[HN Gopher] BusKill - A USB kill cord for laptops ___________________________________________________________________ BusKill - A USB kill cord for laptops Author : favourable Score : 255 points Date : 2021-12-15 11:38 UTC (11 hours ago) (HTM) web link (www.buskill.in) (TXT) w3m dump (www.buskill.in) | Hizonner wrote: | That can trivially be done in software using any USB device at | all. In fact, Tails has done it forever, and I bet other things | have too. | | Total ripoff. | lelandfe wrote: | https://www.buskill.in/buskill-laptop-kill-cord-dead-man-swi... | szszrk wrote: | Also magnetic usb cables are quite easily available now. You | could use any tiny usb device and add magnetic feature to it | for around $10 or so. | arein3 wrote: | I guess the best way would be to auto lock the laptop if someone | screams, no hardware needed and if they hold you, you can still | scream to lock the laptop | BrazzVuvuzela wrote: | Just remember to whitelist the Wilhelm scream, otherwise you'll | get a lot of false positives from any TV in the room. | 323 wrote: | But what if you have no mouth? | jonnat wrote: | This comment takes me back to when I didn't have kids. | rje99 wrote: | I feel I would somehow forget its there a lose all my data within | the week... | excalibur wrote: | Yeah, setting it to destroy your data when removed isn't | advisable outside of some very controlled settings. | jdironman wrote: | Not to mention, USB drives fail. | DarthNebo wrote: | Feel like this something similar can be accomplished for Macs | using AirTags/Apple Watch proximity to do specific actions via | Shortcuts App, instead of just locking/erasing remotely using | 'Find My'. | vladvasiliu wrote: | I seem to remember Windows 10 has a similar feature. You can | pair your phone with it, and it supposedly locks automatically | when the phone goes away. I've never seen it work, though... | minimaxir wrote: | macOS Monterey added a "Erase All Content and Settings" feature | that works like the iOS versions by deleting the encryption | key, although as a result the feature only works on T2 and M1 | Macs which encrypt the data at rest even without FileVault. | | It wouldn't surprise me if Apple imports more emergency wipe | features into macOS from iOS. | Cthulhu_ wrote: | Isn't that already a thing? IIRC you can configure your Mac to | unlock if your Watch is in close proximity, so it should be | possible to do the opposite when it goes out of range. | DarthNebo wrote: | Probably something the Shortcuts app could do, I couldn't | find a Watch specific entry when creating one though. So it's | just lock/unlock for now. | ltultraweight wrote: | I thought the self-destruct wouldn't run a script, but would | actually be a physical attack on the laptop like the usb-killer | v2 from a few years back. | WesolyKubeczek wrote: | Looks like "security LARPers" are at it again. I'd bet 99% of | buyers will self destruct their laptop themselves, by | accidentally bumping into the cord. | | And to think now, the same people are pushing the narrative how | PGP is bad. | maltfield wrote: | Hi, I'm Michael Altfield (Founder of the BusKill project). I'll | take that bet because I'm pretty sure <99% of people will ever | enable the self-destruct triggers :) | | BusKill does not ship with destructive triggers. The current | app is limited to locking your screen. Future releases will | include soft/hard shutdown. | | We do have a "LUKS Header Shredder" trigger (which we call | self-destruct as it renders all the data on the FDE disk | useless), but we (intentionally) don't include it by default | and raise the barrier of entry because of the risk of data | loss. | | We'll be publishing a more detailed write-up on the LUKS Header | Shredder in 2 weeks. You can subscribe for updates on our | website (buskill.in) or the campaign directly (crowdsupply.com) | | Also, while I recognize there are limits in PGP, I encourage it | and actively train journalists and activists on how to use it | (though I do prefer messaging solutions that make e2ee required | and use PFS like Signal, Threema, Wire, etc). | martin_a wrote: | Maybe I'm "spoiled" because in Germany there's a need to publish | an imprint on all websites that are somehow "commercial" (having | ads on it would be enough), but this is highly "dubious". | | No contact information (as in "who runs this?") is provided on | the site. Privacy policy is not GDPR compliant (no contact | information provided), no names, nothing. | | This might be fine for a personal blog, but for doing business | this is (at least for me) a no-go. | maltfield wrote: | Hi martin_a, I'm Michael Altfield. I started the BusKill | project in January 2020 with the following article on my blog: | | * https://tech.michaelaltfield.net/2020/01/02/buskill- | laptop-k... | | The above article front-paged on Hacker News, and I got a _lot_ | of people asking me how they could buy one and use it in on | Windows and MacOS. Over the past year, many people have | contributed in porting it to those platforms (I originally just | designed it for myself, and I use Linux). | | The BusKill project is not owned by me. All our work is open- | source, and it's owned by the community. As such, I don't put | just my name on it because it's not just my work. But if you | dig around, you do see my name pop-up in a few places. | | The list of contributors can be found on our documentation's | "Attribution" section. | | * https://docs.buskill.in/buskill- | app/en/stable/attribution.ht... | | The main website is mostly just a landing page, blog, and a | store so people can buy with cryptocurrencies and Tor since | CrowdSupply doesn't run an Onion Service and doesn't accept | crypto payments. | | Not everyone who has contributed to the BusKill project is | still active, but some of us are. You can find our names & | photos at the bottom of the Crowd Supply campaign page: | | * https://www.crowdsupply.com/alt-shift/buskill | | Contact information is provided on the website. There's a link | to it in the Footer* and on the GitHub page. Not sure how I can | make that more clear: | | * https://www.buskill.in/contact/ | Symbiote wrote: | I'm not familiar with the German rules, but GDPR Art. 14 SS1 | says: | | > Where personal data relating to a data subject are | collected from the data subject, the controller shall, at the | time when personal data are obtained, provide the data | subject with all of the following information: | | > (a) the identity and the contact details of the controller | and, where applicable, of the controller's representative; | | Usually, these contact details are in the privacy policy. | | It's certainly unusual for a website to omit this, and in | most cases I wouldn't buy from a site where it's missing. In | this particular case, maybe it's less strange. | | However, I still wouldn't order without knowing from where | the package will be sent. Something from Estonia arrives here | without any import taxes, something from outside the EU can | do (the CrowdSupply site says they handle VAT), but can also | attract high processing fees. | | https://gdpr-info.eu/art-13-gdpr/ | | (Note I'm not interested in buying a BusKill; I'm just | procrastinating.) | maltfield wrote: | All orders are handled by CrowdSupply (via Mouser). They | handle shipping, VAT, import taxes, etc. | | It certainly added cost to the final product, but I figured | it was more fair & transparent to everyone to set shipping | to $0 internationally (I hate it when you finally make it | to payment and only then learn shipping is $20 :/). | Symbiote wrote: | It seems to be from (or in partnership with) | https://www.altshift.in/ in Estonia, leading to | https://twitter.com/MichaelAltfield | maltfield wrote: | Yes :) BusKill is an open-source project. AltShift is my | company. | paulcole wrote: | Would you be happier if the site prevented you from viewing it? | martin_a wrote: | It's not about viewing/trying to track me, but we are talking | about somebody trying to sell me something. Would you feel | fine paying around 100 bucks to... well... whom? | | Just a website with no contact information, no names, | adresses, business registration, whatever? | | As far as I can see, this could very likely be a scam of some | sort, because anybody who's into doing "real", honest, | business would be fine with giving his name and address. | paulcole wrote: | > Would you feel fine paying around 100 bucks to... well... | whom? | | I'd feel fine deciding if I feel fine. | | That's also why I have a credit card. I can get scammed and | not be out $100. | martin_a wrote: | Ok, so you get the item and it explodes in your face. | Whom do you sue? | paulcole wrote: | Probably nobody! | martin_a wrote: | And you don't think there should at least be some | possibility to hold someone liable in case something goes | _terribly_ wrong? | dspillett wrote: | I would. It would save me the time spotting the red flags and | backing away anyway. | | Though a couple of relevant regulations state this should not | be done, and no site is going to send away a potential | customer by saying "we don't want to follow your | laws/regulations so can't do business with you" when they can | instead just get away with just ignoring, or in the case of | sites run from elsewhere in the world claim to have no no | knowledge of, those regulations. | paulcole wrote: | > no site is going to send away a potential customer by | saying "we don't want to follow your laws/regulations so | can't do business with you" | | Many local US-based TV news/newspaper sites do this albeit | with a slightly more opaque message. And customer still | mostly fits because these sites are ad-supported (usually | with a mix of local/non-local ads. | thargor90 wrote: | Yes, we are spoiled. | | I'm not sure it's even possible to have a valid contract with | an unknown party... | FDSGSG wrote: | "Operator of buskill.in" does not seem like an unknown party? | martin_a wrote: | It is. What's the postal address of the "operator of | buskill.in" so I can file claims with him? | FDSGSG wrote: | info@buskill.in | martin_a wrote: | You seem to misunderstand what a postal address is. | | The provided information on this website is not enough to | do legally binding business (at least in some parts of | Europe, it's not only Germany). | FDSGSG wrote: | In Germany you can enter into a verbal contract without | any exchange of personal details. Why would a website be | treated differently? I'm curious. | | As far as I understand German law is very flexible about | what constitutes a valid legally binding contract. | martin_a wrote: | Chapter 2 and 3 of the "BGB" contain several paragraphs | which define legal rights and obligations for doing | business via the internet or telephone. | | SS312f for example defines that customers must receive "a | copy of a contractual document signed by the contracting | parties in such a way that their identity is | identifiable" (translated via DeepL). | | A simple mail address is not an identity in German law, | especially not when doing business with B2C as you always | have a 14 day period to cancel your order (except for | downloads and various, special products). | | edit: If you want to cancel, you must be able to do so | via (offline) mail, too. | FDSGSG wrote: | Sure, they're not following the rules. Why would that | affect the validity of your contract with them if you | purchase good from them? Why would this contract not bind | the seller? | martin_a wrote: | I don't think it is. Neither in B2B and especially not in | B2C. Although I think the consequences would mostly be worse | for the customer, not the seller. | bserge wrote: | If they wanted to be dubious, they could've put up some | fake/stolen information. | | Then you wouldn't question it, which just makes the whole thing | rather useless. | | I always found it funny how people trust Stiftung Warentest. | It's the German equivalent to "Which?", but at least Brits know | they're full of shit. | noasaservice wrote: | https://github.com/hephaest0s/usbkill | | This does the same thing, but you can use any USB hardware as the | entry/remove trigger. And you can script it to whatever you want. | | But... that doesn't sell unneeded hardware. | maltfield wrote: | usbkill is a bit backwards from BusKill. | | usbkill triggers when a device is inserted. BusKill triggers | when a device is removed. It's an important difference. | | I actually didn't start BusKill to sell devices. It was | originally a DIY project. The problem is that after I published | the article describing how to make it, the one manufacturer of | USB-A magnetic breakaways EOL'd their product and it sold-out | (my & Hacker New's fault). It also wasn't for sale outside the | US. | | This campaign is a response to people who asked me how they | could build their own USB-A cable with a magnetic breakaway. | Before they couldn't. Now they can. | | * https://buskill.in/buy | | Of course, you can still build your own. We encourage it. All | our designs are open-source. | | * https://docs.buskill.in/buskill- | app/en/stable/hardware_dev/i... | k1rcher wrote: | This is very cool to see. When I discovered and subsequently | purchased my framework back in October I had an idea for a | homebrewed, 3D printed expansion card, where plugging it | in/activating it immediately executes dban (or some other, better | alternative). | | Or you could always just carry an enormously strong electromagnet | on you :-) | | Very keen on picking one of these up purely for the novelty, | price isn't too bad. Although I think the demographic who would | and could actually benefit from a failsafe for having their | laptop physically yanked away from them is quite small. | maltfield wrote: | Our target demographic is mostly journalists. | | Keep an eye on the number of journalists who are murdered in | oppressive regimes. It's very sad :'( | | * https://rsf.org/en/ranking | yholio wrote: | Good to have if you run a dark net marketplace or a political | disident ring from public libraries. | | An additional refinement is to autolock the device if a certain | personal key combo (ex. Shit - vol up - vol down) is not pressed | every few minutes in response to an audible click. If not | unlocked in a minute or so with a complex password, the device | halts to a disk encrypted state and unpowered ram, minimizing the | window attackers have to recover RAM state. | Jerrrry wrote: | Instead of a personal key combo, a dongle with an OTP code. | | Both the dongle and the computer have accelerometer-bump-tilt- | oh-fuck-support. | | A OTP has to be entered every 5 minutes, or a secure | screen/dead sequence starts. | | Sudden accelerated movements or a lack of presence-detection | would also start the sequence. | MayeulC wrote: | I once wrote a script to automatically lock my computer if I | got too far away from it, back when I was wearing a bluetooth | wristband. | | I guess you could do the same, but shut down the computer | instead. | reaperducer wrote: | _I once wrote a script to automatically lock my computer if | I got too far away from it, back when I was wearing a | bluetooth wristband._ | | I had a program like this back in PowerBook days. It | automatically unlocked the computer if a specified | Bluetooth signal reached a particular strength, and locked | the computer again if the signal strength fell below | another threshold. | | It worked great, when it worked. It had maybe a 70% success | rate, but that was good enough. | ComputerGuru wrote: | Windows 10 does this automatically if you pair your phone | to your Windows 10 PC via bluetooth. When you walk away, it | locks the screen. | nefitty wrote: | Unfortunately, iOS-provided location resolution for use in | shortcuts makes it worthless for in-home use. Unless you | live in a mansion though I guess. | MayeulC wrote: | You are assuming the signal is strong enough to be read | at a distance. I just used the RSSI, and going away a few | meters was enough. Moreover, since that was just a nicety | in case I forgot to lock my computer during a corridor | conversation, I could get away with a longer timeout. | | A more sophisticated implementation could be done if you | can write software on the device. A PineTime would be | perfect for this. | | I am not sure why mention iOS specifically, a phone is | easily forgettable. Moreover, you don't really need to | rely on any location API provided by the system, even if | UWB or Bluetooth Location Services would do wonders for | this, a simple RTT latency measurement or RSSI value | should be enough. | nefitty wrote: | I always carry my phone, even if moving to another room. | I assumed that a similar behavior is why you got rid of | your wristband. | MayeulC wrote: | No, I got rid of it for multiple other reasons: started | using a mechanical watch again, got rid of all | proprietary software on my phone (though I used | gadgetbridge for a while), realized anybody could just | track me as the band was broadcasting the same MAC | address everywhere. | | I also got multiple LG watch R, I'm probably going to | fiddle a bit with them when I have time, hopefully | mainlining them and porting postmarketos over. I'm open | to trying again with those. In the end, I don't really | have sensitive documents on a laptop (besides work- | related confidential stuff), so I'm not sure I'd crank | paranoia to 11. | | As for my phone, I often pull it out of my pocket and | leave it on my desk, or abandon it somewhere, charging or | powered off -- I should probably be more careful with | that, but people know to expect some latency when | contacting me. | vkou wrote: | If the feds are pinching you for computer crime in a public | space, this is exactly why they'd handcuff you, but keep | you within ~10 feet of your laptop. | Jerrrry wrote: | heartbeat monitor. | | unless they hit you with the cryo, too. | goodpoint wrote: | > Good to have if you run a dark net marketplace or a political | disident ring from public libraries. | | ...and expose the contents of the screen to any camera with a | good zoom? And the passwords you type? Not good. | | It's just an very overpriced thing that can protect you from a | thief and not the FBI. | generalizations wrote: | He's making a reference to dread pirate Roberts. This was the | threat model. | zionic wrote: | Wouldn't it make sense to remove the battery on your laptop | entirely? With a modified magsafe-like power cord any attempt | to grab the machine hard-kills the system and RAM begins | degrading immediately. Epoxy over the screw terminals would | also delay an attacker long enough to prevent freezing the RAM | with compressed air to try and dump RAM via an exploit kit. | tarboreus wrote: | I think the idea is that you might only have about a second | to kill the device. Yes, you can throw your computer in a | bathtub of saltwater or whatever but that's not really the | point. | jacquesm wrote: | You better make sure that 'tampering with evidence' carries | a lower penalty than the thing that you're trying to hide. | pmorici wrote: | Devices to transfer from wall power to battery backup for | transport have existed for a long time. | | https://wiebetech.com/products/hotplug-field-kit/ | remram wrote: | TIL. Found a demo on YouTube: | https://www.youtube.com/watch?v=erq4TO_a3z8&t=3m39s | dehrmann wrote: | Seinfeld had a "rogue electrician" named Slippery Pete who | could do this. | gruez wrote: | >Epoxy over the screw terminals would also delay an | attacker... | | Might as well go all in and epoxy the ram sticks/dimm slot | assembly. | dotancohen wrote: | Aren't they already soldered in place in modern laptops? | doubled112 wrote: | Many laptops but not all laptops. | | I've noticed many lower end have one soldered and one | removable. Drives me crazy because then you end up with | more RAM but less performance, so have to choose which | hit is worse. | gruez wrote: | >I've noticed many lower end have one soldered and one | removable | | nah, that applies to many mid to high range laptops as | well, eg. 14" thinkpads has had 1 soldered 1 removable | dimm for years now. | ClumsyPilot wrote: | Would it cause overheating? | gruez wrote: | You don't have to douse the whole thing with expoxy. The | dimm assembly looks like this: https://guide- | images.cdn.ifixit.com/igi/dpYyM4oeOLPPTdpF.hug... | | Putting epoxy around the top and bottom edges (where the | retention clips are) and the right edge (where the | contacts are) should make it extremely difficult to | dislodge, but not impact the thermal performance of the | chips (the black rectangles). | Mandatum wrote: | You freeze the whole laptop. | lmilcin wrote: | The combo solution is not good enough, especially if you are in | public. | | If you can be observed to use the combo (which you would have | to be using regularly) somebody else could be pressing the | combo or they could insert USB device that can generate the | combo regularly. | | I would also add that locking your laptop is not safe enough if | you are serious about this. There are devices that can | exfiltrate information from what I understand almost every | operating system through USB. | marcodiego wrote: | > There are devices that can exfiltrate information from what | I understand almost every operating system through USB. | | If that is true, then it is a vulnerability. You should file | bug reports. | tjader wrote: | How will you prevent a USB device to present itself as both | a keyboard and mass storage and then type commands that | copy data? | marcodiego wrote: | Keyboard and mouse plugged in after the system boots | should only become effective after user permission is | given using previously available devices. | | For more safety: any plugged usb device should lock your | screen so that a password is required before it can be | used. | sildur wrote: | With QubesOS. I just tried adding a keyboard and it | simply showed me a pop up saying a USB keyboard has been | attached. It won't work until I attach it to a qube. | goodpoint wrote: | usbguard does that without the need for Qubes. | Karliss wrote: | If the computer is locked, typing commands will not do | nothing. If computer is unlocked a person could do it | manually without USB by just sending them over internet | or storage device of choice, no fancy keyboard+mass | storage device required. | DarylZero wrote: | An OS doesn't even need to implement USB support. Of | course it can offer access controls to enable the USB | devices. | tjader wrote: | Of course not, but then you're saying USB is a security | flaw. | | My point is that given how _universal_ USB as long as a | device can do both input and output it 's going to be | very hard to stop some exfiltration from being possible. | | Do you really think a bug report should be filed on all | OS's for allowing USB drives and keyboards to be plugged | on a running system? | matheusmoreira wrote: | > you're saying USB is a security flaw | | It is. | | > Do you really think a bug report should be filed on all | OS's for allowing USB drives and keyboards to be plugged | on a running system? | | Automatically trusting input devices is as bad as | trusting user input. It's trivial to pass off a | programmable USB keyboard as a mass storage device. | DarylZero wrote: | I was saying that the existence of the non-implementation | of USB proves the possibility of access controls on USB. | | Convoluted way to put it I guess. For some reason was | intuitive to me (proof of existence by example, more | trivial example better). | | Having access controls on USB-HID is just a local policy | choice where most people would choose convenience over | security. | tjader wrote: | I agree, and it makes sense for some security oriented | OS. | | But the comment I replied to seemed to suggest that the | possibility of data exfiltration via USB is a bug in any | OS. | FpUser wrote: | Tried to find "Shit" key on my keyboard as it would save me a | lot of time. No luck. | kingcharles wrote: | Exactly. You need something not for when your laptop is removed | from _you_ , but when _you_ are removed from your laptop. | | Also, if you are being targeted this hard you need to have | something for when you are _left_ in front of your laptop and a | gun is put to your head. Or the attackers threaten the welfare | of your family. | somedude895 wrote: | > You need something not for when your laptop is removed from | you, but when you are removed from your laptop. | | Yeah, this wouldn't have saved the admin of Alphabay, a now | defunct darknet market. The FBI staged a car crash outside | his house so when he'd come out to see what was going on they | could arrest him and likely get to his laptop while it was | unlocked. Then again, he really shouldn't have left his | computer unlocked. | alias_neo wrote: | That seems like a great expense to go to for the sake of a | possibility the guy might do more than peek out of the | window and then go back to what they were doing. | | Surely there were a bunch of other options to consider | before "let's stage a car crash"? | mdrzn wrote: | > Alphabay | | Related video is all I could find about this: | https://www.youtube.com/watch?v=HXrXD1M6kXk | matheusmoreira wrote: | If someome is pointing a gun at you, it's probably too late | to do anything. There should probably be cameras and motion | detectors monitoring the perimeter in order to provide early | warning. | kingcharles wrote: | The second part is harder to defend against. I didn't | flinch when LEO pointed a loaded gun at me and threatened | to shoot me, but as soon as they threatened my wife I told | them I would sign whatever fiction they wanted to write, | which I did. It just took me close to 8 years of being in | jail to get a judge to look at it and tell them off and | throw out the document. | matheusmoreira wrote: | ... Police threatened your wife in order to make you sign | a confession? That's extremely fucked up. | kingcharles wrote: | Yes. Stupid retards did it on video though, otherwise it | wouldn't have been seen at all. This was after over an | hour of threatening me and refusing my right to silence, | not letting me speak to my lawyer, etc. | at_a_remove wrote: | I would like to know more, if you're able. | | Eight years of false imprisonment sounds like lawsuit | city, to me. | laristine wrote: | Should we be concerned that no new canary notice [1] has been | posted after the second canary [2], which promised to post the | next one in June 2021? | | [1] List of canaries: https://www.buskill.in/tag/canary/ [2] | https://www.buskill.in/canary-002/ | JeffRosenberg wrote: | > The BusKill team publishes cryptographically signed warrant | canaries on a biannual basis. | | The canary-002 says: Status: All good | Release: 2021-06-13 Period: 2021-06-01 to 2021-12-31 | Expiry: 2022-01-31 | | EDIT: Oh, the issue is just that they failed to update the | wording of: "We plan to publish the next of these canary | statements in the month of June 2021." Looks like a copy from | canary-001. | maltfield wrote: | Ah, crap, sorry about that. | | I'll try to remember to update the verbiage of that lower | line to reference the top line to prevent this from happening | again in the future. | | Thanks for pointing it out! | maltfield wrote: | Hi, Michael Altfield here (Founder of the BusKill project and | holder of the PGP Key for signing canaries) | | No, you should not be concerned. The latest canary #002 | literally says: Period: 2021-06-01 to | 2021-12-31 Expiry: 2022-01-31 | | Source: https://www.buskill.in/canary-002/ | | What matters is what's cryptographically signed. Did I make a | mistake somewhere else? | | The next canary will be posted before 2022-01-31. | liminalsunset wrote: | MacBooks used to have a key combination (left cmd shift option | and power) that could be used to kill power instantly. In the | schematics, these keyboard keys were hard wired to the SMC | microcontroller's reset line, which would remove all voltage to | the motherboard upon reset. | | With the T2, this still exists, but you need to wait more seconds | and use a 2step combination. This is a pain because you can no | longer use it to do an emergency shutdown. | salex89 wrote: | Or, maybe just add back the Kensington Security Slot and attach | the laptop to yourself/desk with a strong wire and not have your | laptop yanked in the first place. | | I understand the first part of my idea is dead in the water, we | hardly get additional ports, let alone a slot hardly anyone will | use. But I would like to see a way to retrofit a KSS on a laptop. | gruez wrote: | >Or, maybe just add back the Kensington Security Slot and | attach the laptop to yourself/desk with a strong wire and not | have your laptop yanked in the first place. | | They could still yank _you_. It would pretty hard for you to | execute the self destruct sequence after the undercover fbi | agent knocked you over from your chair. | arpa wrote: | It all boils down to whether your adversary is mossad or not | mossad [1]. | | 1. https://www.usenix.org/system/files/1401_08-12_mickens.pdf | BrazzVuvuzela wrote: | You could tether the kill cord to your belt loop. | Farbklex wrote: | Yeah I still don't get this. I hate that I can't secure a | Macbook. But pretty much every cheap laptop comes with a | kensington lock hole. | | Sure it is not _super_ secure but being able to leave my laptop | for 1 minute in a public place is nice. Instead I have to put | the macbook in my backpack and take it with me. | ssorallen wrote: | Locking your laptop to a table in a cafe doesn't seem like | something most folks would do. Working in a cafe was the use | case I imagined when I saw this. | alushta wrote: | The point is to lock your laptop when the government is coming | to bust you. This device would have kept Ross Ulbricht out of | jail. | Jerrrry wrote: | >This device would have kept Ross Ulbricht out of jail. | | This device would had made a difference in the initial | library-swipe confrontation, but would had definitely not | kept Ross out of jail by any means (even that day) | zionic wrote: | Oh he certainly would have been arrested (jail), but he | would have avoided prison (conviction). | Jerrrry wrote: | He would of avoided jail (that day, the agent would have | noticed the bump-kill-switch and averted recon) | | He would had always of went to prison, even if they | didn't get his HDD unencrypted. He used his personal | email to promote his Mycology website, had the Obama | administration to contend with, and was the first to sail | westward. | | Free Ross (The Department of Parks and Recreation) | buu700 wrote: | It would be interesting if you could combine the two ideas. | Physically secure the laptop to the table, but also lock / shut | down / wipe the drive in the event that someone cuts through | the wire. | captaincrunch wrote: | What would stop someone from crazy gluing the easy release cable, | shaving the wire back and connecting power to the usb before | removing it? | schleck8 wrote: | > Buy with Monero | | I bet they'd go crazy if someone accused them of this being | designed for illegal activities | Cthulhu_ wrote: | That's... because it isn't? How would a dead man switch be | illegal? | | I mean it may, hypothetically, be used to hide illegal | activities, but if you go that way you go down the slippery | slope and will be advocating for weakening or backdooring | encryption just in case it's used for illegal activites. | schleck8 wrote: | This is a perfect fit for darknet admins, being able to nuke | all digital evidence when arrested has been a thing for ever. | Often it works by closing the laptop. | | It might also be useful for whistleblowers, although I doubt | that there is any advantages over strong file and disk | encryption. | aaronmdjones wrote: | It doesn't seem, to me, to be designed for illegal activities | any more than, say, a car is. People commit crimes with those | every day. | ryanlol wrote: | I've just been using a wristband made out of cheap headphones | plugged into a 3.5mm jack, acpi event triggers the shutdown. | maltfield wrote: | How does that work? Can you use udev to call a script on an | acpi event? Is it cross-platform? | | Would love to see a write-up with more info on how to do this | :) | ryanlol wrote: | acpid is probably the easiest way to accomplish this | https://wiki.archlinux.org/title/acpid | swader999 wrote: | This great, just like the cord on my snowmobile! | maltfield wrote: | We reference treadmills and jetskis in the explainer video to | explain the concept of "Kill Cords" | | * https://youtu.be/S3LtLyuaBvI?t=26 | | I didn't know snowmobiles had this too! I guess it's my bias | since it never snows where I'm from :D | cultofmetatron wrote: | This would have saved the guy running the silk road from jail | goodpoint wrote: | Most likely not. | cultofmetatron wrote: | they organized it so that he was surrounded by agents. they | needed to get access to his laptop while it was open and | running. This might have gotten him just enough time to | disable it before they made their rush. | rakwoelq wrote: | Alternatively you can remove the laptop battery and use it with | just the charging cable attached to power the device. The laptop | will automatically shut off when the power cable is disconnected. | Then PAM Duress [0] can be used for the xkcd538 [1] situation. | | [0] https://news.ycombinator.com/item?id=28267975 | | [1] https://xkcd.com/538 | fluidcruft wrote: | I guess it depends on the threat model, but if the primary | concern is theft couldn't AC adapter disconnect be used for | this? | shultays wrote: | BusKill can trigger your laptop to lock, shutdown, or self- | destruct if it's physically separated from you. | | I understand lock and shutdown but self-destruct? Really? Your | laptop/data is one bump away from destroying itself? | maltfield wrote: | Hi, Michael Altfield here (founder of the BusKill project). | | As described on the crowdsupply page, the cross-platform GUI | app (as opposed to the udev rule for which BusKill was | originally designed) currently only has the "lock screen" | trigger. In the future, we'll add a "shutdown" trigger. | | While we have developed a "LUKS Header Shredder" trigger (what | we call "self-destruct" trigger -- as it renders your FDE | disk's data permanently inaccessible), we will _never_ ship | that directly with the app by default. | | There's definitely a use-case for it, but most people probably | don't want it. For those that do, we're publishing a guide on | how to use the "LUKS Header Shredder" script (tested on Ubuntu | and QubesOS) in 2 weeks. For updates, you can subscribe to the | website's RSS feed, our website's newsletter (buskill.in), or | the crowdsupply.com newsletter. | SamBam wrote: | Presumably the people who opt into the self-destruct option are | more concerned with the possibility that they might need to | self-destruct and not be able to than of possibility of false | alarms. | | If you've already planned for the possibility of self-destruct, | a laptop can be a very transient device. Maybe the only | important thing on the laptop is your bitcoin wallet key, but | you also have a physical copy stashed in a lockbox somewhere. | Maybe you're only using the laptop for its browser, and you've | memorized all the passwords you need to enter. | | Someone snatching the laptop might be doing so to grab the one | keyphrase that you logged in with. The actual device is | unimportant to you, then. | XorNot wrote: | Reminds me of a coworker who had their iPhone set to "wipe | after 10 bad pins". Took about 2 days before their 5 year old | happily typed the wrong pin 10 times and wiped it. | myself248 wrote: | Blackberry required you to enter the word "Blackberry" after | the fifth try, which would at least prevent butt-dialing from | wiping the device. Some kids might figure that out too, but | at that point I suppose you had the choice to use a condom | and decided not to... | Isthatablackgsd wrote: | Here a story. I got BB RIM 850 when I was 15ish years old, | it was my first communication pre-smartphone device. I | stupidly set up to wipe my blackberry if input incorrectly | after a few times, and I did this within minutes of first | time using it. You can imagine what happened in the next 10 | minutes... Yes, I forgot my complicated password and it got | wiped. And that rendered my brand-new RIM 850 useless. So, | I have to wait 10 days to get a new one. | dane-pgp wrote: | There should be an exponentially increasing delay for such a | system, so that the phone would make you wait hours (or days) | before letting you make your 10th guess. That would require | the 5 year old to not get bored of the useless phone, and the | owner to not find the phone (and enter the correct code) for | those days too. | | Also, it would make sense to include a simple proof-of- | intentionality system, like the old Nokia keypad unlock | feature to prevent pocket dials. The phone could prompt you | to type a displayed 4 digit code before typing your actual | PIN attempt, for example. | kayodelycaon wrote: | There is an increasing delay on iPhones. After 6 attempt it | stops accepting input for 5 minutes. It gets longer each | time after that. | dagw wrote: | My old job had wipe after 3 (or maybe it was 5) bad pins | within N minutes as the required security setting for company | phones. The thing I learnt from it is that wiping your phone | actually isn't that big a deal and if you've set it up right | you can pretty quickly be back up and running. | i_like_waiting wrote: | The stress I had on 3rd attempt just to discover it is | actually 5 attempts... Kind of helps being more conscious | about having backup of everything regularly | gfosco wrote: | I'm getting closer and closer to this reality... iphones | are basically there, with icloud backup. Have been trying | to get less attached to any OS installs, and be fast at | building up from a fresh install. Seems hard to even trust | your own desktop after a while. | tata71 wrote: | Is this convenience worth sending unencrypted backups of | your data to Apple? | | Do they allow truly offline backup and restore? | gfosco wrote: | For most people, yeah it's worth it. Afaik, yeah they do | allow fully offline backup/restore, you don't need to use | iCloud for that. | | I switched away to an Android, so this isn't something | I'm taking advantage of personally. | jsjohnst wrote: | > Is this convenience worth sending unencrypted backups | of your data to Apple? | | iCloud Backups are not "unencrypted backups" | | https://support.apple.com/en-us/HT202303 | | I do wish they would bump the backups to "end-to-end | encryption" category though, at least as an option. | MarkusWandel wrote: | There are any number of ways to do this, but one is a LUKS | encrypted file system and "self destruct" is wiping out the | LUKS header and halting. Only the backup of the LUKS header | (not with you at the time!) will restore the data. | maltfield wrote: | This is exactly what we do with the "LUKS Header Shredder" | script in BusKill. First we lock the screen. Then we use the | built-in `luksErase` command to destroy the data in the key | slots, then we overwrite the whole header area. Then hard- | shutdown. | | This script itself was actually an easter-egg in the | explainer video at 50 seconds :P | | * https://youtu.be/S3LtLyuaBvI?t=46 | | We're just finishing a very detailed write-up on the "LUKS | Header Shredder," and we'll be publishing it in ~2 weeks. You | can subscribe to our newsletter on our website (buskill.in) | or crowdsupply.com for updates :) | lmilcin wrote: | Yeah, I have that on my servers in case somebody tries to | hack them. There is a secret to logging to my machines and if | you miss it the machine self destructs in a reversible way. | Can't give more information but it is pretty easy to boot it | again. | | One thing of note here, don't put LUKS header on any kind of | flash (like SSD) or SMR HDD. | quesera wrote: | > self destructs in a reversible way | | Reversibility is not a feature of destruction, lexically- | speaking. A better description might be "locked". | | More importantly in this case: if you are able to reverse | it, you can be compelled to reverse it. This is no | different than having a secret passphrase. | dane-pgp wrote: | > if you are able to reverse it, you can be compelled to | reverse it. | | An interesting way of strengthening such a system is to | split the recovery code between multiple people in | multiple jurisdictions. Convincing them to hand over | their piece of the key could require various levels of | proof-of-free-will, ranging from "Hey, I need those | numbers on that piece of paper I gave you" (asked on a | video call, in a public park) to "I've booked a flight | and I'll meet you at the agreed place next Monday at the | standard time". | | These approaches can be combined with a protocol of "If I | use the duress phrase, then give me a fake key and then | send a message to the other members of the group / the | public / the media that I've been compromised". Of course | this sort of system assumes you are part of a wider | organisation or at least have friends you can trust to | implement all this opsec securely, without adding to your | risk profile, but for some people this will be viable. | zionic wrote: | >One thing of note here, don't put LUKS header on any kind | of flash (like SSD) or SMR HDD. | | Why not? | lmilcin wrote: | SSDs and drive-managed SMR HDDs do not immediately delete | the data. | | If the system is interrupted after data is deleted there | is a good chance you can still get it back. | | On a normal HDD you still have to wipe the data (ie. | physically overwrite it half a dozen times). But this is | not possible to execute reliably on SSD or drive-managed | SMR HDD. | megous wrote: | You can reset the SSD's internal encryption key via | hdparm, too, once you're done "deleting" luks header. It | takes somewhat longer time, but if the SSD firmware is | not completely stupid, it will be the equivalent of | deleting the LUKS header and running TRIM on the whole | device afterwards. | Anunayj wrote: | I'm guessing it is because it's harder to securely wipe | SSD/flash drives [0]. Anyway I'm no expert on these | topics. | | [0]: https://wiki.archlinux.org/title/Securely_wipe_disk# | Flash_me... | scblock wrote: | I hate everything about this website. It uses all the tropes of a | bad kickstarter campaign, and to sell you this item it preys on | fear and misunderstanding. I absolutely do not trust that this | company has my best interest at heart. It's so bad I wouldn't go | near this product for any money. | quickthrower2 wrote: | Really? It seems like "here is what it does" kind if website to | me | maltfield wrote: | Hi. I made the website. What exactly don't you trust? | Everything is open-source, including the designs to build a | BusKill cable yourself. | | * https://docs.buskill.in/buskill- | app/en/stable/hardware_dev/i... | | The website also runs fine over Tor with javascript disabled. | And I spent a lot of time modifying the theme to remove as much | third party content (eg google fonts) as I could. | | We don't expect blind trust, but we do try to be totally | transparent to earn it. | comeonseriously wrote: | Windows: Sorry, Dave, we can't shut your system down right now, | you have 3 apps keeping it from shutting down and we have 37 | updates to Edge Browser to install... Have a nice day. | matheusmoreira wrote: | Why would anyone serious about this be running Windows in the | first place? A live Linux operating system is so much better. | Tails is designed for this. | chipsa wrote: | Send a signal to a driver to bluescreen the box? | dotancohen wrote: | That's what the -9 flag is for. | BrazzVuvuzela wrote: | "A stop job is running." | maltfield wrote: | Currently the BusKill app just locks the screen when the cable | disconnects. I've never had Windows block the screen lock with | such an error. | | The way we implemented the self-destruct (currently only | available in Linux), it locks the screen before attempting to | wipe the LUKS Header. I imagine we'll do something similar in | Windows, so the worst-case would be the soft shutdown hangs but | at-least the screen is locked immediately. | | Hopefully we can force an immediate, uninterruptible, hard- | shutdown in Windows, too. | Terry_Roll wrote: | https://docs.microsoft.com/en-us/windows/win32/api/winuser/n... | | EWX_FORCEIFHUNG 0x00000010 | | Forces processes to terminate if they do not respond to the | WM_QUERYENDSESSION or WM_ENDSESSION message within the timeout | interval. For more information, see the Remarks. | | If the EWX_FORCEIFHUNG value is specified, the system forces | hung applications to close and does not display the dialog box. | jeroenhd wrote: | If forced shutdown is a priority, causing a bugcheck would | probably be your best bet. This could be part of the USB | driver for the device, or you could write a piece of software | running as admin to trigger a fail state (like killing | wininit or any other critical part of Windows). | | You'd have to watch out that you don't let the system store a | memory dump, of course, that'd be the exact opposite of what | you want. | marcodiego wrote: | This could have saved the creator of silk route. Not that I | sympathize with crime, but he was unfairly accused of crimes he | didn't committed like paying hitmen to kill enemies. Also, the | way to operation was setup to get his laptop forcefully from him | was, at the least, disrespectful. If FBI was so sure he committed | any crime, they could have legally got a search warrant. | rckt wrote: | The idea is interesting, but the current form factor seems to be | cumbersome. The cord can be easily disconnected by mistake. | | It would be nice to have a BT dongle that could react to the | distance to the owner and to being unplugged. | lalopalota wrote: | Until something interferes with the bluetooth signal. | sf_rob wrote: | It would be nice if it were a USB-C power brick + magsafe like | attachment. That could also be a lot more discrete by shifting | the hardware to the brick itself. Granted that limits you to | fewer laptops. | paulcole wrote: | Literally an FAQ on the homepage. | | > But bluetooth... | | > Using a radio-based Dead Man Switch introduces complexity, | delays, and an increased vector of attack. BusKill is a simple | hardware kill cord and is therefore more secure than any | wireless solution. | maltfield wrote: | If all you want is a BT dongle, then there's tons of | "solutions" on the market for this. See our "comparison" table | on CrowdSupply for some options: | | * https://www.crowdsupply.com/alt-shift/buskill | | When I designed BusKill, I intentionally avoided wireless | solutions. | | BusKill is designed for situations where the risk is extremely | high, and you'll find that the radio-based solutions aren't | very secure. They're faulty and have huge surface areas of | attack. | meerita wrote: | _unplugs the usb_ | | -Shutdown has been stop, would you like to keep those Chrome | Tabs? | WesolyKubeczek wrote: | Say I'm an investigative journalist, gathering information about | some bad guy embezzling all politicians that matter in a small | country and doing all kinds of criminal stuff, including murders. | | I'm careful. I'm using a laptop that has this kill switch. I only | keep my work on this laptop, it's so sensitive. | | The bad guy gets a whiff I'm digging around him. He sends armed | thugs to my lair. They enter, so I pop the kill switch. "Where is | the data?!", they ask me. "I don't know what you're talking | about!" They beat me down, then one thug says to the other: "Hey | comrade, look, maybe it's all on this laptop?" -- "Let's see". | The laptop doesn't boot. They turn to me: "Funny how this laptop | of yours doesn't even boot, why would you have a non-working | toy?" I play dumb, they train their guns on my head. "Okay, | okay," I say, "the data on this laptop has self-destructed, | you're not getting it, no one is getting it!" -- "Really?" -- | "Really!" -- "It's good, motherfucker," says the thug and double- | taps me in the head. | The-Bus wrote: | XKCD #538 ("Security") explains this succinctly. | | https://xkcd.com/538/ | goodpoint wrote: | XKCD makes the same mistake as the parent of confusing a | legal threat with a threat of bodily harm. | matheusmoreira wrote: | If they send assassins to your home because you know too much, | OPSEC no longer matters. You're as good as dead if you don't | immediately escalate to deadly force. Instead of destroying | data, the computer should be uploading and publishing as much | of it as possible so that whatever you're doing can't be | stopped no matter what happens to you. | aydwi wrote: | You joke but this might have happened already | WesolyKubeczek wrote: | This _has_ happened, it was just that no technical gizmo | would have saved the guy. I cannot imagine how. | | In case of a corrupt government, if they wanted to lock you | up, they wouldn't strictly need any evidence at all. Having a | gizmo that can potentially destroy evidence is a bonus. | Otherwise, they will throw you behind the bars for 18 years | for jaywalking. If you had a controversial businessman and | his thugs after you, destroying the evidence only means they | wouldn't have to destroy it themselves after having killed | you. | | In any case, if you're working on sensitive stuff and you | want to pretend you're writing some innocent poetry, I don't | think any kind of jamesbondian device would help you look | inconspicuous. | dane-pgp wrote: | > if you're working on sensitive stuff and you want to | pretend you're writing some innocent poetry | | For plausible deniability, you need a second account on the | machine that has all your poetry in. Then, when the thugs | (or border guards) tell you to log into your laptop, you | use the other username and password and say "Feel free to | read all this poetry. I'm particularly proud of the one | called 'My government isn't corrupt at all'." | | Also, in this scenario, you should probably store your raw | information (with the names of innocents redacted) in a | public cloud somewhere outside your jurisdiction, | encrypted, and have a time-based dead man's switch (hosted | somewhere else) which sends an email to your colleagues | containing the URL and decryption key. | new_stranger wrote: | You're confusing attacks. What you describe is very useful when | there is not threat to your being. You just want the data gone. | | However, if you are under physical threat then this is still | useful because 1) you can protect witnesses and others and 2) | you can make forwarding this information to remote sources part | of the self-destruct. | | That is, "Sorry, I no longer have the data - the laptop self- | destructed. The data and my name and location have been posted | to reddit publicly or sent to a list of contacts in six | countries" | | The point is, they want 1) you to stop and 2) to recover the | data. You can bargain for your life by setting up the actions | taken should this be activated. | maltfield wrote: | In such a scenario, you're right that if the attacker will use | physical violence against you, of course the device wouldn't | save you from bodily harm. | | But what about your sources? In this situation (if you actually | can't remember the anonymous email address of your source), | it's not your life that's being saved -- it's the identity and | the life of the whistleblower. | WesolyKubeczek wrote: | I'm pretty sure there are rules of informational hygiene for | cases like this, and they mostly grate on instincts of any | geek obsessed with having all the data neatly organized, | cross-referenced, and persisted. | | You can add any number of security layers, but you should | always presume someone might get their hands onto whatever | you're working on at the moment in cleartext and you want any | damage to be minimal. | throwawayffffas wrote: | I remember seeing something likes this as a do it yourself a | while back on hacker news. | maltfield wrote: | Yes! That was just under 2 years ago. It's the same project. | | DIY is great. The problem is that after I published that | article, everyone on Hacker News went and bought-out all the | USB-A magnetic breakways on Amazon. And they literally never | re-stocked (I found out later it was EOL from the manufacture). | | The reason I launched this crowdfunding campaign was to put | these USB-A magnetic breakaway cables back on the market so | people could build their own again (and to sell the whole kit, | to lower the barrier of entry to non-techie journalists). | | * https://buskill.in/buy | tbabej wrote: | For the Yubikey owners out there, a while back I wrote a blog | post on how to achieve a similar setup using a Yubikey [1]. All | it requires is a lanyard to attach the yubikey to. | | [1]: https://tbabej.com/Yubikey-secure-session-setup/ | captaincrunch wrote: | Anyone needing a Yubikey would be very lucky to see them just | hanging out of a computer, would just a bonus for the evil | actor to also ruin your day and pull it out. | dane-pgp wrote: | Or you could attach the Yubikey to your belt (with a clip) | and connect it to the laptop with a USB cable. Then all they | could steal is a useless laptop and a cheap cable. | tbabej wrote: | The way I've implemented this is that the yubikey is on an | extensible lanyard which is almost always around my neck. So | while an evil actor could definitely unplug it to ruin my | day, stealing it would be a tad bit more difficult :) | | In any case, the primary idea here was not to prevent | stealing the laptop, but to prevent walking away from the | laptop without locking it. | 2Gkashmiri wrote: | would have immensely helped dread pirate roberts | acoard wrote: | Dread Pirate Roberts did have a kill switch. The FBI agents | distracted him by having two pretend to be a couple fighting. | He turned his head to watch. Then the other FBI agent beside | him swiped his laptop. Theoretically he could have hit the kill | switch before turning to gawk at a lovers quarrel, but I mean, | not many have the opsec or personal discipline to do that. | amelius wrote: | Why not use an accelerometer IC? Then you don't need the cord. | | Another idea is to use voice recognition. | datameta wrote: | I like the accelerometer idea. Hardware would be more | dependable than a sequence of events that requires being able | to speak and the mic to be working. | chinathrow wrote: | That's not helping if the person is yanked from the laptop | instead of the other way round. | mmaunder wrote: | Might have protected Ross Ulbricht, but he's an edge case. Anyone | had their laptop yanked away while using it? | k1rcher wrote: | This was my immediate thought as well. Oh Ross, if only you | closed that damn laptop lid (and didn't incriminate yourself | blatantly on stack overflow) | 323 wrote: | Actually we know it wouldn't. | | The agents arresting him did in such a way that they prevented | him from touching his laptop (by creating a diversion), because | they were feared that such a protection might exist. | SamBam wrote: | > The agents arresting him did in such a way that they | prevented him from touching his laptop (by creating a | diversion), because they were feared that such a protection | might exist. | | But that's literally the scenario this physical-separation | killswitch was designed for. | | He wouldn't have had to touch his laptop to trigger this. | Quite the opposite. | 323 wrote: | You must be talking about a different device, because the | one shown on this site only triggers if you carelessly move | the laptop. | | It has no remote part, it doesn't matter how far the user | is. | | If you're thinking about attaching the trigger to your hand | with a lanyard, the agents could easily hold your hand in | place, cut the lanyard, ... | | I don't understand why people always assume the FBI is | brain-dead and could not use countermeasures against | devices such as this if they become wide spread. | SamBam wrote: | You must have missed part of the description where they | said the kill switch should be attached to the user's | body. | | If the user is attached to the switch and moves more than | 50 cm or so from their laptop, the switch is triggered. | FearlessNebula wrote: | What if he clipped it to his belt? | zionic wrote: | If done properly the agents grabbing his laptop/snatching it | away from him would have severed the power connection to the | battery-remove laptop locking it permanently. | Hamuko wrote: | > _If done properly_ | | The man was running a multi-million dollar drug marketplace | in a public library. | FearlessNebula wrote: | What was the logic behind that? So he couldn't be traced | back to his house? | 323 wrote: | There was no logic. | | A public library is even worse for that purpose, because | of security cameras and witnesses. | snypher wrote: | I thought standard practice was to run no battery, AC adapter | only mode. | Jerrrry wrote: | They will hit the outlet and bring the AC with them, without | bumping voltage. | DarylZero wrote: | What kind of equipment does one use to do this? | chipsa wrote: | It's a specialized tool, but basically the plug get | pulled out slightly (which isn't enough to disconnect | power in the US), and then the tool goes over the line | and neutral pins, which supplies power from what is | basically an UPS. After that, the entire plug can be | pulled and capped (because you've got 120V across the | exposed end of a plug now). | | Probably wouldn't work the same in Euro countries which | have other plug types. | toomanybeersies wrote: | Even easier: just pull the wall plate out, then hook up | the UPS behind it with couple of tap splices. | Jerrrry wrote: | I'm sure a power-supply-person with more knowledge can | expand, but essentially a USP brick with cabling. | | They will bridge the outlet, and take the outlet, AC | adapter, and everything connected, without the AC adapter | even reading a voltage drop. | LinuxBender wrote: | There are mentions in this thread about false positives, risk of | data loss, others. This made me think of Star Trek's use of a | self destruct phrase. Obviously their method is too slow, but you | could have a "duress" phrase and a "all clear" phrase. | | User-Defined Phrase: "Please dont kill me", activates "duress" | mode. | | - A daemon listens in the background for a phrase of your choice. | When detected, your laptop makes a sound effect that is not out | of the ordinary for others to hear, but not something you would | expect it to play when self destruct is activated. Git repos are | committed/pushed with a duress demarcation code to an alternate | branch. Your encrypted volumes are dismounted, buffers and caches | cleared, camera and microphone start sending small chunks of | audio/video to a destination of your choosing. Instructions for | playback from your cloud of choice are emailed to emergency | contacts. If you do not give the "all clear" in a user- | configurable time period, the laptop does user-defined things | like wiping encrypted volumes after giving an optional warning | sound, optionally sending eeprom codes to brick the BIOS or | replace the BIOS with a tracker and setting the screen to say | "Stolen From User-Defined String, User-Defined Phone Number" | after giving an optional warning sound. All of these actions | could be optionally spaced apart based on risk, probably defined | in a key-pair text file or json file. | | User-Defined Phrase: "Computer, disable self destruct" disables | "duress" mode. | | - Giving the all clear code disables this behavior and your | _ship_ does not self destruct. The system plays a sound to | acknowledge "all clear". Emergency contacts are emailed the all- | clear, but audio/video continue to upload for user-defined time | in the event your were forced to give the phrase. | | Perhaps newer cars could also have this feature? Are there any | existing open source projects that could be adapted/bent to | accomplish these things? | V__ wrote: | I always thought that a lock screen with two passwords would be | an interesting idea. Say the BusKill locks your system and | sends a request to a server. If you don't enter the correct | password to abort the script within a few seconds, it will run | on your server, which sends a distress mail/call to emergency | contacts, revoke all ssh keys/passwords etc. | | If however the distress password gets entered, the script still | runs, but the system unlocks into a virtual pc or another | account which is not suspicious. | hef19898 wrote: | Disclaimer: I know next to nothing about OS'es and login and | so on. | | I had an idea once, would it be possible to set up two sets | of passwords? One to properly unlock your device, and one to | trigger either encryption or scrambling of the data when | entered? | maltfield wrote: | Lookup "duress passwords" | | * https://en.wikipedia.org/wiki/Duress_code | | The feature is more relevant in (full disk) encryption | software than OSes. | MayeulC wrote: | Of course, this is a kill switch, but that's usually | detectable if the attacker is sophisticated enough. Plus, | they can always backup the disk before. | | Plausible deniability lets you pretend you do not have | incriminating data, but it's tricky to use in the first | place: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/Fre | quentlyA... | | Travelling with an empty disk seems like a more appropriate | option. Dm-verity could probably be used to check that | there has been no tampering. | ryanlol wrote: | Of course, but this won't be easy with commodity hardware. | Standard practice is to use write-blockers to prevent this | kind of tricks, but of course you can prevent write- | blockers by integrating your storage. | | I think you could get a pixel phone to do this in a useful | way. | nefitty wrote: | In software, where there's a will, there's a way. | | Darknet Diaries has a cool episode about the dark cellphone | industry: https://darknetdiaries.com/episode/105/ | gambiting wrote: | Truecrypt had this exact function - one password would | decrypt your drive sort of on one end, and start the OS | there, another password would decrypt the drive on the other | end, and start the OS installed there - so you always had | perfectly plausible deniability, since the drive taken as a | whole looked like a completely normal encrypted drive(in fact | you could accidentally destroy the hidden partition by | overwriting "empty" area while booted into the non-secret | OS). Always thought that was super cool. | Linosaurus wrote: | > perfectly plausible deniability | | The paranoid dystopian counterpart is that you cannot prove | you _don 't_ have a second partition either. Might get | awkward if someone decided to compel the second password on | less solid evidence. If you're not actually using the | feature. | arpa wrote: | this is why you should actually have "signs of life" and | something _slightly_ illegal on your plausible | deniability partition. Just enough dirt to get you into | trouble, but not too much trouble. If you're squeeky | clean, you get the rubber hose cryptography treatment. | Someone wrote: | If you want those signs of life to be convincing, it | should include all kinds of history without long gaps, | such as: | | - email, including recently received and sent emails | | - web browser history | | - system logs | | - software updates | | In practice, I think it's impossible to do that. If the | police discovers, for example, that your system logs show | your machine was off for a week, but they also just saw | you reset it, what do you tell them? | kortilla wrote: | The only problem is this is sort of obvious from a | forensics perspective. Person is using truecrypt, they boot | it up for you, and the partition is only half the size it | should be. | gambiting wrote: | No, like the other reply pointed out too - it's not | obvious. The first password unlocks the entire partition, | the hidden one is just within the "empty" area of the | drive. If you write a sufficiently large file while | running the OS you could just overwrite and destroy the | hidden partition without knowing that you did so. It's | also impossible to tell that the hidden parition is there | because encrypted data is indistinguishable from | encrypted empty area of the drive. | ASalazarMX wrote: | Since Truecrypt bailed without explanation, do you know | if Veracrypt also has this feature? | somehnguy wrote: | It does. Veracrypt is basically Truecrypt with some new | features as far as I've been able to tell. | JadeNB wrote: | Your parent seems to point out that's not how it works: | you've got access to the ful partition either way, | meaning you can accidentally overwrite the other | partition. | alias_neo wrote: | If I remember right, the hidden partitions are | indistinguishable from random data on your disk and it | was necessary to provide an offset to the first block (or | whatever) so it could be decrypted. You could easily | overwrite it accidentally because it just looks like free | space. | eloisius wrote: | Have I got a PAM module for you: | https://github.com/nuvious/pam-duress | lmilcin wrote: | The problem is, if they are serious and suspect you might | be prepared and technical savvy, they will never allow you | to operate the device. | eloisius wrote: | Yep. Pretty much all nerd solutions to physical or legal | threats are genius but also worse than useless. Here's a | $5 hammer, hit him with it until he gives us what we're | looking for, so goes the comic I saw once. | matheusmoreira wrote: | This _is_ effective against legal threats. I remember at | least one case in my country where one person was saved | by truecrypt. They even asked the FBI for help on | decrypting it. | | Hopefully civilization is not so far gone that police | will imprison, torture or kill for failing to incriminate | themselves. If it gets to the point cold-blooded torture | is on the table, you'll probably get killed anyway. | jamessb wrote: | > Here's a $5 hammer, hit him with it until he gives us | what we're looking for, so goes the comic I saw once. | | You are probably thinking of the $5 wrench in | https://xkcd.com/538/ | kortilla wrote: | That's why it needs to be destructive. You can't beat | access to something out of someone if it has been | deleted. | nkrisc wrote: | While true, they may beat you anyway just to be sure. | ASalazarMX wrote: | Big opportunity to implement a kill-switch if the | microphone recognizes your screams! | djweis wrote: | That's referred to as rubber hose cryptography. | dane-pgp wrote: | That's also why Assange (and others) developed the | Rubberhose file system[0]. | | It's based on the game theoretic idea that if your | adversary has no way of knowing how many hidden | partitions you have, then you have no way of proving to | them that you've given them all your secrets. | | As such, there is no benefit to you revealing _any_ | secrets under torture, because the torture would continue | even after you 've told them everything, therefore there | is no point to them torturing you in the first place. | | [0] https://en.wikipedia.org/wiki/Rubberhose_%28file_syst | em%29 | multjoy wrote: | A state liable to torture you may simply kill you | instead. Or torture you and kill you, even if it serves | no particular purpose. | | If you're in the business of protecting your secrets | against torture then you need to also be protecting them | against death because that is grimly inevitable. | orthecreedence wrote: | "I don't think they wanted me to say anything. It was | just their way of having a bit of fun, the swines." | ASalazarMX wrote: | "JOB OPPORTUNITY: Assassins and mercenaries required. | Must be proficient in game theory". | | In reality they will torture you until you stop | decrypting partitions, and then a bit more of special | torture, just in case. | dane-pgp wrote: | If they don't understand game theory, that just means | they will act sub-optimally. In any case, the correct | strategy for the user is still to not decrypt any | partitions, since, as you say, the sooner the user stops | decrypting, the sooner the torturers give up. | 867-5309 wrote: | how would you account for :poker face: "please don't kill me" | vs :in a stranglehold, bleeding internally from multiple stab | wounds: "PLAYS DON--" | maltfield wrote: | BusKill does not ship with destructive triggers. The current | app is limited to locking your screen. Future releases will | include soft/hard shutdown. | | We do have a "LUKS Header Shredder" trigger (which we call | self-destruct as it renders all the data on the FDE disk | useless), but we (intentionally) don't include it by default | and raise the barrier of entry because of the risk of data | loss. | | We'll be publishing a more detailed write-up on the LUKS Header | Shredder in 2 weeks. You can subscribe for updates on our | website (buskill.in) or the campaign directly (crowdsupply.com) | matheusmoreira wrote: | Does it support destroying keys in hardware tokens? Would be | nice if plugging my yubikey into a specific USB port | automatically destroyed all keys inside it. | justinjlynn wrote: | You really want such devices - i.e. Devices with duress | modes - to act normally, as much as possible when in those | modes. If they clearly destroy themselves immediately you | often place yourself in much greater danger. If anything | log them into a sandbox or honeypot that is, as much as | possible, indistinguishable from your normal environment | but is less damaging for you for them to access. | chrischen wrote: | Must have if you work in public places in SF. I can barely count | how many times I've personally or had a friend who's either had | their laptop stolen in a coffee shop or attempted. In recent | years thieves even got more brazen and just try to snatch it from | you while your hands are still on the keyboard which is perfect | for this device. You'll want to enable full disk encryption for | full security. | stevespang wrote: | Yeah, any kid can then boot it from that same USB port with | another USB with OS on it, then format it and sell it. | throwaway12232 wrote: | This is shockingly expensive and comically impractical to use. | Ensorceled wrote: | $89 doesn't seem that expensive. | | It's just as impractical as money belts, key chain alarms, | Tiles(tm) | | I mean, too impractical for me, but there is definitely a | market for it. | tiahura wrote: | How is Tile impractical? | pjerem wrote: | Well, that's something you could easily do with only software | and any USB device : | | while { if(!monitored_device.plugged) { setComputerOnFire() } | } | | It must exist somewhere. And for the magnetic gimmick, any | magnetic usb (which, btw, are actually pretty useful) cable | from amazon would do the trick. | pph wrote: | That is pretty much what Tails is doing: If you disconnect | the USB drive with the system, it will wipe the RAM and | then shut down. However the data on the USB drive isn't | modified, so if you don't trust its encryption you should | prepare for quick physical destruction and/or disposal. | maltfield wrote: | Hi pjerem, Michael Altfield here (founder of the BusKill | project). | | The problem is that there are no USB-A magnetic breakaways | available on Amazon. If there were, then I wouldn't have | launched this campaign! | | * https://buskill.in/buy | | Actually, Amazon did have USB-A magnetic breakaway | components before, but they went EOL and sold-out when I | first published my DIY article on how to build-your-own- | BusKill-cable last year. | | * https://tech.michaelaltfield.net/2020/01/02/buskill- | laptop-k... | | The reason I started making my own was a response to all | the folks that asked me how they could get a USB-A BusKill | cable since they sold-out (and they also were never | available in Europe -- now they are!). | 1_player wrote: | Indeed. If what I'm doing is so sensitive I need a dead-man | switch (i.e. the consequences of getting caught are very | high), $89 to improve my opsec is definitely worth the money. | Ensorceled wrote: | Or your threat model is high, think journalists with | protected sources. | _flux wrote: | I can grant expensive (though I don't know for how cheap I | could make such a sellable project with free worldwide | shipping, while also making profit), but what is comically | impractical about this? It's not like the default functionality | is to nuke the device from the orbit on disconnect. | | You could make one for yourself cheaper, though, if you have | the know-how. | | Though a basic face detection-based screen lock could be quite | more useful and cheaper, at the cost of increased battery | consumption. | throwaway12232 wrote: | Only the cable by itself cost $59.00. | | It's the same USB magnetic cable that you can buy in many | shops for $2. | | > but what is comically impractical about this? | | That you have to carry such contraption around and find a | place to tie it to. | | If you have to spend more than $30 for a custom device you | can detect if a laptop is being moved away from a table in | many better ways. | fluidcruft wrote: | Oh, so you could hopefully substitute a suitable USB C | cable? (Assuming they exist) | excalibur wrote: | > > but what is comically impractical about this? | | > That you have to carry such contraption around and find a | place to tie it to. | | If you're the type of person who uses a laptop lock, I | could see something like this being a welcome enhancement. | But in that case it would be most practical if it were | built into the lock itself. | _flux wrote: | Personally I have only found cables with relatively weak | magnetic power. Where does one find these strong ones, in | particular for prices like you mention? It doesn't seem to | be a well-advertised property, so it's difficult to tell if | they are actually strong ot not :/. | | The $59 price still includes worldwide shipping. | | > That you have to carry such contraption around and find a | place to tie it to. | | I mean you are already carrying a laptop, and probably a | charger with cables, so carrying a magnetic cable doesn't | seem a big stretch. You would put it to the same bag with | your other laptop-related accesories. | | It is also quite popular to wear pants with belt loops, | which would seem suitable for tying this one. Granted | dresses and skirts have these less commonly; even then | perhaps one could use a belt. For sportswear I don't have a | good suggestion. | | I notice you refer to these "better ways" yet you don't | enumerate any. At least I wouldn't consider accelerometer | and radio-based solutions proper alternatives to this | (unless using proper latency-based distance measurement, I | wonder if this truly can be implemented for less than $30). | The camera solution I proposed might be realistic one, but | it eats battery. | dotancohen wrote: | Interesting. The site implicitly references the arrest of the | Silk Road founder, using the alternative acronym "Department of | Parks and Recreation". He was arrested by having his laptop | literally yanked from under his fingertips in a public library. | Ensorceled wrote: | Having a USB kill switch in this case could (would?) have | escalated the arrest method to something more violent. | amoshi wrote: | Yep, I think so too, it wouldn't have protected him. Whoever | was in charge of the operation would've noticed and | identified this killswitch, and prepared appropriately. The | suspect would be incapacitated as a matter of priority to | prevent him from activating it. | stickfigure wrote: | Honestly, that sounds a little too "CSI". If the lanyard is | attached to a wrist, the chance that someone could be | suddenly incapacitated in such a way to avoid a jerky | movement that breaks the connection is pretty small. "Knock | them unconscious" is a TV trope. | geoduck14 wrote: | What about "pin his hands to the table" while the nerds | exfiltrate the data? | dane-pgp wrote: | Maybe there needs to be an accompanying/alternative | device which can be worn in a shoe and detects toe | movements. It would probably have to be wireless, which | would introduce false positives or false negatives, (and | part of it may need to be attached to the user's ankle, | due to size constraints), but it would at least defend | against an attacker who could physically restrain the | user. | mellavora wrote: | OMG, did you just invent Agent Smart's Shoe Phone? | https://en.wikipedia.org/wiki/Shoe_phone | reincarnate0x14 wrote: | I can definitely see policy to tase or otherwise subdue with | less than lethal means being OK'ed by authorities and | judiciaries. In principle you'd hope this was rigorously | established beforehand on per case basis but that | historically has not been held to standard long if they end | up doing it with any frequency. | | This is getting into the security question of what your | threat model is. If you're seriously expecting a nation-state | intelligence agency to be after your laptop, I'd really, | really recommend not having anything on your laptop because | unless you've got your own security team they're going to | find some way to get it and will observe you to see if you're | using something like a killswitch first. | marvin wrote: | How would a more violent arrest have solved anything? | danbruc wrote: | Instead of moving the laptop you move the user. Unless the | kill switch is connected to the user or you remove the user | too slowly and allow them to manually trigger the kill | switch, you may gain access to the laptop. | Ensorceled wrote: | The kill switch is useless if the accused is incapacitated | before they could trigger it. | | No knock raids, which are inherently violent, to "preserve | evidence" and reduce the risk to LEO happen about 20000 | times a year in the US. | [deleted] | matheusmoreira wrote: | > No knock raids, which are inherently violent | | > reduce the risk to LEO | | I remember reading news about an american who killed an | officer who entered without knocking. He was not | convicted, it was ruled self-defense. | Ensorceled wrote: | 20,000 no knock raids and, I think, two cases of officers | being killed. | dotancohen wrote: | Why? Was he a violent criminal? | Ensorceled wrote: | What does "violent criminal" have to do with it? The US | (and other jurisdictions ) use extreme, violent arrest | methods like no knock raids for all sorts of non violent | offences. | jokethrowaway wrote: | It's probably better to be beat up or tortured by a state | actor than to rot in prison for the rest of your life if they | get hands on proof of your culpability. | | Besides the USA is not Al Qaida, there is a chance they would | respect the Geneva convention: | https://ccrjustice.org/home/get-involved/tools- | resources/fac... | Ensorceled wrote: | What I'm saying is that they wouldn't get a chance to use | the kill switch because they would have focused on | "containing" the suspect before they could activate it. | datameta wrote: | In theory, I agree. But it is somewhat akin to saying - | why use strong encryption since a three letter agency can | just brute force your device. If you're in that deep, | maybe it won't help. But for the average reporter in a | hostile zone, keeping the local police from snooping on | their machine would be preferential. | Ensorceled wrote: | We actually agree completely. This thing may be useful, | and certainly something to think about if you live or | travel to places where electronic devices are often | snatched and, like you said, prevents casual snooping | since the local police WILL have to escalate to violence. | | I just don't think it's going to prevent a Silk Road | incident and could make it worse for the suspect. | SamBam wrote: | I disagree. I this this sounds a little too much like a | TV show like 24. | | The idea that you could completely immobilize someone at | a public library so rapidly and without their awareness | that they could not even move their arm 20 cm or so | during a struggle seems ludicrous to me. Particularly as | the kind of person who would buy this device would be | setting themselves up with their back to the wall to | prevent captures from behind. | | I am fairly strong and have wrestled and grappled for | over a decade, and I would not put my faith in an | operation that required me (even with another agent) to | completely immobilize even a weak person enough that I | could guarantee they could not trigger this. | | This takes a flick of a finger to trigger, or moving your | arm a small distance away from the laptop. | tata71 wrote: | > The idea that you could completely immobilize someone | at a public library so rapidly and without their | awareness that they could not even move their arm 20 cm | or so during a struggle seems ludicrous to me. | | Well, they did -- and without even touching him. | dane-pgp wrote: | They didn't "completely immobilize" him, though, as | apparently "Ulbricht stood up sharply"[0] after his | laptop was seized. However, he did make the mistake of | not sitting with his back to a wall, since the agents | "walked up behind" him. I guess we'll never know how he | would have reacted if they had instead walked up in front | of him and tried to grab his arms. | | [0] https://www.businessinsider.com/ross-ulbricht-will- | be-senten... | Ensorceled wrote: | I think you have way too much faith in the reasonableness | of law enforcement. There are 20K no-knock raids in the | US every year, a significant percentage at the wrong | address or clearly innocent people. | heavenlyblue wrote: | Why not have a bluetooth/wifi/customised proximity device | constantly connected to your laptop (and resides in your | wallet/shoes/private parts) and if you suddenly are too far away | from your laptop while it's unlocked it gets purged? | maltfield wrote: | If all you want is a bluetooth/wifi solution, then there's tons | of "solutions" on the market for this. See our "comparison" | table on CrowdSupply for some options: | | * https://www.crowdsupply.com/alt-shift/buskill | | When I designed BusKill, I intentionally avoided wireless | solutions. | | BusKill is designed for situations where the risk is extremely | high, and you'll find that the radio-based solutions aren't | very secure. They're faulty and have huge surface areas of | attack. | rightisleft wrote: | My 2010 MacBook pro acquired this feature about 3 years ago... | intrasight wrote: | https://news.ycombinator.com/item?id=21935359 | | I vaguely remember there being special hard drives with an "acid | release" tab for rapid physical destruction. The military being a | prime consumer. For laptops, I'm thinking a Thermite kill switch | would be effective. | amiga-workbench wrote: | I've seen thermite tested, its absolutely not enough to damage | disk players. | e0a74c wrote: | Some interesting experiments in this department: | https://www.youtube.com/watch?v=-bpX8YvNg6Y | mnsc wrote: | Am I the only one to think that if someone is close enough to | physically yank your computer out of your hands they are also | physically close enough to beat you with a wrench if you lock the | computer containing what they are after? | | https://xkcd.com/538/ | voidmain0001 wrote: | Same. A person I know was buying physical gold about 8 years | ago in preparation for a mega economic collapse which leaves | gold as king. However he himself said that he will lose in the | end because someone with a gun will come and take what he's | got. | jamil7 wrote: | This xkcd is exactly what came to mind when reading the "Who | benefits from BusKill" section. | karmanyaahm wrote: | Probably most of the time but maybe not when the adversery | wants to be covert. | Melkman wrote: | That's what the self destruct is for. If you are yanked from | your laptop or vice versa the laptop will crypto shred its disk | and wipe RAM. Your attackers can hit you till you die but you | will not be able to reverse it. ___________________________________________________________________ (page generated 2021-12-15 23:00 UTC)