #2 and pretend everything is normal. If pressured by the US
| or EU government with your lawyer present enter #3, see it fail
| and claim you forgot the encryption keys to make it boot (which
| is technically true, just never admit you made it delete them
| since that's illegal in most places)
| loup-vaillant wrote:
| Using #3 could land you in jail indefinitely in the UK I
| believe: if they don't believe you forgot the password, they
| can interpret that as a refusal to give them the password (or
| unlock the computer), and jail you for this... until you give
| them the password.
|
| Which you can't, because there _is_ no password at this point.
| So either you admit that you just wiped your computer with the
| panic password, or you can shut up and rot in jail until you
| die.
|
| You need a way to make them believe you. Covertly wiping your
| computer is probably not going to end well.
| jrockway wrote:
| Depends on the crime, I guess. If you face execution for
| murder or treason because of the data on your hard drive,
| life in prison is an upgrade.
| akerl_ wrote:
| This is why I don't keep evidence of committing
| murder/treason on my computer.
| dredmorbius wrote:
| Evidentiary tests may change.
| drexlspivey wrote:
| So in the UK they can put you in prison for life without
| being charged or found guilty of any crime unless "they
| believe you"? Any source on that?
| aymendjellal wrote:
| I remember Kali Linux had a patched LUKS implementation for full
| disk encryption with self destruction password
|
| https://www.kali.org/blog/emergency-self-destruction-luks-ka...
| idlewords wrote:
| Real password:
|
| woD3PRBgELFHH9nuABH]ksD
|
| Duress password:
|
| duress123
| t0mas88 wrote:
| Duress password "1234", just make sure you have a very good
| backup and disable SSH password login. Anyone trying to snoop
| around is going to trigger it.
| bredren wrote:
| This is a joke, but the person under duress also has to sell
| that they are under duress. This isn't something you can really
| "train" the average person to do on command.
|
| It reminds me a bit of Jon Lovitz Pathological Liars Anonymous
| bit. "Okay! Here's the password...ya that's the ticket."
|
| https://youtu.be/hV85E2S-Idw?t=45
| als0 wrote:
| What I never quite understand is how this can work in practice.
| When someone is under real duress, they do not always behave in a
| logical way and may be too stressed to remember certain details
| like a password that they never use...
| drexlspivey wrote:
| You don't understand how someone can remember a password under
| stress?
| INTPenis wrote:
| I completely agree. I have long passphrases.
|
| The only way I can imagine remembering a duress passphrase is
| to make it slightly different in some way.
|
| So that means I'd have to keep updating my duress passphrase
| alongside my regular passphrase.
|
| Either way I love this idea and I might actually start using
| it. I'm just trying to figure out how to set a practical
| passphrase I will be able to remember. My passphrases generally
| are in muscle memory after having entered them for a few days.
|
| Edit: A simple system I just came up with is to use one of the
| numbers in the passphrase and increment it by one to indicate
| each level of duress.
| C19is20 wrote:
| Practise.
| MonadIsPronad wrote:
| 'In practice' is correct, no?
| marton78 wrote:
| I think they meant "you should practise your duress
| password".
| joefife wrote:
| Don't be that person, especially when you're wrong. Both
| forms are acceptable.
|
| "In Australian and British English, 'practise' is the verb
| and 'practice' is the noun. In American English, 'practice'
| is both the verb and the noun."
| bonzini wrote:
| I thought he wrote that reply as a suggestion, i.e. that
| you should practise typing the duress password beforehand.
| michael-ax wrote:
| perhaps i could use that as a screensaver password to share with
| my girlfriend? it would close spreadsheets, emacs, un-mount
| journals and personal drives. PAM's used to reauth from the
| screen-saver, right?
| DangitBobby wrote:
| This could result in serious personal harm if the individual(s)
| causing the duress sense something is up, which they almost
| certainly will if things start magically disappearing or locking
| up. You better make sure that whatever you are protecting with
| this is more important than your personal safety.
| bredren wrote:
| I think they would be more likely to notice that you did not
| put up enough fight. Most people are not great actors.
|
| Also, if you're being physically compelled to provide a
| password it seems your personal safety is already compromised.
| DangitBobby wrote:
| Your safety is compromised, but that does not mean the danger
| cannot be escalated. If you are mugged at gunpoint, are you
| going to hand over all your cash and keep your hands up as
| much as possible or are you going to swiftly cut up your
| credit cards?
| solatic wrote:
| I mean, that's pretty cool, but who enables password logins for
| SSH anymore? If I'm an attacker, I'm going to wonder why my
| target of duress is giving me a password and not a private key;
| most likely if I have access to my target of duress, then I have
| access to some kind of client / endpoint that my target uses to
| connect to the network, and that client will have the SSH private
| keys likely already loaded into ssh-agent.
|
| Maybe a more modern concept would be to both a) have a duress
| private key, that triggers duress scripts in the same way, b) an
| implementation of ssh-agent that adds the duress private key when
| a duress password is entered?
| jstanley wrote:
| I don't think this is specific to SSH.
|
| You could just as easily use this on your client machine and
| have it delete your private keys if you try to login with the
| duress password.
| tyingq wrote:
| Pam is for more than just ssh. This could wipe data on a Linux
| machine for a local login, gdm, sudo, and so on.
| xaduha wrote:
| I think it should be pretty trivial to have a hidden dualboot,
| let's say you have some plain boring Windows that takes 10% of
| your drive and 90% is unassigned. In reality that's encrypted LVM
| disk with bootloader on a flash drive that is easily tossed away
| if necessary. Or zapped in a microwave if you watched too much of
| Mr. Robot.
| zeusk wrote:
| or you know, just a vm disk image that is deleted with the
| duress password.
| mszcz wrote:
| I think VeraCrypt already enables this. It's called Hidden OS
| or something like that.
| sodality2 wrote:
| https://veracrypt.eu/en/docs/hidden-operating-system/
|
| Not sure if there's a linux alternative.
| flenserboy wrote:
| Would love this as a standard option for phones / desktop logins.
| ascar wrote:
| > _This is transparent to the person coercing the password from
| the user as the duress password will grant authentication and
| drop to the user's shell._
|
| I would assume the user shouldn't understand that he was given a
| duress password, so is transparent the right term here?
| rafael859 wrote:
| Nice, pretty cool stuff. In high-school I worked on something
| similar (https://github.com/rafket/pam_duress), though this seems
| to have a somewhat cleaner implementation which is nice to see,
| and hopefully a more eager maintainer.
| codetrotter wrote:
| I'm reading the readme of your project, and got to the part
| where it says
|
| > for example a mail could be automatically sent from his
| computer to a rescuer, a script could delete sensitive files in
| his hard-disk or a certain Rick Astley song could be
| appropriately played
|
| And I'm just imagining someone having set two duress passwords;
| one for kidnapping situations and one that they put there as a
| joke. And then they get kidnapped and they try to input the one
| supposed to call for help, but they misremember so they input
| the rickroll trigger instead.
|
| And the kidnappers are like "hey what the hell, you think this
| is funny man? turn that off" and the kidnapped person cries for
| having messed up their one chance at calling for help.
| qorrect wrote:
| Was a good story :).
| oasisbob wrote:
| Training is very important in duress systems.
|
| I once worked in a place with a keypad duress code on the
| security system. If you prefixed your security PIN with NN-, it
| was the duress version of the code and would trigger a silent
| alarm.
|
| This was set up long ago, and not communicated. One night, the
| keypad was acting glitchy. Partially out of frustration
| (countdown is running), and partially to test, I ended up
| accidentally engaging the duress code by tapping a convenient
| corner number, which resulted in NNNNNNNNN-PIN.
|
| After law enforcement had surrounded the building, a quick chat
| and search alongside a few officers got it all sorted.
| dheera wrote:
| An interesting way to use this PAM-Duress system would be to
| write a program that
|
| (a) begins recording your microphone and webcam video
| immediately upon login
|
| (b) Aggressively try the hell out of every passwordless Wi-Fi
| network it can detect, then use headless chrome to aggressively
| smack every button to get past the stupid login pages
|
| (c) Stream that video and audio to a server that saves it.
| dredmorbius wrote:
| Use Emergency SOS on your iPhone
|
| https://support.apple.com/en-us/HT208076
| unglaublich wrote:
| or use a cellular network
| yosito wrote:
| Comments are full of gunpoint scenarios, but I think a far more
| likely scenario for most HN readers is law enforcement / customs
| agents asking you to unlock your device during travel or some
| other random checkpoint so they can scan it. In that case, I
| doubt the officer would even have a clue about the use of a
| duress password to selectively and silently delete some private
| data. I think the biggest risk would be that a scan of your
| device could detect the PAM config and duress script which could
| be a flag to monitor you more closely, or might possibly be
| considered illegal itself in some jurisdictions.
| leephillips wrote:
| That is a gunpoint scenario.
| Spooky23 wrote:
| In the US, at minimum you're lying to a federal agent. Never a
| good idea.
| yosito wrote:
| I don't know the legal implications, but if the duress
| password unlocks your device and simply deletes a directory
| or two, and the officer only asked you to unlock your device
| (without a warrant, by the way), how is that lying?
| hirundo wrote:
| Even if it isn't lying, it's destruction of evidence. 18
| U.S. Code 1519:
|
| > Whoever knowingly alters, destroys, mutilates, conceals,
| covers up, falsifies, or makes a false entry in any record,
| document, or tangible object with the intent to impede,
| obstruct, or influence the investigation or proper
| administration of any matter within the jurisdiction of any
| department or agency of the United States or any case filed
| under title 11, or in relation to or contemplation of any
| such matter or case, shall be fined under this title,
| imprisoned not more than 20 years, or both.
| yosito wrote:
| Would that apply to a warrantless search?
| salawat wrote:
| Yes. Sadly.
| Spooky23 wrote:
| Despite rumors to the contrary, the police aren't stupid.
| They are trained to ask questions in ways that elicit a
| confession or falsehood.
|
| The simplest example is asking "Do you know why I pulled
| you over?". Typically, people spontaneously confess to
| speeding, sometimes they break down and admit that someone
| is wrapped up in a rug in the trunk.
|
| The courts have consistently ruled that customs is
| different and you can be searched without a warrant. Don't
| cross borders with contraband or evidence of criminal
| acts/dissident identity/your email correspondence with
| foreign agents/etc.
| muti wrote:
| "You could even spawn a process to remove the pam_duress module
| so the threat actor won't be able to see if the duress module
| was available"
|
| This scenario was considered by the author
| yosito wrote:
| Ah, thanks! I didn't read closely enough.
| stalkingvictim wrote:
| Is my account still censored? Why?
| ape4 wrote:
| I'd like an option like this for Password Safe
| sleavey wrote:
| The Hello World example shows echoing to stdout from the duress
| script. Seems like a bad idea. I don't want to get beaten or shot
| when some rm -rf fails with an I/O error, alerting the attacker
| to what's going on. It seems like it would be more sensible for
| the module to suppress all output by design.
| dheera wrote:
| Just do this in your script
|
|     rm -rf /secret/files > /dev/null 2>&1
|
| That pipes STDOUT to /dev/null and redirects STDERR to STDOUT.
| sleavey wrote:
| Seems like this should be baked in to the module. There don't
| seem to be any circumstances where you would want
| stdout/stderr from duress.d scripts to appear.
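
The redirect discussed in the two replies above, as an added example that is not part of the thread or of the pam-duress project: it shows why the order of `> /dev/null` and `2>&1` matters and how a single `exec` at the top of a script covers every later command. The function names and the `noisy` stand-in command are constructed for illustration.

```shell
#!/bin/sh
# Added example: output handling for a script that must stay silent.
# noisy() is a constructed stand-in for a command that writes to both
# streams and then fails (e.g. an rm hitting an I/O error).
noisy() {
    echo "progress message"
    echo "rm: cannot remove 'x': Input/output error" >&2
    return 1
}

# Order used in the thread: stdout is sent to /dev/null first, then
# stderr is duplicated onto stdout, which by now is /dev/null too.
quiet_correct() {
    noisy > /dev/null 2>&1
}

# Reversed order: stderr is duplicated onto the *current* stdout (the
# terminal) before stdout is redirected, so the error text still shows.
quiet_wrong() {
    noisy 2>&1 > /dev/null
}

# Whole-script form: one exec silences everything that follows, so a
# redirect forgotten on a single line cannot leak. "|| true" keeps a
# failing step from aborting the rest, and the final exit hides the
# failure from the caller.
quiet_script() {
    (
        exec > /dev/null 2>&1
        noisy || true
        noisy || true
        exit 0
    )
}

# capture() returns everything a command would have shown on a terminal.
capture() {
    "$@" 2>&1
}

printf 'correct order : [%s]\n' "$(capture quiet_correct)"
printf 'wrong order   : [%s]\n' "$(capture quiet_wrong)"
printf 'exec at top   : [%s]\n' "$(capture quiet_script)"
```

Per-command redirects leave the exit status untouched, so `quiet_correct` still returns 1 here; only the `exec` form with an explicit `exit 0` hides both the output and the failure.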
| bredren wrote:
| The "guy with the gun" narrative comes up a lot, so this seems to
| counter that? I love the concept. It seems like something that
| would work well in a movie but fail miserably in real life.
| simonlc wrote:
| This is really good, I've had a gun pointed at my head more
| than enough times with all my bitcoins wiped, finally a
| solution to my every day problem.
| mgerdts wrote:
| The company that was pitching my employer retina scanners on data
| center doors 20 years ago had an idea like this. Left eye gets
| you in, right eye gets you in and alerts security.
| LeonM wrote:
| This is also very typical for regular alarm systems with a
| keypad.
|
| A PIN disarms the alarms system, the same PIN + 1 disarms the
| alarm system and notifies security.
| MrStonedOne wrote:
| in ncis there was a security system where the pin had to be
| entered twice, only once would alert security.
| thomascgalvin wrote:
| I worked at a place where the duress code was ROT5: 1234 was
| your normal access code, 6789 alerted security.
| Biganon wrote:
| You're supposed to ROT5 mentally while in a state of high
| stress?
| thomascgalvin wrote:
| It wasn't a well-considered plan. It also wasn't highly
| advertised. I found out because someone happened to
| mention it to me one day.
| danachow wrote:
| It doesn't sound quite as onerous if you just memorize
| two 4 digit numbers by rote. But yes I agree the ROT5 is
| a dumb flourish.
| HPsquared wrote:
| Could use the method in The Wire: press the key on the
| opposite side to the usual key (e.g. 8 instead of 2, 6
| instead of 4, etc.)
| HPsquared wrote:
| This could also work with fingerprint scanners.
| koolba wrote:
| Could also blink Morse code.
|
| It's been done before:
| https://m.youtube.com/watch?v=rufnWLVQcKg
| eps wrote:
| If you wonder whether it's a video of an american pow
| blinking "torture" during an interview - yes, it is.
| tazjin wrote:
| As long as the sides are the employee's choice (i.e. the threat
| actor needs to not be able to know which eye is the duress
| one).
| hanniabu wrote:
| Good point, that's a very important requirement
| HomeDeLaPot wrote:
| And you'd want to hide the eye choosing/scanning process so
| nobody could just watch an employee to figure out their
| preference.
| withinboredom wrote:
| If your threat model is "guy with guns," they'll just follow you
| and snatch it when you think you're safe and unlock the device.
| If your threat model is "government at border" just mail the
| device or data to yourself overnight. Don't be that guy...
|
| I was flying into Atlanta (Intl) with "radioactive" rocks (not on
| purpose, just picked some up near a volcano, they looked cool)
| and they flipped their collective shit. I was taken to a separate
| area where they dumped my stuff next to another guy who got
| pulled into "routine" inspection. This other guy "forgot" his
| phone pin earlier that day... he was still there four hours
| later, after my four hours of reasonably straightforward BS.
| ChrisMarshallNY wrote:
| It's a very cool idea, but I think it would be most useful if
| applied to things like phones. I suspect most people pressed for
| passwords, are using a GUI system.
| lights0123 wrote:
| It uses the same authentication system everything else uses, so
| it would work in any login screen on a system that uses PAM
| (Linux and macOS), not just a terminal.
| luismedel wrote:
| Exactly. It would be great to have a secondary pin (or my
| middle finger fingerprint, for example) in my phone to enter in
| a dummy environment with a few games, some family pics and so.
| lisnake wrote:
| The feature exactly like that exists in Xiaomi phones. It's
| called Second space, and basically allows you to have second
| profile with different apps or accounts. Interesting thing is
| that you can set it up to open when unlocking the phone with
| specific fingerprint. The idea is to fill that Second space
| with dummy info, and unlock it with your little finger, for
| example (or vice versa, use it for sensitive information).
| Obviously, it wouldn't fool thorough phone scan (and if you
| dig deep enough in the settings you can see if the feature is
| enabled) but can be useful at quick cursory scans, like if
| you need to provide your phone at the border
| ChrisMarshallNY wrote:
| It would need to be baked into the OS. With FaceID, I guess I
| could use eyes crossed, as a cue.
| bartvk wrote:
| That'd be neat. With Touch ID, it would be very intuitive
| to configure the middle finger as the trigger to run a
| duress script.
| laurent92 wrote:
| Always configure a non-obvious part of your thumb (or
| left thumb) as Touch-ID. Then when under duress, use your
| normal thumb to make it fail.
| SalimoS wrote:
| You can push the lock button many times (when pulling your
| phone from the pocket for example) and it will lock the
| phone and require you to use your passcode
| anigbrowl wrote:
| I do not understand why any security concerned person would
| use biometric identification for anything, ever.
| dredmorbius wrote:
| If that's what's mandated, you may have little choice.
| bonzini wrote:
| Somebody mandates using biometric identification
| _instead_ of a PIN?!?
| dredmorbius wrote:
| Biometric passports: https://www.dhs.gov/e-passports
|
| Face ID: https://support.apple.com/en-us/HT208109
|
| Fingerprint Readers:
| https://www.samsung.com/us/support/answer/ANS00082563/
|
| These are extant, and either part of or _required_ within
| numerous presently-used systems.
| lxgr wrote:
| Why would being security conscious automatically
| disqualify biometrics?
|
| Security is all about threat models, and I can imagine
| quite a few scenarios where biometrics might fare better
| than passwords. Shoulder surfing and trivial
| passwords/PINs come to mind, for example.
|
| And who said that it's biometrics vs. anything else? It's
| quite advisable to combine authentication factors.
| anigbrowl wrote:
| Shoulder surfing and weak passwords are both something
| you can control at any time. Biometric identification can
| be exploited involuntarily by someone literally using
| force to apply your finger to a device or similar. I
| shouldn't need to say this, it's so obvious that it's a
| common plot device in action movies.
| sabas123 wrote:
| And with a little bit more force they beat the password
| out of me anyway regardless which system I use...
| anigbrowl wrote:
| If you are so easily swayed, you would probably not be in
| an adversarial situation with a government anyway.
|
| But this article is about a system for giving up
| passwords under duress without necessarily compromising
| all your security, such that your antagonist has no way
| of knowing or showing that there's another password
| concealing more important information.
| SalimoS wrote:
| Because there is a difference between identification and
| authentication and unfortunately the Touch/Face ID mixed
| them
| dheera wrote:
| I think on Android you can set up multiple users.
| squarefoot wrote:
| I don't think they hide their existence from each other
| however. If they're like Unix users, then one might see
| something like /home/user1 /home/user2 /home/user3, etc. so
| that all usernames would be clearly visible and the user
| could be then forced to reveal all passwords. The aim is to
| obtain plausible deniability, that is logging in as the
| safest user according to the situation, while at the same
| time hiding all others.
| canada_dry wrote:
| I'd love that feature (android 9+) if it allowed me to
| install some of the gazillion apps (e.g. every bloody fast
| food place that only has deals via their app) but restricts
| them from accessing my real user contacts, emails, msgs,
| gps/location, etc.
|
| Blackberry phones had this feature and it was pretty
| bulletproof.
| dheera wrote:
| I believe users cannot access each others' data. So yes
| you can use it this way. I'm pretty sure it existed at
| Android 9. Are you running stock Android or some Samsung
| bull?
| awinter-py wrote:
| yeah there's that one guy who tried to cross the border from
| canada and got blocked for having scruff on his phone
|
| https://www.huffingtonpost.ca/2017/02/22/canadian-man-custom...
|
| 5 years on we're somehow all managing our own crypto keys, the
| phone is the key to unlock our digital lives, so we're all in the
| counterintelligence game. more tools like this.
| yhoneycomb wrote:
| Good old US. Land of the free. Canadian border agents are
| equally bad, in my experience. Guess it's just part and parcel
| with living in the Anglosphere.
| necovek wrote:
| There are multiple levels of protection one might want.
|
| I.e. when you are being selected for random questioning entering
| US as a non-US citizen, you'd benefit from steganography-like
| approach: you give a password, and relatively bland, non-personal
| stuff shows up, giving appearance of full access to a system.
|
| If you only care about your privacy, the next one is to have a
| destroy-everything script (and it's not that hard: usually,
| passphrases are only used to decrypt the actual encryption keys,
| so overwriting those keys should be super fast). This would also
| work against unsophisticated attacks which are not going to
| really cost you your life.
|
| If there is a potential for you to be a target of a sophisticated
| attack and the attacker does not care about taking your life, the
| biggest benefit is to have a way to inform someone of your
| whereabouts while you are actually giving access, ideally in a
| way that buys you time (eg. "webcam has detected stress on your
| face, please wait another 6 hours before trying to log in again"
| -- sorry, company mandated software, when it happens usually, we
| call support).
| mimimi31 wrote:
| >usually, passphrases are only used to decrypt the actual
| encryption keys, so overwriting those keys should be super fast
|
| I'm not sure if it's really that simple with modern flash
| storage. There might be no guarantee that attempting to
| overwrite some data will actually affect the particular memory
| cells where it is stored. You would probably have to trigger a
| secure erase to reset all memory cells and hope that it is
| correctly implemented by the storage device's firmware.
| IgorPartola wrote:
| This would happen inside the TCM no?
| Nursie wrote:
| This is something TPMs are good for I guess.
| zachberger wrote:
| Even US Citizens are subject to search at the border without
| warrant or probable cause.
|
| Recently I had a CBP officer at SFO ask to search photo gallery
| when returning from vacation.
| grecy wrote:
| Does a US Citizen have to comply?
| amelius wrote:
| Of course James Bond would have an unlock + wait 10 seconds +
| explode option ...
| packet_nerd wrote:
| > I.e. when you are being selected for random questioning
| entering US as a non-US citizen, you'd benefit from
| steganography-like approach: you give a password, and
| relatively bland, non-personal stuff shows up, giving
| appearance of full access to a system.
|
| Is there a practical way to implement this today with Linux? I
| know VeraCrypt supports hidden operating systems, but I think
| only Windows?
| roblabla wrote:
| It's possible to have a truly "hidden container" with
| LUKS/cryptsetup, but it's not exactly a "supported" setup.
| Here's some information:
| https://blog.linuxbrujo.net/posts/plausible-deniability-
| with...
| delgaudm wrote:
| If I understand correctly, this appears to be Linux only?
| raziel2p wrote:
| It's based on PAM (pluggable authentication module) which
| should exist on MacOS and BSDs as well.
| [deleted]
___________________________________________________________________
(page generated 2021-08-22 23:00 UTC)