Schneier on Security

Clive Robinson • January 7, 2020 9:24 AM

@ Bruce and the usuall suspects,

Clever idea, but I — and my guess is most people — would be much more likely to stand up from the table, forgetting that the cable was attached, and yanking it out. My problem with pretty much all systems like this is the likelihood of false alarms.

This was discussed in depth quite a few years ago on this blog as a form of “Deadmans switch” by primarily @Nick P and myself, along with how to build computers into safes lined with thermite.

The point raised then was that very easy very fast and reliably triggered activation was the most important thing.

Which is why the use of some kind of strap from the users wrist or belt etc was decided not to be effective as a trigger (fast dog pilling by agents would stop it for instance or bullet to the “monkey brain”). Thus a switch with a spring that had to be held closed by the operator in some way was required. Something like a foot switch was also not reliable thus a knee switch held against a table leg was to be prefered.

Which obviously raised the risk of false positives significantly.

Thus what happened after triggering would have to be a timed sequence of events that was profiled against your security requirments.

Thus the first step might be blank screen to timed password entry, if that time passed then wipe the FDE and Core RAM encryption keys securely then further time staged actions that could result in thermite packed into the case space being ignited or speciall shaped charges destroying certain chips or both etc.

Other discussions we had on this blog around that time were about removing the “what you know” asspect of authentication not just out of jurisdiction but into several jurisdictions using “secret sharing” to give all involved parties “plausable deniability”.

More recently I’ve talked about the failings of the “what you know” factor due to the limitations of the average human mind. Put simply the human mind is not realy designed to remember things like random strings with any acuracy. However there are other things the human mind is very good at such as spacial awareness. Thus expanding this into the “what you know” asspect of two or more factor authentication, that again used a timed sequence of lockout steps.

Two such additions to “what you know” were “time” and “space” that is you would have to take the device to a certain place at a certain time before any other factor such as password, token or biometric would become valid, which is a variation on the multi jurisdiction idea.

Thus any half competent Linuk Admin or system programmer having read this post, should now have sufficient information not just to make such deadmans switches way more effective but also reduce faslse positive effects and upping the security level to any level they deem appropriate including “self destruction” if required.

As some Austarlian friends would say “No worries mate, nugh said” 😉

Clive Robinson • January 7, 2020 10:28 AM

@ AlexR,

… it may have helped Ross Ulbricht (of “Silk road” fame)

Probably not on it’s own.

Don’t forget the XKCD $5 wrench,

https://www.xkcd.com/538/

Or the fact some US judges have held people on “contempt” charges untill they died (that is the judge died in one case). Often because the defendant could not prove they did not know something the judge believed otherwise,

In this case

https://abcnews.go.com/2020/story?id=8101209

He was let out because it became clear he either did not know or was never going to assist, therefore the required “coercive” asspect of the contempt holding had failed and would continue to do so.

Which is important, if you prove you don’t know and can not be coerced by imprisonment it’s game over for contempt. Thus the question falls to other matters of the legal system. In the UK for instance under RIPA there is a proscribed tarriff for not handing over the encryption (but not signing[1]) keys. Thus a defendent can either make a calculated choice or more importantly prove that they can not know what the encryption keys are as they never knew. Also that they can not access the backup of the keys because they are not held under their control and those who do have control are not in the jurisdiction so can not be compled either, further that trying to compel them would not work either due to the in built deniability of shared secret keys.

[1] Which opens up an interesting line of logic not to disimlar to that which warrant caneries raise.

Clive Robinson • January 7, 2020 10:13 PM

@ ALL,

The thing that supprises me about many of these devices is just how complicated they make them. Any *nix admin who has ever integrated a UPS system usually has all the knowledge required to implement an auto shutdown system. Early UPS’s used a switch on one of the serial port lines such as “ring detect” to take advantage of the already in built “modem capabilities” and finding info on this via a web search should be fairly easy [Linux com port ring detect] will get most admins what they need.

Although many laptops nolonger have direct serial ports any longer, the FT232 family of RS232 to USB chip devices are both numerous and very inexpensive and miniture PCBs that will plug directly into a USB port are available from many places including those that support “Raspberry Pi” or Arduino SBC or other “maker” projects.

The information in this document should give people a starting point to think on,

https://www.linux.com/news/adding-ups-desktop-linux-machine/

But don’t ask me for support…

Clive Robinson • January 8, 2020 2:34 PM

@ vas pup,

… which delivers emp to computer …

The problem with EMP especially E1 is firstly it follows what many call the low resistence path. But secondly an E1 EMP event has picosecond rise times and E field measurments in the tens of thousands of volts per meter.

Which in effect means a great deal of it’s energy is up in and beyond the microwave bands. As all conductors have both inductance and capacitance they have an effective impedence at which they behave like a transmission line in which energy is stored not disipated. The better the match between the transmission line impedence and the load the more power gets disipated by the load resistive component and the less gets reflected to be close coupled to other conductors or reradiated.

The result is you know the EMP energy is only going to go to some part of the circuit but not all, and worse you have no idea where it might go.

Thus it’s entirely possible that a chip used for data storage might have it’s bond wires melt like fuses and some of the devices in the bond out pads blow, but the actuall AND/OR or OR/AND storage array survive intact.

Thus anyone who can decap the chip and repair the bond out or probe past them could get at the data in.part or in whole.

It’s one of the reasons why certain parts of the Intelligence Community has looked at miniture shaped charges for “self destruct” They get built in the chip package, pressed up against the chip surface. So the plasma jet does melt chip features fractionally before the shock wave shatters the chip into micro fine or smaller pieces.

It’s recognised that data destruction of in chip stored data is one of the hardest things to do. Hence the reason why more modern “black boxes” have built in chip memory that can survive 100G type loads and are way more reliable than the old wire recorders. Such chips tend to be the same as those used in Flash drives for thumb drive format, however the are slightly better mounted and supported than traditional thumb drives.