Software "dead man switch"

Recondite49 · 23-08-2014 2:02pm #1

I've just been reading this excellent young man's page on a software equivalent of a "dead man's switch".

In essence he's set up a simple script using 'cron' which unless reset once every 30 days it'll delete the porn, send an e-mail or do whatever activity you like from within the command line.

I've been playing around with his script and have been trying to take it a step further to allow you to protect encrypted devices offline such as your laptop or USB sticks.

Coercion techniques such as key disclosure laws under which people can be jailed for refusing to reveal their password and rubber hose cryptography have forced security experts to think of new ways to protect their personal data as you all know.

Two popular techniques involve the use of hidden volumes (although the viability of this is in some doubt, particularly in the case of Truecrypt), and more recently a "kill switch" such as Kali Linux's "nuke option" whereby you have a password which will purge your encryption keys. While this is admirable in theory, it's only really any use if your adversary doesn't make a copy of your drive and then tries to enter this "nuke" password into the device immediately.

It seems to me that the only way to make sure that you cannot be forced to surrender a key is if you do not know it in the first place.

In short this is a reworking of the idea suggested in the "Dead Man Switch" above, whereby you store your password in an encrypted document on a server, which will be shredded if you do not reset a script, say once every 24 hours.

Of course if your drive or your laptop is encrypted this begs the question how you can log into your server and retrieve the password. Fortunately this is where your Android phone comes in handy, thanks to a little app called Juice SSH, it's possible to connect to your server and retrieve the password.

So in summary, this is what I'm proposing to do :

- Set up a Virtual Private Server in a remote location e.g China.
- Use gpg to create a text file containing the password to unlock your computer/drive (a long string of say 40+ random characters which you cannot possibly remember). The text file in turn will be encrypted using AES 256 with a password of your choosing.
- Use the cron function in conjunction with a script to say that unless reset every X hours, this text file will be deleted using the 'shred' command.

To retrieve the password all that needs to be done is to log into your server over SSH from your mobile phone and use gpg to retrieve the password.

Naturally this wouldn't protect you from evil maid attacks, such as hardware or software keyloggers, but it would allow you to state openly that you cannot provide the password for your drive which could be useful from a practical/legal perspective.

A few disadvantages I can see of this approach:

- You need to have your phone with you at all times with a working internet connection. Given the ubiquity of mobile phones and how innocuous they are, this shouldn't be too much of a problem however.

- Unless you take extra precautions it may be possible even over SSH to see the plain text password being sent to your phone by the server. There are some security flaws in Android. This can be mitigated slightly by using Cynaogen Mod or SE Android, although

- If your server is in a jurisdiction which takes backups of data or can be coerced into handing over their records, it may be possible to retrieve a copy of the encrypted text file, and so you may still be coerced into providing the password for that.

- The encryption of your main drive will still only be as good as the password on it, so you'd need to choose an extremely long one to make brute force cracking unviable.

- The Dead Man's Switch is exactly that ; if for any reason you're prevented from
resetting the timer e.g you've to go to hospital for an operation, then your data will be irretrievable.

I am going to set this up over the weekend by way of an experiment but would be grateful for any constructive criticism or suggestions.

N.B We are going to assume for the purposes of this discussion that we have data that is worth going to these lengths to protect. The "I have nothing to hide" notion crops up on here every week - please not on this thread, thanks. R.

Rucking_Fetard · 26-08-2014 7:36pm

How'd it go?

Recondite49 · 26-08-2014 8:52pm

Rucking_Fetard wrote: »

How'd it go?

Hi RF,

Well I've signed up for a VPS service with the good people at R0ute who are based in Iran. I think they can be relied upon for their discretion as far as Western law enforcement goes!

I've also decided to have an Android phone dedicated to accessing the VPS. I think part of the beauty of this system is that you could reset the Dead Man's switch from any phone or computer in the world but for extra peace of mind I think it's best to make sure that a casual scan of your telephone records won't show you connecting to an obscure IP at the same time you're on Facebook.

Currently the drive being encrypted is a 1TB WD External Drive which contains my entire collection of Boston Legal. The password is 45 characters.

It's proven fairly easy after a few goes to display the password on the phone, it takes only around three minutes to boot up the machine in total.

At the moment I am pondering a failsafe for the Dead Man's switch. It would be possible to e-mail a copy of the document to a friend before it's shredded, asking that they try to call you, and if they can't reach you, simply to ignore it.

This gives you peace of mind for recovering your data but rather defeats the point of the Dead Man's Switch.

Would be very interested to hear your thoughts on this. It may sound needlessly elaborate, but I honestly can't think of another way to make sure your data's safe.

syklops · 26-08-2014 9:07pm

Well I've signed up for a VPS service with the good people at R0ute who are based in Iran. I think they can be relied upon for their discretion as far as Western law enforcement goes!

Or GCHQ will red flag you. How much is it?

Did you look at Cyberbunker?

Recondite49 · 27-08-2014 10:09am

syklops wrote: »

Or GCHQ will red flag you. How much is it?

Did you look at Cyberbunker?

Hi Skylops,

I paid a $12 setup fee and after that the price varies depending on how much you want to pay in Advance. I'm currently paying $22 in order to try it out just for a month but naturally it'd make more sense to save money by buying for a year at a time.

I agree connecting to an Iranian IP address is less than ideal but it's important to bear in mind that this is over a separate phone, which has a PAYG chip inside it. I buy SIM cards in bulk from eBay and top up with cash - it's by no means anonymous of course but I live in a compacted block of apartments so hopefully it won't be traced to mine specifically.

I was very impressed by Cyberbunker, many thanks for pointing this out. I'd be interested in your thoughts on this ; the Netherlands traditionally have good privacy laws, I even store my seedbox there(!)

Do you think that if a SWAT team descended on the bunker as mentioned in the FAQ that they would really be able to lock the place down and destroy all the servers in time? I think it's feasible but of course their entire business would go tits up overnight.

Again I'm really pleased that you and others are looking at this thread because as we all know, Schneier's Law dictates that any fool can build a security system they can't circumvent themselves ; it requires the scrutiny of others!

syklops · 28-08-2014 12:20am

I agree connecting to an Iranian IP address is less than ideal but it's important to bear in mind that this is over a separate phone, which has a PAYG chip inside it. I buy SIM cards in bulk from eBay and top up with cash - it's by no means anonymous of course but I live in a compacted block of apartments so hopefully it won't be traced to mine specifically.

This is the weak point in your plan.

IMO, you'd be far better off with using traditional internet,service providers, and chaining requests via SSH tunnels and/or Tor.
With one android phone, we mean one phone provider, so one warrant and your data is gone/exposed. With four ISPs the cops have four warrants, so in some jurisdictions we mean weeks before all warrants are issued,.

At this point I suggest you move this project to another site, not boards.ie, where anonymity is, if not available, at least considered important.

Rucking_Fetard · 28-08-2014 12:27am

Recondite49 wrote: »

I agree connecting to an Iranian IP address is less than ideal but it's important to bear in mind that this is over a separate phone, which has a PAYG chip inside it. I buy SIM cards in bulk from eBay and top up with cash - it's by no means anonymous of course but I live in a compacted block of apartments so hopefully it won't be traced to mine specifically.

Where do you get them delivered to?

Recondite49 · 28-08-2014 12:32am

syklops wrote: »

This is the weak point in your plan.

IMO, you'd be far better off with using traditional internet,service providers, and chaining requests via SSH tunnels and/or Tor.
With one android phone, we mean one phone provider, so one warrant and your data is gone/exposed. With four ISPs the cops have four warrants, so in some jurisdictions we mean weeks before all warrants are issued,.

At this point I suggest you move this project to another site, not boards.ie, where anonymity is, if not available, at least considered important.

Syklops,

Thank you so much for your thoughts. I was mulling this over earlier today. The phone I am testing this out on is rooted and runs Orbot so it's possible to use this but I think you're right about daisy chaining servers, so no traces are left of your login details on the device.

Of course one other possibility would be to forget the phone altogether and just boot your computer into a live OS (TAILS would be ideal), and reset the counter from there, the downside being you'd have to keep a DVD or USB key on you at all times and have access to a computer, might be a bit of a downer if you're out and about.

I think you're right about going somewhere more security inclined with this, perhaps the Wilders Security forums, what do you think?

Recondite49 · 28-08-2014 12:40am

Rucking_Fetard wrote: »

Where do you get them delivered to?

An excellent question RF, I've an address with Parcel Motel. I realise that it's less than ideal but since the alternative is either to appear on CCTV paying for one in store over here or using a telephone line linked to my bank account, I feel it's the lesser of several evils.

It's by no means foolproof of course, I dispose of the chips once a month but still have to drop into various newsagents to buy vouchers , I try to use the ones without security cameras but as you can imagine there aren't too many of these.

That said if you're running a Tor relay from your phone while using it, your phone company are going to have one hell of a job working out if you connected this server or that.

All the same if you've any suggestions on how to connect anonymously, I would be very grateful to hear your ideas as I am only a lowly Tech Support Advisor.

syklops · 28-08-2014 11:18pm

Recondite49 wrote: »

An excellent question RF, I've an address with Parcel Motel.

Again, one warrant. And PM is linked to your credit or debit card.

Book a hotel for a few months in the future, get your stuff delivered there, cancel the booking, take the 20 euro hit, go in and say stuff was being delivered there for your boss and can you pick it up. Show your fake ID.

Its not perfect, but while Parcel motel can only relinquish your details via warrant, I bet good money that if I ring them from Dublin and tell them Im a guard investigating an accusation of child abuse, I could get your details in minutes

Edit:

Im not critical of your project and I dont want to be the negative one, but a pet hate of mine is what I call Masterpiece Security Theatre. Which is security measures that look like they are securing you and actually are meaningless.

Im tired, hungry and grumpy, so sorry if I sound it. I want your project to succeed.

Recondite49 · 29-08-2014 12:06am

syklops wrote: »

Again, one warrant. And PM is linked to your credit or debit card.

Book a hotel for a few months in the future, get your stuff delivered there, cancel the booking, take the 20 euro hit, go in and say stuff was being delivered there for your boss and can you pick it up. Show your fake ID.

Its not perfect, but while Parcel motel can only relinquish your details via warrant, I bet good money that if I ring them from Dublin and tell them Im a guard investigating an accusation of child abuse, I could get your details in minutes

Edit:

Im not critical of your project and I dont want to be the negative one, but a pet hate of mine is what I call Masterpiece Security Theatre. Which is security measures that look like they are securing you and actually are meaningless.

Im tired, hungry and grumpy, so sorry if I sound it. I want your project to succeed.

Hi Syklops,

Not at all, I'd be grateful if you could share your thoughts on this ; as I mentioned before I just work in Tech Support whereas you've had hands on experience with Information Security.

When it comes to the security of connecting over 3G, this was a topic I remember that raged back and forth on the Silk Road forums back in the day.

Firstly, as far as it applies to my Dead Man's Switch, having a dedicated Android Phone is by no means a necessity. It's convenient, and a nice flourish but won't improve the overall security of the system ; in fact you're far safer booting into a live OS as we said and resetting your kill switch from there.

This said, there are only so many methods of getting online and the others involve either making use of public WIfi which makes me panic or using a fixed line in your own name.

I like the way you think in that for a security system like this to work, you need to assume you're under active surveillance at all times. What I do know is that in practice it's a lot easier for the Police in the UK at least to snoop on your telephone records than it is for them to get a warrant to open your Mail.

Not only that but when my package of SIM cards comes through (I buy them 25-30 at a time), they'll need to intercept it, steam open the envelope, catalogue each and every one, then have the mobile provider continually collect traffic data for any and all of these.

Even in this rather Orwellian but plausible scenario where they'd have to go to considerable trouble, I would be no worse off than someone using their home DSL to connect to the net, which of course would be registered in their own name.

If you then also decide to install Orbot on the phone and decide to run an internal Tor relay, the task of the Police becomes many magnitudes of order greater, as they need to pick up your traffic specifically - in this case of course it would be logging into a server in a jurisdiction which will not share data with Western Law enforcement too.

I think your idea for the hotel booking is an excellent one, I've worked in a few and we'd often hold mail for guests. The last time I needed to have mail sent to me I was still a University student, I went to stay at a homeless shelter for a few days ; an excellent excuse for not having photo ID - I made sure to give a donation afterwards!

My real worry in the case of a phone is that it could be seized and remnants of your logins over SSH could be recovered by someone in the know. Seems like a cheap burner phone would also be the answer, that way you could also escape being tracked through your IMEI too.

matrim · 31-08-2014 9:57am

Recondite49 wrote: »

An excellent question RF, I've an address with Parcel Motel. I realise that it's less than ideal but since the alternative is either to appear on CCTV paying for one in store over here or using a telephone line linked to my bank account, I feel it's the lesser of several evils.

It's by no means foolproof of course, I dispose of the chips once a month but still have to drop into various newsagents to buy vouchers , I try to use the ones without security cameras but as you can imagine there aren't too many of these.

That said if you're running a Tor relay from your phone while using it, your phone company are going to have one hell of a job working out if you connected this server or that.

All the same if you've any suggestions on how to connect anonymously, I would be very grateful to hear your ideas as I am only a lowly Tech Support Advisor.

Surely buying online will leave more of a paper trail and make it easier to trace

* The company you buy off may have a database with the list of IMSI that you got and that is linked to your name
* ParcelMotel may have a database with the shipping details and your details
* Your CC linked with both of the above

If you go into a shop and pay cash, you might be on CCTV but that CCTV is likely to be overwritten every day or week, especially if you go into one of the smaller non-official phone stores. I've even bought a sim from a street trader on henry st (athough that was a few years ago), which would have no CCTV and no paper record

For the software dead man switch, surely all someone has to do it plug out your computer and clone the drive to get any (presumably encrypted) information from it before the switch has time to activate.

Recondite49 · 31-08-2014 12:50pm

matrim wrote: »

Surely buying online will leave more of a paper trail and make it easier to trace

* The company you buy off may have a database with the list of IMSI that you got and that is linked to your name
* ParcelMotel may have a database with the shipping details and your details
* Your CC linked with both of the above

If you go into a shop and pay cash, you might be on CCTV but that CCTV is likely to be overwritten every day or week, especially if you go into one of the smaller non-official phone stores. I've even bought a sim from a street trader on henry st (athough that was a few years ago), which would have no CCTV and no paper record

For the software dead man switch, surely all someone has to do it plug out your computer and clone the drive to get any (presumably encrypted) information from it before the switch has time to activate.

Hi matrim,

Thanks for your post.

As I mentioned previously, I buy SIM cards in bulk from various eBay sellers.

Also as I mentioned, simply recording the fact that I purchased a load of SIMS on eBay is not enough for surveillance. As you said yourself, each and every seller from whom I buy would have to document the IMSI of the SIM and then law enforcement would then have to not only obtain a warrant for this information but also from the mobile subscriber to analyse data sent over 3G in the hope that this information is still available.

Even after law enforcement has gone to these lengths, you're really no worse off than if they'd obtained a warrant to snoop on your home internet connection which is considerably easier.

I agree it would be better to buy them in the street but sadly there don't seem to be any of those here in Cork, I'll keep an eye out. In the past I have also gone into a store to buy a sim card and top up with cash in one go but I was asked to write down my name, address and date of birth. I was able to improvise this but I didn't like appearing both on security cameras and leaving my handwriting too. This also wasn't nearly as cost effective as buying 25 or 30 cards in one go!

As for the Dead Man's Switch, I'm sorry if I didn't make it clear in my first post. The (encrypted) key to unlock your drive is stored on a Virtual Private Server, hosted in a jurisdiction which doesn't have a good history of cooperation with western law enforcement (currently I'm using one in Iran).

I used the TAILS operating system to connect to the Tor network over 3G, create an e-mail address, and then requested a pro rata invoice from the provider so that I could pay for six month's subscription in Bitcoins yesterday morning, am still waiting back to hear from them but as I've already a 1 month subscription with them on a separate account while I have a play around with various scripts there's no rush.

In theory, as I mentioned in my very first post, if an adversary were to gain access to the server or the providers backups and clone the HDD before the switch was activated they would then have a copy of the keyfile - but I find it hard to believe the Iranian authorities would cooperate with such a request and given that the server has been paid for anonymously, they'd have a job finding mine to begin with.

A part of the switch I have been playing around with, also sends out an e-mail via gmail to my own address, explain what has happened and what I've done. Naturally this would only have been sent out once the key has been securely shredded. This is important as it would make it clear that using coercion to obtain the key is a moot point, however I'm trying to find a way to make sure that the e-mail can't be traced to my server once it's sent.

I'm currently tweaking the script and will be happy to show you all what I've come up with at the end of month when everything is just so. Many thanks for the points you've raised in the meantime and do let me know if you have any other questions.

sff · 20-10-2014 10:25am

matrim wrote: »

* ParcelMotel may have a database with the shipping details and your details

might be a stupid question, but you didn't use your actual name or address? you can get prepaid credit cards.

this thread is completely over my head but I'd be interested to know if it works.

Recondite49 · 20-10-2014 11:24am

sff wrote: »

might be a stupid question, but you didn't use your actual name or address? you can get prepaid credit cards.

this thread is completely over my head but I'd be interested to know if it works.

Hi sff,

Firstly, yes I have managed to set this up - as you can see from the first post, the idea is very easy to understand. Simply a password that destroys itself unless you flip a switch every 24 hours (or 48 in my case!).

Second, I do use my real name and address with Parcel Motel but perhaps you're right it's better to use a prepaid credit card. So far I haven't seen any that don't require some form of ID or proof of address themselves though.

We've discussed before a few methods by which you can have items mailed to you anonymously - if I felt that cut up about it though I'd simply buy the SIM chips I needed in person ; it isn't so important that the powers that be don't know I've bought them so much as they don't know what specific ones I bought.

It's interesting though that this came up as a topic in the thread as of course it might be a way to detect where the server for the dead man switch is located.

sff · 20-10-2014 2:13pm

Yep, I'm only recently getting interested in my online privacy since the facebook app. I never really thought about it before.

Especially with the whole government online spying programs that have surfaced over the last few years.

I'm not sure I'll ever have a need for it but to be clear, you'd access the key every time you needed the data?

Recondite49 wrote: »

Second, I do use my real name and address with Parcel Motel but perhaps you're right it's better to use a prepaid credit card. So far I haven't seen any that don't require some form of ID or proof of address themselves though.

I think that the 3V (online only) and the swirl/o2 money card might be a couple of options. I might try taking them out and post back about my findings.

Although, thinking about it, it would be a logistical nightmare if you buy 20-30 at a time. Even if they kept a database of imsi's they'd still need to know you have a parcel motel account, find the deliveries to the account. Or maybe find your ebay account and trace the deliveries to your P.M. box. Then they'd still need to trace the traffic going to/from the correct number (requiring I'm assuming 25-30 warrants). All so miramax can give you a fine? Probably not.

Recondite49 wrote: »

it would allow you to state openly that you cannot provide the password for your drive which could be useful from a practical/legal perspective.

The one query about this I would have is that you'd have to not provide it for a day. You have the knowledge that at this point it becomes irretrievable so would this not be the same (legally) as refusing to provide a password at all? i.e. could you not set it as something very simple and just say that you'd done all this? Even do this and have that code saved in Iran be a second killswitch and when it locks your data tell them they entered a digit incorrectly but you had co-operated fully?

Recondite49 · 20-10-2014 3:48pm

sff wrote: »

Yep, I'm only recently getting interested in my online privacy since the facebook app. I never really thought about it before.

Especially with the whole government online spying programs that have surfaced over the last few years.

I'm not sure I'll ever have a need for it but to be clear, you'd access the key every time you needed the data?

I think that the 3V (online only) and the swirl/o2 money card might be a couple of options. I might try taking them out and post back about my findings.

Although, thinking about it, it would be a logistical nightmare if you buy 20-30 at a time. Even if they kept a database of imsi's they'd still need to know you have a parcel motel account, find the deliveries to the account. Or maybe find your ebay account and trace the deliveries to your P.M. box. Then they'd still need to trace the traffic going to/from the correct number (requiring I'm assuming 25-30 warrants). All so miramax can give you a fine? Probably not.

The one query about this I would have is that you'd have to not provide it for a day. You have the knowledge that at this point it becomes irretrievable so would this not be the same (legally) as refusing to provide a password at all? i.e. could you not set it as something very simple and just say that you'd done all this? Even do this and have that code saved in Iran be a second killswitch and when it locks your data tell them they entered a digit incorrectly but you had co-operated fully?

Hi sff,

Well you've certainly come to the right place if you're interested in privacy, some really good threads on here!

My understanding of 3VV is that you initially send in an application form and provide ID, in exchange for which you're sent a plastic card. The vouchers you then buy in store for cash are then used in conjunction with this card to make your purchases online.

I agree it would be much better to have a system where you can just buy a prepay credit card for cash but life is seldom fair!

You're right about it being a logistical nightmare. Many security gurus assume the government are willing to spend unlimited time and resources on surveillance when we know this isn't possible - also don't forget in the worst case scenario, they wouldn't know anything more than those people who use their home internet connection!

The SIM chips I use are put into a dedicated Android phone running Orbot i.e all traffic is routed through the Tor network. It also operates as a Tor relay meaning it channels traffic through - even if someone were snooping on the connection it would be near impossible to distinguish only your traffic under these circumstances provided you use Tor hidden services i.e visit sites that use the .onion extension.

Key disclosure laws in the UK are governed by RIPA which requires a person to provide any keys in their possession or otherwise decrypt the data.

In my own case as we're living in Ireland, the law is a lot less clear but I do keep a DVD amongst my papers which is a video I recorded explaining what I have done, how the kill switch works and that most likely by the time that they have watched it, the password has been erased.

It seems likely to me that if you were arrested during the deadline, rather than compel you to hand over a password you don't know, they would ask you to provide details of the server where it is stored. (It's unclear legally if a key lodging on a rented server would be seen to be in your "posession").

If you refuse to provide details then you could technically be charged. Of course there would be no harm in you doing so, once the deadline was reached.

If you're very paranoid about arrest you could always set the timer to a shorter interval such as every 12 hours.

I think the idea of a nuke password is an excellent one, Kali Linux has a similar feature. Perhaps we should look into it!

Recondite49 · 20-10-2014 3:53pm

Update : My august colleague has pointed out that you could indeed get around the issue outlined above by simply renting a second Virtual Private Server running the same code but with a dummy password.

If you're asked to hand the details over, then you can happily do so with impunity. They'd have no way to prove it was the wrong one and even if they recovered the data they'd have no way of knowing it was the wrong password.

Software "dead man switch"

Comments