A dead man's switch for your computer? (viktorpetersson.com)
129 points by mvip on Jan 22, 2015 | 72 comments



Reminds me of Jacob Appelbaum's udev rules for mouse jigglers: https://github.com/ioerror/udev_antiforensics


This looks like useful software. His claim that it's now integrated into systemd is not supported by the patch he links to, though. Based on the systemd upstream patch, it looks like it just locks if a certain manufacturer's forensics tools are connected. The GitHub repo you've linked locks the screen on any USB HID attachment, which seems much safer.


I built a program that automatically locks my OSX machine when I get far enough away from it. It uses iBeacon ranging and I have the beacon in my pocket. Debated on sharing with others but I never managed to clean it up enough to be proud of sharing it.


There's a program for Linux that does the same, but using your phone (or other Bluetooth device) called blueproximity. It had a slight tendency for false positives, though - sometimes it locked the screen even with the device less than a meter away.


I used blueproximity successfully with my Linux laptop. I bought the smallest bluetooth headset I could find ($25), removed all extraneous parts, and carried it on my person (not my bag). It was so small that I didn't notice it. Effectively like two-factor authentication for unlocking my laptop.

It's unwise to use your phone for this purpose, because a phone and laptop might both be swiped if you're not holding on to both. This has happened to folks at cafes or on mass transit in the Bay Area.


I've tried to use blueproximity at some point (mostly for convenience because I sometimes forget to lock my screen), but the range of BT devices is too large for comfort. I could be anywhere in my flat or in the medium-sized open plan office at work and the phone in my pocket would still be in range.


Have you tried configuring it? It has a slider that you can adjust to set a minimum power level, so that if the device is too far away it locks anyway, even if it can still detect it.


I had a laptop once that for some reason wouldn't use the battery even on a full charge. So, naturally, as soon as the power cord was pulled out, the laptop crashed.

Would make for a pretty good DMS; being deceiving with a battery attached and the OS reporting a full charge.

I wonder if there's a way to modify the mainboard (knife a lead or something) to be incapable of using the battery while still charging and the OS still being able to get reporting data.


> I wonder if there's a way to modify the mainboard (knife a lead or something) to be incapable of using the battery while still charging and the OS still being able to get reporting data.

Why go the hardware route? The AC adapter state is reported to the operating system; for instance, KDE on my laptop plays a sound when a blackout cuts the power to the AC adapter. It should be simple to have something else monitor the power state and tell logind to lock all screens on AC power loss, or even force a shutdown if you're paranoid.

Not that it would help much; there are devices which can keep the AC power on while a computer is unplugged and transported, even for desktops (which have no internal battery). Nothing prevents these devices from also being used on laptops.
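The software approach suggested in the comment above, sketched as an added example (not code from any commenter). It polls sysfs for the AC adapter state and calls `loginctl lock-sessions` on a mains-loss edge. It assumes the adapter is exposed with type `Mains` (some USB-C chargers report `USB` instead), and `PS_ROOT`, `LOCK_CMD`, `ac_state`, `on_change` and `watch_ac` are names invented here.

```shell
#!/bin/sh
# Added example: lock all sessions when mains power is lost.
# PS_ROOT and LOCK_CMD can be overridden so the logic can be exercised
# against a constructed directory tree instead of the real sysfs.
PS_ROOT="${PS_ROOT:-/sys/class/power_supply}"
LOCK_CMD="${LOCK_CMD:-loginctl lock-sessions}"

# Print "1" if any Mains-type supply is online, "0" if none is, and
# "unknown" if no Mains supply exists at all (desktop, VM, USB-C only).
ac_state() {
    found=0
    for dir in "$PS_ROOT"/*; do
        [ -r "$dir/type" ] && [ -r "$dir/online" ] || continue
        [ "$(cat "$dir/type")" = "Mains" ] || continue
        found=1
        if [ "$(cat "$dir/online")" = "1" ]; then
            echo 1
            return 0
        fi
    done
    if [ "$found" -eq 1 ]; then echo 0; else echo unknown; fi
}

# Only a 1 -> 0 edge triggers a lock, so a machine that boots on battery
# or has no readable adapter state does not lock in a loop.
on_change() {
    if [ "$1" = "1" ] && [ "$2" = "0" ]; then
        echo lock
    else
        echo none
    fi
}

# Poll every $1 seconds (default 1) and lock on mains loss.
watch_ac() {
    interval="${1:-1}"
    prev=$(ac_state)
    while :; do
        sleep "$interval"
        cur=$(ac_state)
        if [ "$(on_change "$prev" "$cur")" = "lock" ]; then
            $LOCK_CMD
        fi
        prev=$cur
    done
}

# Start the watcher only when invoked as: script.sh run
if [ "${1:-}" = "run" ]; then
    watch_ac 1
fi
```

Setting `LOCK_CMD` to a shutdown command gives the stricter variant the comment mentions.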


Carrying a beacon in your pocket seems like a really impractical solution if you own a smartphone.


Even then I would still consider it somewhat impractical as it means battery dead = computer locked. And depending on how it's programmed: forgot beacon/phone = computer locked.


Just a guess but it would surprise me if his phone isn't the beacon.


For this to work as a dead man switch, it will have to trigger the lock the instant there's two of that signal. Otherwise one simply has to sniff bluetooth then copy your signal.


Bluetooth is cloning-resistant if done properly; communications are encrypted and devices authenticated.


Windows 7+ allows you to select a bluetooth device as the locking device for proximity detection.


Tails, a "Live CD" operating system which relies on Tor for all communication, does something like this at the OS level: If the media you are running Tails from is removed, the OS immediately writes over itself in RAM and shuts the system down.

Still capable of being worked around, but looking into that may help identify how to best implement a dead man's switch.


To me a simple 'device proximity' check described in the article would not work if an adversary forced you to remain near the computer.

A 'vigilance control' device would work as intended in these cases - a message is issued to the user (possibly via covert means), and failure to respond locks the device:

http://en.wikipedia.org/wiki/Dead_man%27s_switch#Vigilance_c...


Dual Core (nerdcore rapper) wrote a bunch of anti-forensics scripts a couple of years ago, some quite kooky, which he presented at DerbyCon. Talk is worth watching [1], and the code [2].

[1] https://www.youtube.com/watch?v=i3nLrJrkYOc

[2] https://github.com/int0x80/anti-forensics


A bit different but I've considered releasing all of the stuff I own, certain accounts etc. into the public (or into the hands of some trustee) after I die + some specific period of time. I would need to automate everything I have and that task is daunting for something I wouldn't even get to enjoy.


It's kind of pointless. If the police have already identified you as a target, there are too many other tactics they can use. For example, they could just set up a hidden camera that records you when you are using your PC.


Well for one this is a post in response to the Silk Road arrests in which a DMS would've saved him. Not pointless at all.

Sure over time their methods will evolve but ask Ross if he'd rather have had a DMS or not. It'd be unequivocally yes.

If your point is 'if you're a big enough target, you're pretty much fucked whatever you do given enough time' then yes that's probably true, too.


If they observe the computer locking upon you removing the FD, wouldn't they induce the connection? Unless it irrevocably makes the system inoperable, I don't see this as solving for the larger problem.


It turns out that this has already been made before.

https://github.com/defuse/swatd


Using dm-crypt/LUKS, there's a very fast and total wipe to execute when sensors fail.

Let's assume that /dev/sdb1 is the LUKS volume. First backup the LUKS header: "cryptsetup -v luksHeaderBackup --header-backup-file=/tmp/LUKS-header /dev/sdb1". Then encrypt (gpg -c) the LUKS-header, and anonymously stash a few copies online. This is the weak point. You must remember where at least one of them is, and also remember the passphrase.

When sensors fail, swatd runs "head -c 1052672 /dev/urandom > /dev/sdb1; sync; shutdown -P now".

To recover, you would just boot into initramfs, restore the LUKS header, and reboot.


'shutdown -P now' is slow, maybe 'echo b > /proc/sysrq-trigger' is more effective. Trick is knowing when that sync is "really" done.


How about "head -c 1052672 /dev/urandom > /dev/sdb1; xinput set-int-prop 2 "Device Enabled" 8 0; xset dpms force off; xscreensaver-command --lock; sync; echo o > /proc/sysrq-trigger"? That way, the keyboard and display would be gone while sync was completing. Also, does rebooting protect better against reading RAM than shutting down?


This works well, and is very fast:

head -c 1052672 /dev/urandom > /dev/sdb1; xinput --disable 9; xinput --disable 10; xset dpms force off; sync; echo o > /proc/sysrq-trigger
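The wipe commands in the comments above hard-code 1052672 bytes. A LUKS1 header records where the encrypted payload starts (a big-endian sector count at byte offset 104), and that offset varies with key size and alignment, so the length can be read from the volume and checked before relying on a fixed number. The following is an added example, not code from any commenter; the function names are invented here, the sample header is constructed, and only LUKS1 is handled.

```shell
#!/bin/sh
# Added example: check that a fixed wipe length covers a LUKS1 header area.

# Print the big-endian unsigned integer of $3 bytes at byte offset $2 of $1.
be_uint() {
    val=0
    for b in $(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tu1); do
        val=$((val * 256 + b))
    done
    echo "$val"
}

# Print the number of bytes from the start of the volume to the payload,
# i.e. the header plus all key-slot material. Fails on non-LUKS1 input.
luks1_wipe_bytes() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || { echo "not a LUKS header" >&2; return 1; }
    version=$(be_uint "$1" 6 2)
    [ "$version" -eq 1 ] || { echo "LUKS version $version: different layout" >&2; return 2; }
    sectors=$(be_uint "$1" 104 4)   # payload offset in 512-byte sectors
    echo $((sectors * 512))
}

# Succeed only if overwriting the first $2 bytes of $1 covers that area.
wipe_covers_header() {
    need=$(luks1_wipe_bytes "$1") || return $?
    [ "$2" -ge "$need" ]
}

# Constructed sample: a 592-byte file with only the fields read above set.
# $2 is the payload offset as four octal escapes, e.g. '\000\000\010\010'.
make_sample_header() {
    dd if=/dev/zero of="$1" bs=592 count=1 2>/dev/null
    printf 'LUKS\272\276\000\001' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf "$2" | dd of="$1" bs=1 seek=104 conv=notrunc 2>/dev/null
}
```

On a real system the first argument would be the LUKS partition itself (read as root), for example `wipe_covers_header /dev/sdb1 1052672`.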


I was thinking of a voice-activated command that locks the UI while it nukes everything. But while this is happening, it keeps a safe image of the desktop up with basic mouse functionality, so the user doesn't know it is doing anything for a little while.

Of course, I have no use for such a thing, so I would never waste my time implementing it...


I thought about this too when I read about how the FBI seized Ulbricht's laptop. I decided that a simple string isn't sufficient. You want the loop to be either a conductor or fiber optic, so that the system can detect when the cord is cut (not just when a USB device is pulled out).


How about a lanyard that has a magnetic connector (like Apple charging ports)? So it takes just a small amount of force to disconnect, but it's easy to stick back together if you forget it was there when you got up to visit the rest room.

Another thought, what about a little coin-sized watch battery device that does bluetooth low-energy. Press a button it locks your computer (or triple click wipes something, etc).


You should use the scenario of a pair of strong, well trained soldiers physically holding you or otherwise preventing you from performing actions. So anything requiring being aware that you're being raided then doing something like triple click might not be feasible.

I think a system would need to highly tend towards false positives, giving you a short ~5 second grace period to perform some positive challenge that things are OK.

And if this means that every day you end up accidentally having to reboot and start up Tor, well small price for physical security. But really, you should be far more focused on getting your online opsec right so you don't have to worry about thugs. If they're physically grabbing you it's very likely game over.

One countermeasure would be to find people and pay them anonymously to look like you. That is, proxy through their laptop, maybe even have them do some lightweight writing or chatting. Use their life details to leak things, like about weather or other local goings on. Essentially using them as a canary. If they get tackled, you know it's time to burn everything and hide.


A lanyard with a magnetic connector doesn't suffice. If the enemy cuts the cord, the magnetic connector won't release and the computer won't know anything has happened.


If the enemy cuts the cord, the loop of wire in the cord will be cut, and hence the computer will know something has happened.

(i.e. you have a lanyard with a magsafe-like connector with two pins. There's a resistance wire that runs inside the lanyard from the connector, up through the loop, and back to the connector. The computer checks that the resistance remains the same.)

If you want to get fancy, you can embed a RC network in the lanyard and have the computer sweep frequencies measuring reactance.


I like the idea of having a separate decryption device. OS reads encrypted data from hard disk, sends it over an encrypted link to your cell phone, which partially decrypts the data block (using one pass phrase), and sends it back over the encrypted link to the laptop. OS driver then finishes decrypting that block using a second key before passing it to your program. Writing back data just requires a public key, so write operations don't have to go to your cell phone. The idea is that your drive would never be fully unlocked, and the computer wouldn't ever have the full decryption key on it (neither would your phone).

Add in the always-on voice recognition that some Android phones have, and have the key wipe itself as soon as it hears "Freeze... FBI".


Which will work until that fateful day when you're watching a movie... ;)


What you want is an RFID keyfob/detector. There used to be a writeup on a homebrew version of this at http://hackaday.com/2013/09/07/hidden-rfid-reader-locks-work... -- but the link that article references is rotten now. A sufficiently motivated person should be able to dig up instructions somewhere.

A few years ago there were companies that did this for most operating systems, and fairly inexpensively too, but I'm having trouble finding them now.


https://www.youtube.com/watch?v=IIEdExAOXf0

https://github.com/kristoffer-marshall/XScreensaver-RFID-Unl...

Anyone who may be logged on to multiple TTYs should prefer `vlock -an` over `xscreensaver-command --lock`.


Anything RFID can easily be duplicated.


A simple readonly RFID tag - agreed. But think "smartcard with wireless power transmission" like [1]. These should be able to ensure cryptographically secure communication and identification. At least MitM-attacks without physical access to the card should be unfeasible, right?

[1] http://en.wikipedia.org/wiki/Contactless_smart_card#Security


I don't think perfect security needs to be the goal here. You just need to have your device automatically protect the data on it when you're separated from it -- whether it's the state in suits, or just random laptop theft in San Francisco.

If you're up against an enemy capable of realizing ahead of time that you've RFID-protected your device, and capable of cloning your RFID tag without your knowledge, then you're probably screwed no matter what you do.


This might work once, for somebody. Then law enforcement would understand what it is for, what it does, and cut the lanyard/string instead of removing the usb stick before apprehending the device.


Which is probably why the author mentioned wearables with Bluetooth.

Less conspicuous, and no strings to cut.


And way easier to work around: nothing to cut, simply duplicate the wireless signal.


How would you duplicate a wireless signal that contains an “answer” to a changing challenge (e.g. sign this message with the secret key)?


Easy. You do a relay attack.

I.e. instead of comp -> wireless -> device, you go comp -> extender <comp> -> extender <device> -> device -> extender <device> -> extender <comp> -> comp.


Independent of, and in addition to, other locking schemes, how about an active process that monitors for either high acceleration (the laptop being moved) or noise above a certain threshold?


I remember writing a script at some point to lock the screensaver in case of high acceleration or if the laptop is tilting by more than a few degrees. The idea was to lock it if it was snatched (or just moved around).

However, that would only be effective against a petty thief and not against a forensic team. In that case you'd probably want to additionally flush the filesystems (if you care about data integrity in case of a false positive), overwrite the encryption keys in memory (maybe on disk as well, but then there's no coming back without a backup) and shut down. I wonder if the init scripts prompting for the password, cryptsetup and the LUKS subsystem have been designed to always overwrite copies of the entered password and decrypted keys ASAP.


You could use code from here on a Mac, http://osxbook.com/book/bonus/chapter10/ams2hid/ It would probably be best to have multiple triggers.


While a dead man failsafe is a good idea - facial recognition would be my preference for situations like that described in court, the bigger issue is compartmentalization. Whole disk encryption sounds good, but the flip side is whole disk decryption and that doesn't sound so good and didn't work out well when it mattered.

Based on the testimony everything was encoded from the same one time pad so to speak. That kinda' misses the point of one time pads.

Anyway enough thinking like a criminal or a spy for one day.


> If the computer loses connection to the device, it auto-locks.

If there are any Apple product developers listening, I'll definitely buy the next iPhone if part of its feature set is that as long as the phone is on and in my pocket, I never have to type in a password to unlock my computer(s). It would be even better if that feature was extended to developers so any developer could use the fact that my phone is in close proximity to my computer as grounds for successful authentication.



I remember reading that if an HDD is put in a magnetic field, it will be destroyed. If my door/passage can be set to generate a magnetic field strong enough to destroy an HDD, then as soon as authorities take the computer out of your home, the HDD will be destroyed.

But I have no idea how practical this is.


You probably read about it in Cryptonomicon (I know that's where I read about it), but I don't know if Stephenson made it up or not.

As to practicality, it seems quite unfeasible. First of all, since magnetic forces fall off according to the inverse square law, you're going to need a seriously large magnet for it to work at, say, 1 meter's distance or so. You're basically going to have to seriously retrofit your entire house, and it's going to be very hard to hide. Secondly, and more importantly, even the most powerful commercial hard drive degaussers require that the drive be in contact with the magnet for up to 10 seconds to guarantee that all the data is erased, so someone just walking through a door isn't going to be in the field for anywhere near enough time.


Unless you can get your hands on a powerful magnetic monopole, the field falls off with the inverse CUBE of distance. (Note: no one has so far managed to get their hands on a magnetic monopole, powerful or otherwise.)


It can still fall with the inverse of the distance by smartly assembling several dipoles.

Anyway, the time issue remains.


I guess I was even more right than I thought I was :)


As others have noted: Cryptonomicon.

...but that basic idea did give me another one: electromagnets on a separate circuit inside the drive enclosure or laptop body.

Fail to pass a security check on schedule and the circuit is engaged, destroying the HDD.

I'm no hardware whiz, although I did make a motor out of a nail and copper wire once.


Well, you could just use a solenoid to actuate and make lots of metal contacts. Or you could use some sort of iron filing injection system that litters iron everywhere in the computer.

The problem then is false positives. Only 1 mistake and kablooie.


As a student, I visited the High Field Laboratory in Dresden (Germany). They have one of the strongest magnets in the world, I think it was 80-100 Tesla, and supposedly stronger than a similar one in Los Alamos (although the one in Dresden could only be powered up once, and would vaporize immediately). The whole setup was surrounded by ~3m thick concrete walls.

And right next to the magnetic coil, behind a small blast shield, was an old PC... an early 90s beige box looking like a 486 or early pentium, controlling some measurement equipment.

We asked how that worked, and whether there are any problems with "EMP" with the hardware or the hard disk. The answer was, no, the PC works fine. But you have to be extremely careful not to leave any screws or screwdrivers around, because "above xxx T/m field gradient, iron starts to fly", as evidenced by lots of scratches on the concrete.


That's also part of the fiction book "Cryptonomicon" by Neal Stephenson.

Looking at conventional hard drives we see pretty strong magnets a few cm away from the platters so you'd need something freaking huge to wipe the drives passing through a doorway.


You'd practically need an MRI machine to get any real effect.


I'm pretty sure I saw this on one of the CSI tv shows.


Not the case with SSD.


I believe there was a post just yesterday for a piece of software that would lock and unlock your machine based on proximity to your phone through bluetooth.

Found it: https://news.ycombinator.com/item?id=8917992


Only MacOS/iPhone though.


I don't know if I'm missing something here... but what's wrong with running your laptop directly off the mains without a battery and unplugging the cord if necessary so the computer shuts down?


There are tools available to law enforcement that allow them to splice into a power cable and convert it to battery power while still online.

Edit: I found it:

http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/


The concept is sound, but new MacBooks do not have removable batteries.


Everyone has their own unique heartbeat signature. What we need is a way to hear that heartbeat, and if it's not the right signature: erase/destroy/etc.


I think you're on to something there. Biometrics might be the way to go here, but is difficult in implementation.

First, security in layers is the best option.

1. USB HID watcher that shuts down system when plugged in. If we use a mouse, we can exclude that. But any other HID, shutdown -r now.

2. Fingerprint scanner. It's not foolproof, but does make duplicating fingerprints a pain if you don't cooperate. And jail cells usually have concrete. No more fingerprints :)

3. Most laptops have webcams built in. I'm looking in OpenCV FaceRecognizer class to see how it works, and if it's viable for fingerprinting a user. We could also do other checks, like 3d facial recognition over multiple video frames.

4. We could also potentially use the accelerometer built into laptops. When others have made a sshd knock script, we could provide a knock script to the physical device.

5. Lock on ac power removal. Simple and effective, unless the enemy has AC separation tools.

There's a few ideas. And of course, mix in live filesystems in ram, or virtualbox funniness, and you're in business.


This would be a better concept if it just used your mobile phone proximity over Bluetooth.


Get into the habit of locking your computer the moment you move away from it?



