There are mentions in this thread about false positives, risk of data loss, others. This made me think of Star Trek's use of a self destruct phrase. Obviously their method is too slow, but you could have a "duress" phrase and a "all clear" phrase.
User-Defined Phrase: "Please dont kill me", activates "duress" mode.
- A daemon listens in the background for a phrase of your choice. When detected, your laptop makes a sound effect that is not out of the ordinary for others to hear, but not something you would expect it to play when self destruct is activated. Git repos are committed/pushed with a duress demarcation code to an alternate branch. Your encrypted volumes are dismounted, buffers and caches cleared, camera and microphone start sending small chunks of audio/video to a destination of your choosing. Instructions for playback from your cloud of choice are emailed to emergency contacts. If you do not give the "all clear" in a user-configurable time period, the laptop does user-defined things like wiping encrypted volumes after giving an optional warning sound, optionally sending eeprom codes to brick the BIOS or replace the BIOS with a tracker and setting the screen to say "Stolen From User-Defined String, User-Defined Phone Number" after giving an optional warning sound. All of these actions could be optionally spaced apart based on risk, probably defined in a key-pair text file or json file.
- Giving the all clear code disables this behavior and your ship does not self destruct. The system plays a sound to acknowledge "all clear". Emergency contacts are emailed the all-clear, but audio/video continue to upload for user-defined time in the event your were forced to give the phrase.
Perhaps newer cars could also have this feature? Are there any existing open source projects that could be adapted/bent to accomplish these things?
BusKill does not ship with destructive triggers. The current app is limited to locking your screen. Future releases will include soft/hard shutdown.
We do have a "LUKS Header Shredder" trigger (which we call self-destruct as it renders all the data on the FDE disk useless), but we (intentionally) don't include it by default and raise the barrier of entry because of the risk of data loss.
We'll be publishing a more detailed write-up on the LUKS Header Shredder in 2 weeks. You can subscribe for updates on our website (buskill.in) or the campaign directly (crowdsupply.com)
Does it support destroying keys in hardware tokens? Would be nice if plugging my yubikey into a specific USB port automatically destroyed all keys inside it.
You really want such devices - i.e. Devices with duress modes - to act normally, as much as possible when in those modes. If they clearly destroy themselves immediately you often place yourself in much greater danger. If anything log them into a sandbox or honeypot that is, as much as possible, indistinguishable from your normal environment but is less damaging for you for them to access.
I always thought that a lock screen with two passwords would be an interesting idea. Say the BusKill locks your system and sends a request to a server. If you don't enter the correct password to abort the script within a few seconds, it will run on your server, which sends a distress mail/call to emergency contacts, revoke all ssh keys/passwords etc.
If however the distress password gets entered, the script still runs, but the system unlocks into a virtual pc or another account which is not suspicious.
Truecrypt had this exact function - one password would decrypt your drive sort of on one end, and start the OS there, another password would decrypt the drive on the other end, and start the OS installed there - so you always had perfectly plausible deniability, since the drive taken as a whole looked like a completely normal encrypted drive(in fact you could accidentally destroy the hidden partition by overwriting "empty" area while booted into the non-secret OS). Always thought that was super cool.
The paranoid dystopian counterpart is that you cannot prove you don't have a second partition either. Might get awkward if someone decided to compel the second password on less solid evidence. If you're not actually using the feature.
There was a case here in Germany where the police report revealed that they apparently spent a lot of time looking for evidence of a hidden partition/encrypted data etc because a PC owned by single man with zero evidence of porn was unusual. (but didn't find anything in the end, and didn't claim anything they didn't have evidence for)
this is why you should actually have "signs of life" and something _slightly_ illegal on your plausible deniability partition. Just enough dirt to get you into trouble, but not too much trouble. If you're squeeky clean, you get the rubber hose cryptography treatment.
If you want those signs of life to be convincing, it should include all kinds of history without long gaps, such as:
- email, including recently received and sent emails
- web browser history
- system logs
- software updates
In practice, I think it’s impossible to do that. If the police discovers, for example, that your system logs show your machine was off for a week, but they also just saw you reset it, what do you tell them?
Yeah, there was a tutorial online. Thought it was a good idea in case my laptop got stolen. Don't need to be an expert to click through an automated wizard, do I?
this is a real problem, yes; i find encrypted volume in swap partition actually provides better plausible deniability. "I was told it should be 2x the size of RAM," - says a guy with 512G of ram and swapoff.
The only problem is this is sort of obvious from a forensics perspective. Person is using truecrypt, they boot it up for you, and the partition is only half the size it should be.
No, like the other reply pointed out too - it's not obvious. The first password unlocks the entire partition, the hidden one is just within the "empty" area of the drive. If you write a sufficiently large file while running the OS you could just overwrite and destroy the hidden partition without knowing that you did so. It's also impossible to tell that the hidden parition is there because encrypted data is indistinguishable from encrypted empty area of the drive.
The question always was what kind of attack are you trying to guard yourself against. I imagine top level agencies have a way to crack truecrypt/veracrypt encrypted volumes, but I also imagine they aren't using that capability against just anyone to not show their hand and risk the issue being fixed.
Your parent seems to point out that's not how it works: you've got access to the ful partition either way, meaning you can accidentally overwrite the other partition.
If I remember right, the hidden partitions are indistinguishable from random data on your disk and it was necessary to provide an offset to the first block (or whatever) so it could be decrypted. You could easily overwrite it accidentally because it just looks like free space.
Disclaimer: I know next to nothing about OS'es and login and so on.
I had an idea once, would it be possible to set up two sets of passwords? One to properly unlock your device, and one to trigger either encryption or scrambling of the data when entered?
Of course, but this won’t be easy with commodity hardware. Standard practice is to use write-blockers to prevent this kind of tricks, but of course you can prevent write-blockers by integrating your storage.
I think you could get a pixel phone to do this in a useful way.
Yep. Pretty much all nerd solutions to physical or legal threats are genius but also worse than useless. Here's a $5 hammer, hit him with it until he gives us what we're looking for, so goes the comic I saw once.
This is effective against legal threats. I remember at least one case in my country where one person was saved by truecrypt. They even asked the FBI for help on decrypting it.
Hopefully civilization is not so far gone that police will imprison, torture or kill for failing to incriminate themselves. If it gets to the point cold-blooded torture is on the table, you'll probably get killed anyway.
That's also why Assange (and others) developed the Rubberhose file system[0].
It's based on the game theoretic idea that if your adversary has no way of knowing how many hidden partitions you have, then you have no way of proving to them that you've given them all your secrets.
As such, there is no benefit to you revealing any secrets under torture, because the torture would continue even after you've told them everything, therefore there is no point to them torturing you in the first place.
If they don't understand game theory, that just means they will act sub-optimally. In any case, the correct strategy for the user is still to not decrypt any partitions, since, as you say, the sooner the user stops decrypting, the sooner the torturers give up.
That seems like a pretty foolish assumption to make of your adversaries/captors.
If a torturer has good reason to believe you have valuable information regarding subject X, they'll simply torture you until they possess that information or you die. If you don't possess the information, you're screwed. If you do possess the information, it's likely that they'll stop after they get what they're after.
A state liable to torture you may simply kill you instead. Or torture you and kill you, even if it serves no particular purpose.
If you're in the business of protecting your secrets against torture then you need to also be protecting them against death because that is grimly inevitable.
That's not really making the case for clever crypto solutions. Assange is rotting in prison and is probably going to die in the US in the near future. What secret information could he be protecting at this point?
I think at that point your laptop is the least of your concerns. I don't let people get that close.
As a side note, Emerson Knives makes a really nice highly durable set of pocket knives with a "wave" that forces the knife open when you extract it from your pocket. It's many times faster than a switch-blade but legal in most states and durable enough blade and handle to pry anything apart. Check with the laws in your state.
For the Yubikey owners out there, a while back I wrote a blog post on how to achieve a similar setup using a Yubikey [1]. All it requires is a lanyard to attach the yubikey to.
Anyone needing a Yubikey would be very lucky to see them just hanging out of a computer, would just a bonus for the evil actor to also ruin your day and pull it out.
The way I've implemented this is that the yubikey is on an extensible lanyard which is almost always around my neck. So while an evil actor could definitely unplug it to ruin my day, stealing it would be a tad bit more difficult :)
In any case, the primary idea here was not to prevent stealing the laptop, but to prevent walking away from the laptop without locking it.
Or you could attach the Yubikey to your belt (with a clip) and connect it to the laptop with a USB cable. Then all they could steal is a useless laptop and a cheap cable.
Good to have if you run a dark net marketplace or a political disident ring from public libraries.
An additional refinement is to autolock the device if a certain personal key combo (ex. Shit - vol up - vol down) is not pressed every few minutes in response to an audible click. If not unlocked in a minute or so with a complex password, the device halts to a disk encrypted state and unpowered ram, minimizing the window attackers have to recover RAM state.
Wouldn't it make sense to remove the battery on your laptop entirely? With a modified magsafe-like power cord any attempt to grab the machine hard-kills the system and RAM begins degrading immediately. Epoxy over the screw terminals would also delay an attacker long enough to prevent freezing the RAM with compressed air to try and dump RAM via an exploit kit.
I always wonder if you could make a similar device work for EU plugs. You can't wiggle a EU plug out an 8th of an inch and have exposed line voltage, so I imagine you'd need some sort of trick to make it work.
For anything with more than one socket, you just plug in a second cable into a free socket, once the phases are synced up unplug the extension cord or cut the socket free.
For singular sockets straight into the wall, unscrew, clip on connectors with a V shaped knife and same as above.
Although when I was working we usually would take images onsite before even considering moving the devices.
It's definitely not bullet proof but I've set up my laptop to lock when Ethernet or the monitor is unplugged or any new USB device is plugged in.
This stops most but not all live imaging.
Putting epoxy around the top and bottom edges (where the retention clips are) and the right edge (where the contacts are) should make it extremely difficult to dislodge, but not impact the thermal performance of the chips (the black rectangles).
I've noticed many lower end have one soldered and one removable. Drives me crazy because then you end up with more RAM but less performance, so have to choose which hit is worse.
A lot of laptops either refuse to run or heavily throttle while running without internal battery. I know pretty much all Mac portables do it.
Basically the internal battery is used as a buffer for power peaks. So the laptop can use more than the adaptor can provide for a short time. If it didn't throttle it would become unstable.
I think the idea is that you might only have about a second to kill the device. Yes, you can throw your computer in a bathtub of saltwater or whatever but that's not really the point.
How can you be charged with tampering with evidence by epoxying your ram dimms?
It's not as though you tampered with the device after the confiscation. Intent is also hard to prove on such a thing. I didn't want my dimms to fall out at any time if the machine was dropped is pretty good plausible deniability.
The combo solution is not good enough, especially if you are in public.
If you can be observed to use the combo (which you would have to be using regularly) somebody else could be pressing the combo or they could insert USB device that can generate the combo regularly.
I would also add that locking your laptop is not safe enough if you are serious about this. There are devices that can exfiltrate information from what I understand almost every operating system through USB.
With QubesOS. I just tried adding a keyboard and it simply showed me a pop up saying a USB keyboard has been attached. It won’t work until I attach it to a qube.
If the computer is locked, typing commands will not do nothing. If computer is unlocked a person could do it manually without USB by just sending them over internet or storage device of choice, no fancy keyboard+mass storage device required.
Of course not, but then you're saying USB is a security flaw.
My point is that given how universal USB as long as a device can do both input and output it's going to be very hard to stop some exfiltration from being possible.
Do you really think a bug report should be filed on all OS's for allowing USB drives and keyboards to be plugged on a running system?
Exactly. You need something not for when your laptop is removed from you, but when you are removed from your laptop.
Also, if you are being targeted this hard you need to have something for when you are left in front of your laptop and a gun is put to your head. Or the attackers threaten the welfare of your family.
> You need something not for when your laptop is removed from you, but when you are removed from your laptop.
Yeah, this wouldn't have saved the admin of Alphabay, a now defunct darknet market. The FBI staged a car crash outside his house so when he'd come out to see what was going on they could arrest him and likely get to his laptop while it was unlocked. Then again, he really shouldn't have left his computer unlocked.
That seems like a great expense to go to for the sake of a possibility the guy might do more than peek out of the window and then go back to what they were doing.
Surely there were a bunch of other options to consider before "let's stage a car crash"?
> Phirippidis told the audience that the bureau managed to corner Cazes and arrest him while he was still logged in as the admin of AlphaBay by ramming a car through the front gate of his home in Thailand.
If someome is pointing a gun at you, it's probably too late to do anything. There should probably be cameras and motion detectors monitoring the perimeter in order to provide early warning.
The second part is harder to defend against. I didn't flinch when LEO pointed a loaded gun at me and threatened to shoot me, but as soon as they threatened my wife I told them I would sign whatever fiction they wanted to write, which I did. It just took me close to 8 years of being in jail to get a judge to look at it and tell them off and throw out the document.
Yes. Stupid retards did it on video though, otherwise it wouldn't have been seen at all. This was after over an hour of threatening me and refusing my right to silence, not letting me speak to my lawyer, etc.
It is. I filed suit for a lot of different claims related to this, the only one that stuck was the coerced statements. I filed in 2015 but it is still working through the federal court.
I once wrote a script to automatically lock my computer if I got too far away from it, back when I was wearing a bluetooth wristband.
I had a program like this back in PowerBook days. It automatically unlocked the computer if a specified Bluetooth signal reached a particular strength, and locked the computer again if the signal strength fell below another threshold.
It worked great, when it worked. It had maybe a 70% success rate, but that was good enough.
If the feds are pinching you for computer crime in a public space, this is exactly why they'd handcuff you, but keep you within ~10 feet of your laptop.
You are assuming the signal is strong enough to be read at a distance. I just used the RSSI, and going away a few meters was enough. Moreover, since that was just a nicety in case I forgot to lock my computer during a corridor conversation, I could get away with a longer timeout.
A more sophisticated implementation could be done if you can write software on the device. A PineTime would be perfect for this.
I am not sure why mention iOS specifically, a phone is easily forgettable. Moreover, you don't really need to rely on any location API provided by the system, even if UWB or Bluetooth Location Services would do wonders for this, a simple RTT latency measurement or RSSI value should be enough.
No, I got rid of it for multiple other reasons: started using a mechanical watch again, got rid of all proprietary software on my phone (though I used gadgetbridge for a while), realized anybody could just track me as the band was broadcasting the same MAC address everywhere.
I also got multiple LG watch R, I'm probably going to fiddle a bit with them when I have time, hopefully mainlining them and porting postmarketos over. I'm open to trying again with those. In the end, I don't really have sensitive documents on a laptop (besides work-related confidential stuff), so I'm not sure I'd crank paranoia to 11.
As for my phone, I often pull it out of my pocket and leave it on my desk, or abandon it somewhere, charging or powered off -- I should probably be more careful with that, but people know to expect some latency when contacting me.
Or, maybe just add back the Kensington Security Slot and attach the laptop to yourself/desk with a strong wire and not have your laptop yanked in the first place.
I understand the first part of my idea is dead in the water, we hardly get additional ports, let alone a slot hardly anyone will use. But I would like to see a way to retrofit a KSS on a laptop.
>Or, maybe just add back the Kensington Security Slot and attach the laptop to yourself/desk with a strong wire and not have your laptop yanked in the first place.
They could still yank you. It would pretty hard for you to execute the self destruct sequence after the undercover fbi agent knocked you over from your chair.
Locking your laptop to a table in a cafe doesn't seem like something most folks would do. Working in a cafe was the use case I imagined when I saw this.
Yeah I still don't get this. I hate that I can't secure a Macbook. But pretty much every cheap laptop comes with a kensington lock hole.
Sure it is not _super_ secure but being able to leave my laptop for 1 minute in a public place is nice. Instead I have to put the macbook in my backpack and take it with me.
It would be interesting if you could combine the two ideas. Physically secure the laptop to the table, but also lock / shut down / wipe the drive in the event that someone cuts through the wire.
>This device would have kept Ross Ulbricht out of jail.
This device would had made a difference in the initial library-swipe confrontation, but would had definitely not kept Ross out of jail by any means (even that day)
He would of avoided jail (that day, the agent would have noticed the bump-kill-switch and averted recon)
He would had always of went to prison, even if they didn't get his HDD unencrypted. He used his personal email to promote his Mycology website, had the Obama administration to contend with, and was the first to sail westward.
Free Ross (The Department of Parks and Recreation)
Reminds me of a coworker who had their iPhone set to "wipe after 10 bad pins". Took about 2 days before their 5 year old happily typed the wrong pin 10 times and wiped it.
There should be an exponentially increasing delay for such a system, so that the phone would make you wait hours (or days) before letting you make your 10th guess. That would require the 5 year old to not get bored of the useless phone, and the owner to not find the phone (and enter the correct code) for those days too.
Also, it would make sense to include a simple proof-of-intentionality system, like the old Nokia keypad unlock feature to prevent pocket dials. The phone could prompt you to type a displayed 4 digit code before typing your actual PIN attempt, for example.
My old job had wipe after 3 (or maybe it was 5) bad pins within N minutes as the required security setting for company phones. The thing I learnt from it is that wiping your phone actually isn't that big a deal and if you've set it up right you can pretty quickly be back up and running.
I'm getting closer and closer to this reality... iphones are basically there, with icloud backup. Have been trying to get less attached to any OS installs, and be fast at building up from a fresh install. Seems hard to even trust your own desktop after a while.
For most people, availability is the key part of security instead of confidentiality, since for them losing their data is both much more likely and much more painful than someone getting a warrant to take their data from Apple.
The stress I had on 3rd attempt just to discover it is actually 5 attempts... Kind of helps being more conscious about having backup of everything regularly
Blackberry required you to enter the word "Blackberry" after the fifth try, which would at least prevent butt-dialing from wiping the device. Some kids might figure that out too, but at that point I suppose you had the choice to use a condom and decided not to...
Here a story. I got BB RIM 850 when I was 15ish years old, it was my first communication pre-smartphone device. I stupidly set up to wipe my blackberry if input incorrectly after a few times, and I did this within minutes of first time using it. You can imagine what happened in the next 10 minutes... Yes, I forgot my complicated password and it got wiped. And that rendered my brand-new RIM 850 useless. So, I have to wait 10 days to get a new one.
Useless? Perhaps the functionality changed later; when I used one, entering the password wrong 10 times was the easiest way to factory-reset the device prior to handing it to a new owner. It wasn't useless, just palimpsest.
Presumably the people who opt into the self-destruct option are more concerned with the possibility that they might need to self-destruct and not be able to than of possibility of false alarms.
If you've already planned for the possibility of self-destruct, a laptop can be a very transient device. Maybe the only important thing on the laptop is your bitcoin wallet key, but you also have a physical copy stashed in a lockbox somewhere. Maybe you're only using the laptop for its browser, and you've memorized all the passwords you need to enter.
Someone snatching the laptop might be doing so to grab the one keyphrase that you logged in with. The actual device is unimportant to you, then.
Hi, Michael Altfield here (founder of the BusKill project).
As described on the crowdsupply page, the cross-platform GUI app (as opposed to the udev rule for which BusKill was originally designed) currently only has the "lock screen" trigger. In the future, we'll add a "shutdown" trigger.
While we have developed a "LUKS Header Shredder" trigger (what we call "self-destruct" trigger -- as it renders your FDE disk's data permanently inaccessible), we will never ship that directly with the app by default.
There's definitely a use-case for it, but most people probably don't want it. For those that do, we're publishing a guide on how to use the "LUKS Header Shredder" script (tested on Ubuntu and QubesOS) in 2 weeks. For updates, you can subscribe to the website's RSS feed, our website's newsletter (buskill.in), or the crowdsupply.com newsletter.
There are any number of ways to do this, but one is a LUKS encrypted file system and "self destruct" is wiping out the LUKS header and halting. Only the backup of the LUKS header (not with you at the time!) will restore the data.
Yeah, I have that on my servers in case somebody tries to hack them. There is a secret to logging to my machines and if you miss it the machine self destructs in a reversible way. Can't give more information but it is pretty easy to boot it again.
One thing of note here, don't put LUKS header on any kind of flash (like SSD) or SMR HDD.
SSDs and drive-managed SMR HDDs do not immediately delete the data.
If the system is interrupted after data is deleted there is a good chance you can still get it back.
On a normal HDD you still have to wipe the data (ie. physically overwrite it half a dozen times). But this is not possible to execute reliably on SSD or drive-managed SMR HDD.
You can reset the SSD's internal encryption key via hdparm, too, once you're done "deleting" luks header. It takes somewhat longer time, but if the SSD firmware is not completely stupid, it will be the equivalent of deleting the LUKS header and running TRIM on the whole device afterwards.
Reversibility is not a feature of destruction, lexically-speaking. A better description might be "locked".
More importantly in this case: if you are able to reverse it, you can be compelled to reverse it. This is no different than having a secret passphrase.
> if you are able to reverse it, you can be compelled to reverse it.
An interesting way of strengthening such a system is to split the recovery code between multiple people in multiple jurisdictions. Convincing them to hand over their piece of the key could require various levels of proof-of-free-will, ranging from "Hey, I need those numbers on that piece of paper I gave you" (asked on a video call, in a public park) to "I've booked a flight and I'll meet you at the agreed place next Monday at the standard time".
These approaches can be combined with a protocol of "If I use the duress phrase, then give me a fake key and then send a message to the other members of the group / the public / the media that I've been compromised". Of course this sort of system assumes you are part of a wider organisation or at least have friends you can trust to implement all this opsec securely, without adding to your risk profile, but for some people this will be viable.
This is exactly what we do with the "LUKS Header Shredder" script in BusKill. First we lock the screen. Then we use the built-in `luksErase` command to destroy the data in the key slots, then we overwrite the whole header area. Then hard-shutdown.
This script itself was actually an easter-egg in the explainer video at 50 seconds :P
We're just finishing a very detailed write-up on the "LUKS Header Shredder," and we'll be publishing it in ~2 weeks. You can subscribe to our newsletter on our website (buskill.in) or crowdsupply.com for updates :)
Feel like this something similar can be accomplished for Macs using AirTags/Apple Watch proximity to do specific actions via Shortcuts App, instead of just locking/erasing remotely using 'Find My'.
Isn't that already a thing? IIRC you can configure your Mac to unlock if your Watch is in close proximity, so it should be possible to do the opposite when it goes out of range.
I seem to remember Windows 10 has a similar feature. You can pair your phone with it, and it supposedly locks automatically when the phone goes away. I've never seen it work, though...
macOS Monterey added a "Erase All Content and Settings" feature that works like the iOS versions by deleting the encryption key, although as a result the feature only works on T2 and M1 Macs which encrypt the data at rest even without FileVault.
It wouldn't surprise me if Apple imports more emergency wipe features into macOS from iOS.
Interesting. The site implicitly references the arrest of the Silk Road founder, using the alternative acronym "Department of Parks and Recreation". He was arrested by having his laptop literally yanked from under his fingertips in a public library.
Yep, I think so too, it wouldn't have protected him. Whoever was in charge of the operation would've noticed and identified this killswitch, and prepared appropriately. The suspect would be incapacitated as a matter of priority to prevent him from activating it.
Honestly, that sounds a little too "CSI". If the lanyard is attached to a wrist, the chance that someone could be suddenly incapacitated in such a way to avoid a jerky movement that breaks the connection is pretty small. "Knock them unconscious" is a TV trope.
But if you even notice the (thin, dark?) bit of cord between a guy's wrist and laptop computer when he's working on it at a table in the library, wouldn't your first assumption be that he's a bit paranoid about having it stolen and therefore has strapped it to himself by the Kensington Lock slot? So you'd be quite OK with stretching it as far as it goes -- only noticing later that in this case you could "stretch" it beyond that, popping out the USB connector. (Actually, wouldn't a lot of people in a position to do this be only too happy to give it an extra forceful yank, just to hurt the Eevul Hacker?)
Maybe there needs to be an accompanying/alternative device which can be worn in a shoe and detects toe movements. It would probably have to be wireless, which would introduce false positives or false negatives, (and part of it may need to be attached to the user's ankle, due to size constraints), but it would at least defend against an attacker who could physically restrain the user.
I can definitely see policy to tase or otherwise subdue with less than lethal means being OK'ed by authorities and judiciaries. In principle you'd hope this was rigorously established beforehand on per case basis but that historically has not been held to standard long if they end up doing it with any frequency.
This is getting into the security question of what your threat model is. If you're seriously expecting a nation-state intelligence agency to be after your laptop, I'd really, really recommend not having anything on your laptop because unless you've got your own security team they're going to find some way to get it and will observe you to see if you're using something like a killswitch first.
Instead of moving the laptop you move the user. Unless the kill switch is connected to the user or you remove the user too slowly and allow them to manually trigger the kill switch, you may gain access to the laptop.
That's a very interesting proposition that looks completely insane to my European eyes, but I can certainly understand the philosophy behind it.
So the premise is that if using kill-switches becomes common among criminals, we can expect suspects in computer crime cases to be apprehended in ways such as unexpectedly being hit in the head with blunt force trauma, gassed with anesthesics or similar violence. Seems like it would challenge some pretty central democratic principles!
It's probably better to be beat up or tortured by a state actor than to rot in prison for the rest of your life if they get hands on proof of your culpability.
What I'm saying is that they wouldn't get a chance to use the kill switch because they would have focused on "containing" the suspect before they could activate it.
In theory, I agree. But it is somewhat akin to saying - why use strong encryption since a three letter agency can just brute force your device. If you're in that deep, maybe it won't help. But for the average reporter in a hostile zone, keeping the local police from snooping on their machine would be preferential.
We actually agree completely. This thing may be useful, and certainly something to think about if you live or travel to places where electronic devices are often snatched and, like you said, prevents casual snooping since the local police WILL have to escalate to violence.
I just don't think it's going to prevent a Silk Road incident and could make it worse for the suspect.
I disagree. I this this sounds a little too much like a TV show like 24.
The idea that you could completely immobilize someone at a public library so rapidly and without their awareness that they could not even move their arm 20 cm or so during a struggle seems ludicrous to me. Particularly as the kind of person who would buy this device would be setting themselves up with their back to the wall to prevent captures from behind.
I am fairly strong and have wrestled and grappled for over a decade, and I would not put my faith in an operation that required me (even with another agent) to completely immobilize even a weak person enough that I could guarantee they could not trigger this.
This takes a flick of a finger to trigger, or moving your arm a small distance away from the laptop.
> The idea that you could completely immobilize someone at a public library so rapidly and without their awareness that they could not even move their arm 20 cm or so during a struggle seems ludicrous to me.
They didn't "completely immobilize" him, though, as apparently "Ulbricht stood up sharply"[0] after his laptop was seized. However, he did make the mistake of not sitting with his back to a wall, since the agents "walked up behind" him. I guess we'll never know how he would have reacted if they had instead walked up in front of him and tried to grab his arms.
I think you have way too much faith in the reasonableness of law enforcement. There are 20K no-knock raids in the US every year, a significant percentage at the wrong address or clearly innocent people.
This device is indeed clearly designed for a no-knock raid situation, or other surprise grab.
I'm simply saying that, if you're attached to your laptop by a 50cm cable, which of you separate your arm further than that from will lock your computer, it will be very difficult for the agents to guarantee you won't be able to lock your computer.
If your kill switch manages to destroy evidence, that's generally obvious and has two consequences.
First, intentionally hiding or destroying evidence of a crime is itself a crime (self-incrimination is restricted only to verbal statements) of which you can be convicted even if you're not guilty of the original accusation;
Second, destroying evidence in this manner enables the legal concept of 'adverse inference' where essentially the judge can require the jury to assume that the destroyed evidence did contain whatever prosecution wanted to find there, and convict you based on that.
What does "violent criminal" have to do with it? The US (and other jurisdictions ) use extreme, violent arrest methods like no knock raids for all sorts of non violent offences.
> The BusKill team publishes cryptographically signed warrant canaries on a biannual basis.
The canary-002 says:
Status: All good
Release: 2021-06-13
Period: 2021-06-01 to 2021-12-31
Expiry: 2022-01-31
EDIT: Oh, the issue is just that they failed to update the wording of: "We plan to publish the next of these canary statements in the month of June 2021." Looks like a copy from canary-001.
The agents arresting him did in such a way that they prevented him from touching his laptop (by creating a diversion), because they were feared that such a protection might exist.
> The agents arresting him did in such a way that they prevented him from touching his laptop (by creating a diversion), because they were feared that such a protection might exist.
But that's literally the scenario this physical-separation killswitch was designed for.
He wouldn't have had to touch his laptop to trigger this. Quite the opposite.
You must be talking about a different device, because the one shown on this site only triggers if you carelessly move the laptop.
It has no remote part, it doesn't matter how far the user is.
If you're thinking about attaching the trigger to your hand with a lanyard, the agents could easily hold your hand in place, cut the lanyard, ...
I don't understand why people always assume the FBI is brain-dead and could not use countermeasures against devices such as this if they become wide spread.
If done properly the agents grabbing his laptop/snatching it away from him would have severed the power connection to the battery-remove laptop locking it permanently.
I think would work only if the user wasn't at the keys. Plus if the adversary has full access to the hardware then what are they doing under my library table!
It's a specialized tool, but basically the plug get pulled out slightly (which isn't enough to disconnect power in the US), and then the tool goes over the line and neutral pins, which supplies power from what is basically an UPS. After that, the entire plug can be pulled and capped (because you've got 120V across the exposed end of a plug now).
Probably wouldn't work the same in Euro countries which have other plug types.
Windows: Sorry, Dave, we can't shut your system down right now, you have 3 apps keeping it from shutting down and we have 37 updates to Edge Browser to install... Have a nice day.
Forces processes to terminate if they do not respond to the WM_QUERYENDSESSION or WM_ENDSESSION message within the timeout interval. For more information, see the Remarks.
If the EWX_FORCEIFHUNG value is specified, the system forces hung applications to close and does not display the dialog box.
If forced shutdown is a priority, causing a bugcheck would probably be your best bet. This could be part of the USB driver for the device, or you could write a piece of software running as admin to trigger a fail state (like killing wininit or any other critical part of Windows).
You'd have to watch out that you don't let the system store a memory dump, of course, that'd be the exact opposite of what you want.
Currently the BusKill app just locks the screen when the cable disconnects. I've never had Windows block the screen lock with such an error.
The way we implemented the self-destruct (currently only available in Linux), it locks the screen before attempting to wipe the LUKS Header. I imagine we'll do something similar in Windows, so the worst-case would be the soft shutdown hangs but at-least the screen is locked immediately.
Hopefully we can force an immediate, uninterruptible, hard-shutdown in Windows, too.
Why would anyone serious about this be running Windows in the first place? A live Linux operating system is so much better. Tails is designed for this.
Must have if you work in public places in SF. I can barely count how many times I’ve personally or had a friend who’s either had their laptop stolen in a coffee shop or attempted. In recent years thieves even got more brazen and just try to snatch it from you while your hands are still on the keyboard which is perfect for this device. You’ll want to enable full disk encryption for full security.
Reminds me of the story of the arrest of Ross Ulbricht, where his open laptop was snatched away from him in a library by undercover FBI agents, while logged in and chatting as DPR. I recommend reading the whole story, this is in part 2 (https://www.wired.com/2015/05/silk-road-2)
DPR is Dread Pirate Roberts from Silk Road.
“What unfolded next was a piece of improvisational theater. At 3:14 pm, DPR was typing away, writing to Cirrus. Just then, a middle-aged woman and man came toward Ross, ambling along in the kind of semihomeless shuffle you might often see in a San Francisco library. “Fuck you!” the woman yelled when they were directly behind Ross’ chair. As if they were a deranged couple about to fight, the man grabbed the woman by the collar and raised his fist.
Ross turned around for just a second, during which a hand reached across the table and grasped Ross’ Samsung. The petite, unassuming young Asian woman sitting across from Ross this whole time was, to everyone’s surprise, also an FBI agent. Ross lunged for his machine, a hair too late, as she turned like a quarterback for a quick handoff to Kiernan, who appeared out of nowhere—as instructed—to get the laptop. It took less than 10 seconds. From afar, Tarbell was astonished by the elegant choreography of the whole thing. It looked like the police procedural version of a tight jazz quartet.”
Indeed. If what I'm doing is so sensitive I need a dead-man switch (i.e. the consequences of getting caught are very high), $89 to improve my opsec is definitely worth the money.
Actually, Amazon did have USB-A magnetic breakaway components before, but they went EOL and sold-out when I first published my DIY article on how to build-your-own-BusKill-cable last year.
The reason I started making my own was a response to all the folks that asked me how they could get a USB-A BusKill cable since they sold-out (and they also were never available in Europe -- now they are!).
That is pretty much what Tails is doing: If you disconnect the USB drive with the system, it will wipe the RAM and then shut down. However the data on the USB drive isn't modified, so if you don't trust its encryption you should prepare for quick physical destruction and/or disposal.
I can grant expensive (though I don't know for how cheap I could make such a sellable project with free worldwide shipping, while also making profit), but what is comically impractical about this? It's not like the default functionality is to nuke the device from the orbit on disconnect.
You could make one for yourself cheaper, though, if you have the know-how.
Though a basic face detection-based screen lock could be quite more useful and cheaper, at the cost of increased battery consumption.
Personally I have only found cables with relatively weak magnetic power. Where does one find these strong ones, in particular for prices like you mention? It doesn't seem to be a well-advertised property, so it's difficult to tell if they are actually strong ot not :/.
The $59 price still includes worldwide shipping.
> That you have to carry such contraption around and find a place to tie it to.
I mean you are already carrying a laptop, and probably a charger with cables, so carrying a magnetic cable doesn't seem a big stretch. You would put it to the same bag with your other laptop-related accesories.
It is also quite popular to wear pants with belt loops, which would seem suitable for tying this one. Granted dresses and skirts have these less commonly; even then perhaps one could use a belt. For sportswear I don't have a good suggestion.
I notice you refer to these "better ways" yet you don't enumerate any. At least I wouldn't consider accelerometer and radio-based solutions proper alternatives to this (unless using proper latency-based distance measurement, I wonder if this truly can be implemented for less than $30). The camera solution I proposed might be realistic one, but it eats battery.
> That you have to carry such contraption around and find a place to tie it to.
If you're the type of person who uses a laptop lock, I could see something like this being a welcome enhancement. But in that case it would be most practical if it were built into the lock itself.
Me, a person with no real use for this product but still interested: "Wow this is a great idea! I'll investigate!"
Me, a clumsy person watching the video: "Oh no,"
In all seriousness though, I can see how this product could be useful to someone in very specific circumstances and is also an interesting idea.
The current app is limited to locking your screen. Future releases will include soft/hard shutdown. So, by default, your clumsiness would just mean you have to type your password to unlock your screen. Not a big compromise :)
We do have a "LUKS Header Shredder" trigger (which we call self-destruct as it renders all the data on the FDE disk useless), but we (intentionally) don't include it by default and raise the barrier of entry because of the risk of data loss.
We'll be publishing a more detailed write-up on the LUKS Header Shredder in 2 weeks. You can subscribe for updates on our website (buskill.in) or the campaign directly (crowdsupply.com)
Might be a good idea to remove "self-destruct" from the front page your marketing if it's not intended for the masses. Or at the very least, explain that it's not a default behavior. While you were able to explain that here, others will be hesitant to adopt without the context.
usbkill triggers when a device is inserted. BusKill triggers when a device is removed. It's an important difference.
I actually didn't start BusKill to sell devices. It was originally a DIY project. The problem is that after I published the article describing how to make it, the one manufacturer of USB-A magnetic breakaways EOL'd their product and it sold-out (my & Hacker New's fault). It also wasn't for sale outside the US.
This campaign is a response to people who asked me how they could build their own USB-A cable with a magnetic breakaway. Before they couldn't. Now they can.
When I designed BusKill, I intentionally avoided wireless solutions.
BusKill is designed for situations where the risk is extremely high, and you'll find that the radio-based solutions aren't very secure. They're faulty and have huge surface areas of attack.
> Using a radio-based Dead Man Switch introduces complexity, delays, and an increased vector of attack. BusKill is a simple hardware kill cord and is therefore more secure than any wireless solution.
It would be nice if it were a USB-C power brick + magsafe like attachment. That could also be a lot more discrete by shifting the hardware to the brick itself. Granted that limits you to fewer laptops.
This is very cool to see. When I discovered and subsequently purchased my framework back in October I had an idea for a homebrewed, 3D printed expansion card, where plugging it in/activating it immediately executes dban (or some other, better alternative).
Or you could always just carry an enormously strong electromagnet on you :-)
Very keen on picking one of these up purely for the novelty, price isn't too bad. Although I think the demographic who would and could actually benefit from a failsafe for having their laptop physically yanked away from them is quite small.
Maybe I'm "spoiled" because in Germany there's a need to publish an imprint on all websites that are somehow "commercial" (having ads on it would be enough), but this is highly "dubious".
No contact information (as in "who runs this?") is provided on the site. Privacy policy is not GDPR compliant (no contact information provided), no names, nothing.
This might be fine for a personal blog, but for doing business this is (at least for me) a no-go.
The above article front-paged on Hacker News, and I got a lot of people asking me how they could buy one and use it in on Windows and MacOS. Over the past year, many people have contributed in porting it to those platforms (I originally just designed it for myself, and I use Linux).
The BusKill project is not owned by me. All our work is open-source, and it's owned by the community. As such, I don't put just my name on it because it's not just my work. But if you dig around, you do see my name pop-up in a few places.
The list of contributors can be found on our documentation's "Attribution" section.
The main website is mostly just a landing page, blog, and a store so people can buy with cryptocurrencies and Tor since CrowdSupply doesn't run an Onion Service and doesn't accept crypto payments.
Not everyone who has contributed to the BusKill project is still active, but some of us are. You can find our names & photos at the bottom of the Crowd Supply campaign page:
I'm not familiar with the German rules, but GDPR Art. 14 §1 says:
> Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
> (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
Usually, these contact details are in the privacy policy.
It's certainly unusual for a website to omit this, and in most cases I wouldn't buy from a site where it's missing. In this particular case, maybe it's less strange.
However, I still wouldn't order without knowing from where the package will be sent. Something from Estonia arrives here without any import taxes, something from outside the EU can do (the CrowdSupply site says they handle VAT), but can also attract high processing fees.
All orders are handled by CrowdSupply (via Mouser). They handle shipping, VAT, import taxes, etc.
It certainly added cost to the final product, but I figured it was more fair & transparent to everyone to set shipping to $0 internationally (I hate it when you finally make it to payment and only then learn shipping is $20 :/).
I don't think it is. Neither in B2B and especially not in B2C. Although I think the consequences would mostly be worse for the customer, not the seller.
Chapter 2 and 3 of the "BGB" contain several paragraphs which define legal rights and obligations for doing business via the internet or telephone.
§312f for example defines that customers must receive "a copy of a contractual document signed by the contracting parties in such a way that their identity is identifiable" (translated via DeepL).
A simple mail address is not an identity in German law, especially not when doing business with B2C as you always have a 14 day period to cancel your order (except for downloads and various, special products).
edit: If you want to cancel, you must be able to do so via (offline) mail, too.
Sure, they're not following the rules. Why would that affect the validity of your contract with them if you purchase good from them? Why would this contract not bind the seller?
I would. It would save me the time spotting the red flags and backing away anyway.
Though a couple of relevant regulations state this should not be done, and no site is going to send away a potential customer by saying “we don't want to follow your laws/regulations so can't do business with you” when they can instead just get away with just ignoring, or in the case of sites run from elsewhere in the world claim to have no no knowledge of, those regulations.
> no site is going to send away a potential customer by saying “we don't want to follow your laws/regulations so can't do business with you”
Many local US-based TV news/newspaper sites do this albeit with a slightly more opaque message. And customer still mostly fits because these sites are ad-supported (usually with a mix of local/non-local ads.
It's not about viewing/trying to track me, but we are talking about somebody trying to sell me something. Would you feel fine paying around 100 bucks to... well... whom?
Just a website with no contact information, no names, adresses, business registration, whatever?
As far as I can see, this could very likely be a scam of some sort, because anybody who's into doing "real", honest, business would be fine with giving his name and address.
Yes, but I’m also aware that the possibility is roughly 0% if a person is truly determined to run a dangerous scam, regardless of what regulations are put in place.
MacBooks used to have a key combination (left cmd shift option and power) that could be used to kill power instantly. In the schematics, these keyboard keys were hard wired to the SMC microcontroller's reset line, which would remove all voltage to the motherboard upon reset.
With the T2, this still exists, but you need to wait more seconds and use a 2step combination. This is a pain because you can no longer use it to do an emergency shutdown.
I guess the best way would be to auto lock the laptop if someone screams, no hardware needed and if they hold you, you can still scream to lock the laptop
This could have saved the creator of silk route. Not that I sympathize with crime, but he was unfairly accused of crimes he didn't committed like paying hitmen to kill enemies. Also, the way to operation was setup to get his laptop forcefully from him was, at the least, disrespectful. If FBI was so sure he committed any crime, they could have legally got a search warrant.
I vaguely remember there being special hard drives with an "acid release" tab for rapid physical destruction. The military being a prime consumer. For laptops, I'm thinking a Thermite kill switch would be effective.
Am I the only one to think that if someone is close enough to physically yank your computer out of your hands they are also physically close enough to beat you with a wrench if you lock the computer containing what they are after?
Same. A person I know was buying physical gold about 8 years ago in preparation for a mega economic collapse which leaves gold as king. However he himself said that he will lose in the end because someone with a gun will come and take what he's got.
What percentage of the time are you dealing with thieves versus physical assailants? The lock screen seems to be for more casual users. The shred the filesystem is for hard-core users that will get beat harder if the assailant finds evidence.
That's what the self destruct is for. If you are yanked from your laptop or vice versa the laptop will crypto shred its disk and wipe RAM. Your attackers can hit you till you die but you will not be able to reverse it.
Alternatively you can remove the laptop battery and use it with just the charging cable attached to power the device. The laptop will automatically shut off when the power cable is disconnected. Then PAM Duress [0] can be used for the xkcd538 [1] situation.
Why not have a bluetooth/wifi/customised proximity device constantly connected to your laptop (and resides in your wallet/shoes/private parts) and if you suddenly are too far away from your laptop while it's unlocked it gets purged?
If all you want is a bluetooth/wifi solution, then there's tons of "solutions" on the market for this. See our "comparison" table on CrowdSupply for some options:
When I designed BusKill, I intentionally avoided wireless solutions.
BusKill is designed for situations where the risk is extremely high, and you'll find that the radio-based solutions aren't very secure. They're faulty and have huge surface areas of attack.
I like the accelerometer idea. Hardware would be more dependable than a sequence of events that requires being able to speak and the mic to be working.
Say I'm an investigative journalist, gathering information about some bad guy embezzling all politicians that matter in a small country and doing all kinds of criminal stuff, including murders.
I'm careful. I'm using a laptop that has this kill switch. I only keep my work on this laptop, it's so sensitive.
The bad guy gets a whiff I'm digging around him. He sends armed thugs to my lair. They enter, so I pop the kill switch. "Where is the data?!", they ask me. "I don't know what you're talking about!" They beat me down, then one thug says to the other: "Hey comrade, look, maybe it's all on this laptop?" — "Let's see". The laptop doesn't boot. They turn to me: "Funny how this laptop of yours doesn't even boot, why would you have a non-working toy?" I play dumb, they train their guns on my head. "Okay, okay," I say, "the data on this laptop has self-destructed, you're not getting it, no one is getting it!" — "Really?" — "Really!" — "It's good, motherfucker," says the thug and double-taps me in the head.
You're confusing attacks. What you describe is very useful when there is not threat to your being. You just want the data gone.
However, if you are under physical threat then this is still useful because 1) you can protect witnesses and others and 2) you can make forwarding this information to remote sources part of the self-destruct.
That is, "Sorry, I no longer have the data - the laptop self-destructed. The data and my name and location have been posted to reddit publicly or sent to a list of contacts in six countries"
The point is, they want 1) you to stop and 2) to recover the data. You can bargain for your life by setting up the actions taken should this be activated.
In such a scenario, you're right that if the attacker will use physical violence against you, of course the device wouldn't save you from bodily harm.
But what about your sources? In this situation (if you actually can't remember the anonymous email address of your source), it's not your life that's being saved -- it's the identity and the life of the whistleblower.
I’m pretty sure there are rules of informational hygiene for cases like this, and they mostly grate on instincts of any geek obsessed with having all the data neatly organized, cross-referenced, and persisted.
You can add any number of security layers, but you should always presume someone might get their hands onto whatever you’re working on at the moment in cleartext and you want any damage to be minimal.
If they send assassins to your home because you know too much, OPSEC no longer matters. You're as good as dead if you don't immediately escalate to deadly force. Instead of destroying data, the computer should be uploading and publishing as much of it as possible so that whatever you're doing can't be stopped no matter what happens to you.
This has happened, it was just that no technical gizmo would have saved the guy. I cannot imagine how.
In case of a corrupt government, if they wanted to lock you up, they wouldn't strictly need any evidence at all. Having a gizmo that can potentially destroy evidence is a bonus. Otherwise, they will throw you behind the bars for 18 years for jaywalking. If you had a controversial businessman and his thugs after you, destroying the evidence only means they wouldn't have to destroy it themselves after having killed you.
In any case, if you're working on sensitive stuff and you want to pretend you're writing some innocent poetry, I don't think any kind of jamesbondian device would help you look inconspicuous.
> if you're working on sensitive stuff and you want to pretend you're writing some innocent poetry
For plausible deniability, you need a second account on the machine that has all your poetry in. Then, when the thugs (or border guards) tell you to log into your laptop, you use the other username and password and say "Feel free to read all this poetry. I'm particularly proud of the one called 'My government isn't corrupt at all'."
Also, in this scenario, you should probably store your raw information (with the names of innocents redacted) in a public cloud somewhere outside your jurisdiction, encrypted, and have a time-based dead man's switch (hosted somewhere else) which sends an email to your colleagues containing the URL and decryption key.
Yes! That was just under 2 years ago. It's the same project.
DIY is great. The problem is that after I published that article, everyone on Hacker News went and bought-out all the USB-A magnetic breakways on Amazon. And they literally never re-stocked (I found out later it was EOL from the manufacture).
The reason I launched this crowdfunding campaign was to put these USB-A magnetic breakaway cables back on the market so people could build their own again (and to sell the whole kit, to lower the barrier of entry to non-techie journalists).
I hate everything about this website. It uses all the tropes of a bad kickstarter campaign, and to sell you this item it preys on fear and misunderstanding. I absolutely do not trust that this company has my best interest at heart. It's so bad I wouldn't go near this product for any money.
The website also runs fine over Tor with javascript disabled. And I spent a lot of time modifying the theme to remove as much third party content (eg google fonts) as I could.
We don't expect blind trust, but we do try to be totally transparent to earn it.
they organized it so that he was surrounded by agents. they needed to get access to his laptop while it was open and running. This might have gotten him just enough time to disable it before they made their rush.
Looks like "security LARPers" are at it again. I'd bet 99% of buyers will self destruct their laptop themselves, by accidentally bumping into the cord.
And to think now, the same people are pushing the narrative how PGP is bad.
Hi, I'm Michael Altfield (Founder of the BusKill project). I'll take that bet because I'm pretty sure <99% of people will ever enable the self-destruct triggers :)
BusKill does not ship with destructive triggers. The current app is limited to locking your screen. Future releases will include soft/hard shutdown.
We do have a "LUKS Header Shredder" trigger (which we call self-destruct as it renders all the data on the FDE disk useless), but we (intentionally) don't include it by default and raise the barrier of entry because of the risk of data loss.
We'll be publishing a more detailed write-up on the LUKS Header Shredder in 2 weeks. You can subscribe for updates on our website (buskill.in) or the campaign directly (crowdsupply.com)
Also, while I recognize there are limits in PGP, I encourage it and actively train journalists and activists on how to use it (though I do prefer messaging solutions that make e2ee required and use PFS like Signal, Threema, Wire, etc).
Dread Pirate Roberts did have a kill switch. The FBI agents distracted him by having two pretend to be a couple fighting. He turned his head to watch. Then the other FBI agent beside him swiped his laptop. Theoretically he could have hit the kill switch before turning to gawk at a lovers quarrel, but I mean, not many have the opsec or personal discipline to do that.
That's... because it isn't? How would a dead man switch be illegal?
I mean it may, hypothetically, be used to hide illegal activities, but if you go that way you go down the slippery slope and will be advocating for weakening or backdooring encryption just in case it's used for illegal activites.
This is a perfect fit for darknet admins, being able to nuke all digital evidence when arrested has been a thing for ever. Often it works by closing the laptop.
It might also be useful for whistleblowers, although I doubt that there is any advantages over strong file and disk encryption.
User-Defined Phrase: "Please dont kill me", activates "duress" mode.
- A daemon listens in the background for a phrase of your choice. When detected, your laptop makes a sound effect that is not out of the ordinary for others to hear, but not something you would expect it to play when self destruct is activated. Git repos are committed/pushed with a duress demarcation code to an alternate branch. Your encrypted volumes are dismounted, buffers and caches cleared, camera and microphone start sending small chunks of audio/video to a destination of your choosing. Instructions for playback from your cloud of choice are emailed to emergency contacts. If you do not give the "all clear" in a user-configurable time period, the laptop does user-defined things like wiping encrypted volumes after giving an optional warning sound, optionally sending eeprom codes to brick the BIOS or replace the BIOS with a tracker and setting the screen to say "Stolen From User-Defined String, User-Defined Phone Number" after giving an optional warning sound. All of these actions could be optionally spaced apart based on risk, probably defined in a key-pair text file or json file.
User-Defined Phrase: "Computer, disable self destruct" disables "duress" mode.
- Giving the all clear code disables this behavior and your ship does not self destruct. The system plays a sound to acknowledge "all clear". Emergency contacts are emailed the all-clear, but audio/video continue to upload for user-defined time in the event your were forced to give the phrase.
Perhaps newer cars could also have this feature? Are there any existing open source projects that could be adapted/bent to accomplish these things?