[HN Gopher] Adding a "duress" password with PAM Duress (2021) ___________________________________________________________________ Adding a "duress" password with PAM Duress (2021) Author : marcodiego Score : 172 points Date : 2022-03-06 17:02 UTC (5 hours ago) (HTM) web link (lwn.net) (TXT) w3m dump (lwn.net) | lillesvin wrote: | This kind of reminds me of the Travel Mode of 1Password: | https://support.1password.com/travel-mode/ and I imagine it'd be | most useful in similar situations. | | Obviously the usefulness of measures like this is likely pretty | low if your dealing with tech-savvy adversaries, but if some | random border guard or police officer forces you to log into your | computer and -- I don't know, I'm not very well-versed in these | scenarios -- show your Facebook messages or your password vault, | you could use your duress password to clear cookies and other | stuff to show that you don't have a Facebook account or a | password manager ... or whatever, you get the general idea. | | Or you could use it to not change anything but simply log in and | additionally alert your work place that you're under duress and | they can cut off your access to critical systems. Provided that | you have some sort of internet access of course... | nunez wrote: | Something like this would be great for online voting. If a voter | is under duress (i.e. being watched while they vote, etc), they | can enter a specific ballot unique to them that discards the | ballot and allows them to re-vote in a safer environment. | HideousKojima wrote: | Or just completely get rid of anything internet connected or | electronic for voting and go back to pen and paper. Any claims | that online voting can be secure should be kept far away an | buried as though they were radioactive waste. | teddyh wrote: | "Wear gloves." | | -- https://xkcd.com/2030/ | | Longer explanation: | https://www.youtube.com/watch?v=w3_0x6oaDmI and | https://www.youtube.com/watch?v=LkH2r-sNjQs | farhaven wrote: | I have a feeling that "Is pam_duress.so configured in any file in | /etc/pam.d, and if so turn on a big red light" is a pretty | trivial thing to add to those "plug the person's computer in here | and have them log in to their machine to decrypt everything, | otherwise they won't go through customs/leave our dingy bunker" | solutions. | | These duress passwords seem to be for kind of contrived | scenarios, to me. Either your threat model is "someone breaks | into my hotel room and steals my laptop", in which case it's | useless, or "The $OpposingSideSecretService got me and hits me | until I give them my password" in which case it seems to be | equally useless. | vorpalhex wrote: | There are a lot more threat models than the ones you list. | | 1. A journalist who has a legal right to protect their sources | from discovery | | 2. A check on your encrypted electronic device at the border | | 3. A snooping housemate or someone else logs into your machine | | That was in <30 seconds of thought on this problem. | nyolfen wrote: | > You could even spawn a process to remove the pam_duress | module so the threat actor won't be able to see if the duress | module was available. | ptd wrote: | I think this falls squarely into daydreaming about how to | stop a home invasion territory. | nyolfen wrote: | that's pretty fun too | [deleted] | Brian_K_White wrote: | I think I first encountered the idea of essentially using | passwords as commands for a variety of custom actions in a Larry | Niven book from the 60s? Earlier? | | It must be as old as passwords, meaning as old as language, | relatively straightforward to implement in any kind of software, | yet I've never seen it actually implemented in all this time. | Closest has been the single triggered action to wipe everything | after n failures. | c0balt wrote: | Huh, my phone used to have miui, an andrdoid skin by xiaomi, | installed from the factory. It featured the ability for a | second user profile that could be either entered through the | settings or by setting up a custom unlock pattern for entering | it when unlocking the phone. | | I tought this was quite a clever feature for e.g. giving your | phone to your children with an isolated profile. | jcadam wrote: | Duress codes have been used in physical security systems (i.e., | pin pads to open doors) for a long time. | | Personally, I'm wondering why ATMs don't have this feature. | guitarbill wrote: | Because people struggle to remember even one PIN, especially | if it's needed infrequently or in a stressful situation. I'm | not being snarky here, it's happened to me. Could not | remember my one, main PIN on one particularly stressful day. | Went home, slept, and no problem the next day. | | So remembering a PIN that most people will never need to use | in a stressful situation? Unlikely to be useful for the | majority of people. | amlib wrote: | I think this could be solved by having the duress code be | as simple as entering your PIN backwards | metafunctor wrote: | Backwards is way too difficult to figure out for many | people under duress. It should be the PIN, with the last | digit entered twice. The cost of a false positive is not | that big. | kevml wrote: | Remembering this seems hard. And doing it under pressure | seems very hard. I've forgotten my own zip code at a gas | station before. | martyvis wrote: | This was patented over 35 years ago but not implemented, | and only spread as a good hoax. https://en.wikipedia.org/ | wiki/ATM_SafetyPIN_software?wprov=s... | littlecranky67 wrote: | Way easier, just have a set of 9 icons (flower, sun, etc) | shown after every pin entry. Your "true" icon will | proceed, all other icons will trigger duress and proceed. | justinpowers wrote: | This is brilliant. Can you offer any more insight or | background to this? Is there a name for this technique? | littlecranky67 wrote: | No, it is an obvious solution to anyone who wants to | solve the problem, and have never seen this in the wild | (probably because I live in a relatively safe country | where you don't have to fear to get mugged at an ATM). | | EDIT: This should be coupled with a "secret" icon that is | shown (or a specific order of the 9 icons you have to | chose from) to prevent MITM/Phishing attacks. If you | realize the icon/order is not the one you are used to, | you are being phished. | reaperducer wrote: | _Way easier, just have a set of 9 icons (flower, sun, | etc) shown after every pin entry. Your "true" icon will | proceed, all other icons will trigger duress and | proceed._ | | This is familiar. | | I had a bank that, when you set up your PIN, required you | to also pick an icon. There was a flower, and a cat, and | a dog, and some other generic pictures. | | When you put your card in the ATM and entered your PIN, | you also had to pick the right icon. | | I wonder if this was the start of a duress system the | bank was setting up. The bank ended up getting eaten by | another bank and then another bank, and the icon | selection system went away. | j4yav wrote: | How would it know if you entered it backwards if it was | 1221, for example? | TacticalCoder wrote: | Well the obvious solution if one was to use this scheme | (which I'm not saying is good or bad) would be, at PIN | creation time, to disable palindrome. | cortesoft wrote: | That eliminates all palindrome numbers as possible pins, | which is bad for security. | benatkin wrote: | Because it reduces the number of possible combinations? | Good reason to keep moving from 4 digits to at least 6 | digits. | gizmo686 wrote: | At 4 digits, with a 10 character alphabet, you are | looking at a 1% reduction in pin space. Contrast this | with the 90% reduction in pin-space you get by not using | a 5th digit. | 3np wrote: | Found the person with a palindrome pin | GekkePrutser wrote: | Still it could be very useful for those of us that can | remember it and do care. | kevml wrote: | If we had duress codes for ATM, and it's widely known, then | someone with a gun will just threaten me to not use my duress | code. I'm not going to bet my life in that scenario. | TacticalCoder wrote: | Then make it so that the duress code allows you to withdraw | $300, not $2000. | | The duress code could also mean instant warning sent to the | police. This would deter some bad guys too if it was widely | known. | willcipriano wrote: | Don't change anything about the behavior of the ATM, just | alert the police. If people are being robbed at gunpoint | don't try and be a hero over a couple grand. | gnicholas wrote: | Can you withdraw $2k from an ATM? I've never had a | personal limit above a few hundred, and it never occurred | to me to ask for a higher limit. | reaperducer wrote: | ATMs can be configured for all kinds of amounts. It's up | to the bank. | | In the mid-90's, my father's bank would let him specify a | withdrawal amount down to the cent. He could take out | $53.17, and the machine would spit out $53 in bills, and | 17 cents would roll down a chute into the coin tray. | | In the late 90's, I had a bank that allowed almost any | withdrawal amount. I know I took out $700 once for an | emergency car repair. | | I think a big reason the banks limit the amount of money | you can take out is so they don't have to refill the | machines as often. It's a cost-saving measure for them. | gnicholas wrote: | I wasn't even thinking about the ATM's limit -- all of my | bank accounts have had limits around $200-350 per day. | KennyBlanken wrote: | First off, just because they have a gun doesn't mean | they're going to risk a capital crime over under a grand in | cash. Sure, some people will, but that number is much | smaller than the number of people not even holding a real | gun. | | The duress code could do any number of things, too. Trigger | a silent alarm, for example, at the bank branch and/or | police. Show a randomized, lower available balance. Mark | the dispensed bills. | | Fact of the matter is that banks don't care; it's not | "their" money when someone steals from you at an ATM. | That's why you never see any sort of anti-robbery systems | in ATM lobbies. | | Cops don't care either. If you're lucky they write a | report. | | But...steal from the _bank_ and every cop in town will hunt | you down. | djur wrote: | It's been implemented in video games, at least! The "NARPAS | SWORD" password in Metroid comes to mind. | | The practical issue here is that a secret password to release | the hounds or whatever is only useful if someone is able to use | it at the appropriate time. It's hard to memorize a password | you don't use. The number of cases where a "release the hounds" | password is going to be usable and useful where a "log into | admin account which has a 'release the hounds' button" wouldn't | be is going to be very low. | giantg2 wrote: | The fact that you remember the one from a videogame, makes it | seem like that would be a good candidate password for this | purpose. If it's used to wipe the data (which is backed up), | then it shouldn't need to be as secure as a regular password. | In fact, it might be preferable to be less secure so that | someone trying to brute force would hit the duress password | first. | djur wrote: | If we're talking about the specific case of duress | passwords, sure. Although in that case the better defense | against brute forcing is to wipe the data after too many | failures. And at some point you might as well just put a | "self destruct" button on there and skip the need for a | password. | jbay808 wrote: | It would be really annoying if my cat could wipe my hard | drive just by walking on the keyboard when I'm in the | bathroom. | giantg2 wrote: | "the better defense against brute forcing is to wipe the | data after too many failures." | | Is it though? I thought some intelligence agencies have | the ability to bypass the tries counter. In that case, | the password would still trigger the wipe. That's not as | easy to defeat because they don't know what password to | avoid during the attempt, as opposed to knowing that | after 10 tries it will wipe. | melony wrote: | How practical is this against an adversary with hardware access? | If they can put a vampire tap on the motherboard or CPU pins, | won't the alternate code paths pursued by the CPU alert them? | Most computers have standardized bootloaders. This would only | work if the decryption key selection computation is encrypted and | homomorphic. | NavinF wrote: | That threat model is so insane that I'll just link this instead | of responding to the question: | https://scholar.harvard.edu/files/mickens/files/thisworldofo... | kingcharles wrote: | In my case, after putting a loaded gun to my head I still | wouldn't give the police my access codes, but after they | changed strategy and threatened my wife I broke immediately. | The interrogator told the judge that if he suppressed the codes | they would simply move to desoldering the chips off the board | and move them to another device. The judge accepted that, | despite objections. (and the fact that only works if the data | is not encrypted on the chips you are transplanting) | Nextgrid wrote: | > If they can put a vampire tap on the motherboard or CPU pins, | won't the alternate code paths pursued by the CPU alert them? | | I doubt this is possible in modern hardware given the bandwidth | & switching speeds they operate at. | jrockway wrote: | Probably possible. You're not going to connect up like 32 | eBay oscilloscope probes to someone's computer and get their | data, but you could build a custom RAM module that saves | interesting data. Obviously there are computing devices that | operate at the speed of modern day CPUs and memory -- modern | day CPUs and memory! | | I think that these aren't widely available because if you | want someone's data you can email them and say "hey I'm the | CEO and I need your password right now, I'm locked out of my | account!" Much easier than engineering a 4GHz logic analyzer | into a DDR4 form factor. | clement12 wrote: | mdavis6890 wrote: | The fundamental problem is that often the people who are trying | to get your data are legally entitled to it, and to use physical | force against you to get it. And god help you if there is any | appearance that you might have deleted the data they want. | | Plausible deniability may help, but only if you really can | convince them that you do not have and cannot somehow access the | data they want. | kats wrote: | What could be more "Hacker News" than a bunch of people thinking | they need a secret password in case they are held "under duress"? | Because obviously you are James Bond and to avoid being sawed in | half by the villian's laser beam you will give away this secret | password at the last moment. Nothing could be worse than if Dr. | Evil steals your _hard drive_ , oh god, not that! | dhzhzjsbevs wrote: | jart wrote: | Well pretty much everyone who works for a corporation has a | responsibility to protect confidential information. However | it's not really all that James Bond because the problem of | international travel is normally solved by having code among | other things not stored on laptops. | jrm4 wrote: | This just reminds me of all the very cool and clever things we | could be doing, but arent. I imagine a world in which your phone | is actually a general purpose computer, that can be meaningfully | backed up _by you,_ solely under your control. | | So when you're travelling somewhere heavy, you backup your whole | phone to a trusted server (I hate even saying 'cloud' here) and | wipe it (or better yet, "duressify" it, e.g. you put in grandma's | number and a little porn and thats it) and be on your merry way. | Restore your backup at your destination. | nunez wrote: | Android's profiles system is the closest thing we have to this; | if only Android's backup/restore facility were more seamless. | ben_bai wrote: | The phone is a general purpose computer, and you can run | LineageOS on it, with a custom bootloader. | | Then you basically have 3 partitions boot, system, data. | encrypting and uploading "data" can be done. It still requires | little manual work, i.e. i don't know if an app can do it. | jrm4 wrote: | Oh I get that it's theoretically possible, but could it be | "normalized?" | TheOtherHobbes wrote: | There's plenty that's crazy about the current system. But I'd | assume in your example state actors would be tracking and | possibly copying your server accesses. And perhaps your server. | (Cross border? Blocked. VPN? Blocked. On-prem? Easy to raid. | "Don't keep logs"? Actually we do. Open source encryption? One | contributor just happens to be from an intelligence agency and | added some weaknesses. And so on...) | | Security is _really hard_. For every "obvious" solution | there's always going to be a back door. For every known | backdoor there's going to be a covert back door which you're | not going to be aware of, or a honey trap which looks like a | trusted independent solution but is really state owned. | | If you want a truly secure solution you're probably going to | have to wait for some kind of bio-linked technology where your | personal data is embedded in your physical body, and forced | access either wipes it, or kills you, or perhaps both, | depending on the settings. | fennecfoxen wrote: | > There's plenty that's crazy about the current system. But | I'd assume in your example state actors would be tracking and | possibly copying your server accesses. And perhaps your | server. | | Some of us have only passing interaction with state actors, | e.g. when visiting a foreign country for a short term, or | when crossing the border into a nominally free society with | legal privacy rights ( _cough_ TSA / ICE _cough_ ). There is | thus in practice ample need for solutions not secure against | an all-seeing surveillance state. | nullwarp wrote: | A security company I contracted for has a policy when people | are traveling to certain countries that they can't bring a | company laptop or phone with them. They have to purchase a | laptop while in the country to use and log onto the systems | from there. | ohyoutravel wrote: | I'm curious because this seems worse in many ways than | purchasing in your home country and carrying across. I | understand you go through the airport with a fresh laptop and | that gives the opportunity for the airport security agents to | mess with it, but in all recent travels when I've done this | the only time I haven't seen the laptop directly is when it's | in the X-ray machine for 30 secs. Seems like purchasing in | visiting country would be less secure. Can you elaborate? | kmeisthax wrote: | Carrying devices across a border gives the Nation State | Actors both physical access to your machine _and_ a legal | basis to mess with it - either by searching the device for | secrets or by installing malware onto it. Some countries | are better at this than others. I wouldn 't bother doing | this if I was just going from, say, the US to Canada[0]. | However, China is notorious for messing with any Android[1] | phones that cross their borders. Depending on what | countries your company trades with, this policy might make | sense. | | In contrast, bulk shipments of imported devices are not | usually tampered with in the same way[2]. Some countries do | have similar restrictions on data import, but they can't | mess with or spy on that data because you actually have | end-to-end encryption in that case. | | [0] I _have_ heard reports of immigration officers | demanding device passwords in such a case, but it 's rare. | If you're _really_ paranoid, enough to want to do this when | crossing US borders, I should point out that you should | never live within 100 miles of them. Anything 100 miles or | closer to a US border gives the US government power to | demand your papers; furthermore, the people in border | control treat this as a blank check to search for anything | they want. | | https://www.aclu.org/other/constitution-100-mile-border- | zone | | [1] I have yet to hear reports of iPhone users getting | their phones searched. | | [2] Yes I know "Tailored Access Operations" exist, but this | usually involves shipping intercepts, not someone buying a | device in a store. | jon-wood wrote: | I haven't travelled to China since before Covid was a | thing, but when I went previously border control weren't | at all interested in our phones, and more or less waved | us into the country once they'd checked our visas. To say | they mess with any Android phone crossing the border is | either massive hyperbole, or they're doing it remotely as | you run them through X-ray scanners. | raincom wrote: | If CBP gets suspicious, they will ask for the device | password to gather evidence from one's phone to deport | back. This happened to a couple of people I know of. | londons_explore wrote: | I assume the "and log in from there" consists of a very | limited login that only allows access to videocalls and a | few other basics to allow work to get done... Not the whole | document repository of the whole company. | jrm4 wrote: | If you presume encryption (SSL et al) in its present state | generally works, this strikes me as _obviously_ superior? I | genuinely don 't understand the argument? You carry your | password in your head, buy the new machine, phone home, and | you're good? Ditch the machine on the way home if it's that | serious. | kevin_thibedeau wrote: | If you're an espionage target they'll arrange more than 30 | seconds of alone time for your laptop. Either overtly at | customs/security or discretely when you're away from the | machine. | Nextgrid wrote: | Purchasing within the country is more secure unless you | assume all devices sold within the country are compromised | and monitored in real-time which seems unfeasible. | | Of course for this to be effective you should just purchase | it in-person in a mall or something, and ideally don't | provide any identifying information so they can't | "customize" the device just for you, otherwise all bets are | off and at that point it indeed becomes more secure to just | bring your own and not let it out of your sight. | [deleted] | [deleted] | elliekelly wrote: | A while back a woman in Boston was abducted at random, forced | at knifepoint to withdraw money at an ATM, and then brutally | murdered before anyone even knew she was missing. In response | the state proposed requiring ATM security features like a panic | button, active monitoring of the surveillance cameras, or some | sort of alarm system. Of course the banks pushed back because | of the long-term implementation costs and also because of the | supposedly risk false alarms. | | But one of the ideas that I thought sounded like a good | compromise was a duress PIN. The idea being that a customer | could opt to set a PIN that would work exactly like their | normal/"real" PIN (dispense funds, etc.) except it would | silently alert police. It didn't happen, in the end. Partially | because the banks were strongly opposed to the "overreach" and | partially because the public outrage about the abduction died | down before anything meaningful could happen in response. | | It was a neat idea, though. | bombcar wrote: | As mentioned in the article itself these cutesy things are | inadequate for their intended use case. | | Could still be made useful in some cases perhaps as part of a | larger "defense in depth" scenario, but if you're actually afraid | of rubber hose cryptography you should utilize methods that | directly work against that (which may result in your death). | dvtrn wrote: | "Could still be made useful in some cases perhaps as part of a | larger "defense in depth" scenario" | | Completely spitballing here just exploring the thought: | | Like using duress pam to _only_ allow logins if a duress pw or | authorized_key is used? Port knocking | (https://en.wikipedia.org/wiki/Port_knocking) comes to mind as | a simile. Could that even be done? | marcodiego wrote: | Hmmm... Can't pam_duress be used to fix https://xkcd.com/538/ ? | mholt wrote: | No, because if the adversary is convinced you used a duress | password, they'll just keep hitting you with a hammer. | Brian_K_White wrote: | There are levels of interest and risk etc. | | They aren't murdering everyone whos phone / laptop they | check at a border. It would be perfectly fine to have an | encrypted disk drive that presented different contents | based on what password was used to unlock for instance. | | And with something fully arbitrarily scriptable like this, | it doesn't have to simply wipe stuff, it can do practically | anything. It could fake having a dead battery, or suffering | some kind of crash or other normal annoying service | interruption. It could fake a Microsoft account login | problem due to some problem with the wifi or borked | corporate account control etc. You could increase the | believability by pretending to have very common bad | security habits like having the duress password written | down somewhere on your person or with the machine. | | If you are a spy and they have you in a hole, then your | cover is already blown. They will remove and dissect the | storage without even trying to boot it. But things like | this could keep you from being noticed in the first place, | and could sufficiently handle the vast majority of | situations. | | In Russia right now, they are stopping random people on the | street to look for certain telegram groups on people's | phones. The randos aren't spies and aren't specifically | targeted. The police are really only doing it to scare | everyone else away from accepting any communication about | Ukraine from outsiders. | | It would be exactly perfectly good enough if they simply | didn't see what they were looking for. | [deleted] | emptyparadise wrote: | That won't help them if the duress password is used to | erase secrets in a way that would prevent even you from | unlocking the drive again. | 41b696ef1113 wrote: | Step one for any kind of serious data extraction project | would be to make a bit-for-bit duplicate of the origin. | emptyparadise wrote: | Thankfully a lot of data extraction projects serious | enough to beat somebody with a hammer are not serious | enough to tamper with TPM. | Skunkleton wrote: | The downside is they will keep hitting you with that | hammer :( | emptyparadise wrote: | Unfortunately they'd most likely do that even if you | could give them the keys :( | boring_twenties wrote: | That's worthless, they will copy the drive before trying | anything. | emptyparadise wrote: | What if you don't store the keys on the drive? | [deleted] | munchler wrote: | That scenario only works out in your favor if you prefer | severe injury or death over disclosing the secret. | emptyparadise wrote: | I'm sure that it adds a certain zen aspect to | interrogation technique resistance. | bombcar wrote: | If they don't really care, they're not going to look hard and | so most anything would work (hide it in a folder or etc). | | If they are using the pipe, then anything that isn't what | they're looking for will result in the pipe. | praptak wrote: | Determined attacker will have your disk physically copied | before attempting anything, so "delete all my files" won't | work. | | For such scenarios plausible deniability is what you want. | Ideally, you need a whole parallel system which plausibly | _appears_ to attackers as if it is legitimately authorized | /decrypted. StegFS is an example building block for such | systems. | | If they know you work on breeding war rabbits, you better | have some fake files with records of failed attempts to breed | war rabbits and your real files hidden in deeper layers. | labcomputer wrote: | Right, but that's sort of the reason some OSes like MacOS | use a hardware security module to store the key used for | encrypting the disk contents. Your adversary can make as | many copies of the disk as they want, but they need the HSM | (which is, by design, hard to clone) to read the plaintext. | | An HSM can even enforce policies like rate limiting brute | force attempts and/or erasing itself after too many | attempts. It could even support a duress password which | immediately erases the keys. | | Without the ability to clone the HSM, the attacker doesn't | get a "second chance" if they attempt to use the duress | password. | Retric wrote: | Determined attacker might be a mugger trying to get your | ATM pin. | | Assuming they will always have access to the underlying | system being protected is missing out on a huge range of | security issues. | bombcar wrote: | ATM is an example where it might match the threat level - | a pin that reveals an account with $450 or so in it | instead of the real accounts. | tomatotomato37 wrote: | I feel a whole parallel system is very risky due to the | large service area you have to emulate; screwing something | up like Last Modified dates or system updates may reveal | you never used that system since 2012. I would rather hide | anything risky in an area where high-entropy binary blobs | wouldn't appear unusual; the output folder of a hobby data | compresser project wouldn't be a bad choice. | emptyparadise wrote: | This xkcd comic single-handedly set security threat modeling | back by decades. | TacticalCoder wrote: | Yup, honestly it's pathetic and getting on my nerves every | single time it's posted. | deknos wrote: | i wish the luks guys would also do this, but they denied the | request back then. ___________________________________________________________________ (page generated 2022-03-06 23:00 UTC)