338 comments

[ 3.9 ms ] story [ 296 ms ] thread
This is shockingly expensive and comically impractical to use.
$89 doesn't seem that expensive.

It's just as impractical as money belts, key chain alarms, Tiles(tm)

I mean, too impractical for me, but there is definitely a market for it.

Well, that's something you could easily do with only software and any USB device :

while { if(!monitored_device.plugged) { setComputerOnFire() } }

It must exist somewhere. And for the magnetic gimmick, any magnetic usb (which, btw, are actually pretty useful) cable from amazon would do the trick.

That is pretty much what Tails is doing: If you disconnect the USB drive with the system, it will wipe the RAM and then shut down. However the data on the USB drive isn't modified, so if you don't trust its encryption you should prepare for quick physical destruction and/or disposal.
Hi pjerem, Michael Altfield here (founder of the BusKill project).

The problem is that there are no USB-A magnetic breakaways available on Amazon. If there were, then I wouldn't have launched this campaign!

* https://buskill.in/buy

Actually, Amazon did have USB-A magnetic breakaway components before, but they went EOL and sold-out when I first published my DIY article on how to build-your-own-BusKill-cable last year.

* https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k...

The reason I started making my own was a response to all the folks that asked me how they could get a USB-A BusKill cable since they sold-out (and they also were never available in Europe -- now they are!).

Indeed. If what I'm doing is so sensitive I need a dead-man switch (i.e. the consequences of getting caught are very high), $89 to improve my opsec is definitely worth the money.
Or your threat model is high, think journalists with protected sources.
How is Tile impractical?
I can grant expensive (though I don't know for how cheap I could make such a sellable project with free worldwide shipping, while also making profit), but what is comically impractical about this? It's not like the default functionality is to nuke the device from the orbit on disconnect.

You could make one for yourself cheaper, though, if you have the know-how.

Though a basic face detection-based screen lock could be quite more useful and cheaper, at the cost of increased battery consumption.

Only the cable by itself cost $59.00.

It's the same USB magnetic cable that you can buy in many shops for $2.

> but what is comically impractical about this?

That you have to carry such contraption around and find a place to tie it to.

If you have to spend more than $30 for a custom device you can detect if a laptop is being moved away from a table in many better ways.

> > but what is comically impractical about this?

> That you have to carry such contraption around and find a place to tie it to.

If you're the type of person who uses a laptop lock, I could see something like this being a welcome enhancement. But in that case it would be most practical if it were built into the lock itself.

Personally I have only found cables with relatively weak magnetic power. Where does one find these strong ones, in particular for prices like you mention? It doesn't seem to be a well-advertised property, so it's difficult to tell if they are actually strong ot not :/.

The $59 price still includes worldwide shipping.

> That you have to carry such contraption around and find a place to tie it to.

I mean you are already carrying a laptop, and probably a charger with cables, so carrying a magnetic cable doesn't seem a big stretch. You would put it to the same bag with your other laptop-related accesories.

It is also quite popular to wear pants with belt loops, which would seem suitable for tying this one. Granted dresses and skirts have these less commonly; even then perhaps one could use a belt. For sportswear I don't have a good suggestion.

I notice you refer to these "better ways" yet you don't enumerate any. At least I wouldn't consider accelerometer and radio-based solutions proper alternatives to this (unless using proper latency-based distance measurement, I wonder if this truly can be implemented for less than $30). The camera solution I proposed might be realistic one, but it eats battery.

Oh, so you could hopefully substitute a suitable USB C cable? (Assuming they exist)
Interesting. The site implicitly references the arrest of the Silk Road founder, using the alternative acronym "Department of Parks and Recreation". He was arrested by having his laptop literally yanked from under his fingertips in a public library.
Having a USB kill switch in this case could (would?) have escalated the arrest method to something more violent.
How would a more violent arrest have solved anything?
Instead of moving the laptop you move the user. Unless the kill switch is connected to the user or you remove the user too slowly and allow them to manually trigger the kill switch, you may gain access to the laptop.
That's a very interesting proposition that looks completely insane to my European eyes, but I can certainly understand the philosophy behind it.

So the premise is that if using kill-switches becomes common among criminals, we can expect suspects in computer crime cases to be apprehended in ways such as unexpectedly being hit in the head with blunt force trauma, gassed with anesthesics or similar violence. Seems like it would challenge some pretty central democratic principles!

The kill switch is useless if the accused is incapacitated before they could trigger it.

No knock raids, which are inherently violent, to "preserve evidence" and reduce the risk to LEO happen about 20000 times a year in the US.

(comment deleted)
> No knock raids, which are inherently violent

> reduce the risk to LEO

I remember reading news about an american who killed an officer who entered without knocking. He was not convicted, it was ruled self-defense.

20,000 no knock raids and, I think, two cases of officers being killed.
It's probably better to be beat up or tortured by a state actor than to rot in prison for the rest of your life if they get hands on proof of your culpability.

Besides the USA is not Al Qaida, there is a chance they would respect the Geneva convention: https://ccrjustice.org/home/get-involved/tools-resources/fac...

What I'm saying is that they wouldn't get a chance to use the kill switch because they would have focused on "containing" the suspect before they could activate it.
In theory, I agree. But it is somewhat akin to saying - why use strong encryption since a three letter agency can just brute force your device. If you're in that deep, maybe it won't help. But for the average reporter in a hostile zone, keeping the local police from snooping on their machine would be preferential.
We actually agree completely. This thing may be useful, and certainly something to think about if you live or travel to places where electronic devices are often snatched and, like you said, prevents casual snooping since the local police WILL have to escalate to violence.

I just don't think it's going to prevent a Silk Road incident and could make it worse for the suspect.

I disagree. I this this sounds a little too much like a TV show like 24.

The idea that you could completely immobilize someone at a public library so rapidly and without their awareness that they could not even move their arm 20 cm or so during a struggle seems ludicrous to me. Particularly as the kind of person who would buy this device would be setting themselves up with their back to the wall to prevent captures from behind.

I am fairly strong and have wrestled and grappled for over a decade, and I would not put my faith in an operation that required me (even with another agent) to completely immobilize even a weak person enough that I could guarantee they could not trigger this.

This takes a flick of a finger to trigger, or moving your arm a small distance away from the laptop.

> The idea that you could completely immobilize someone at a public library so rapidly and without their awareness that they could not even move their arm 20 cm or so during a struggle seems ludicrous to me.

Well, they did — and without even touching him.

They didn't "completely immobilize" him, though, as apparently "Ulbricht stood up sharply"[0] after his laptop was seized. However, he did make the mistake of not sitting with his back to a wall, since the agents "walked up behind" him. I guess we'll never know how he would have reacted if they had instead walked up in front of him and tried to grab his arms.

[0] https://www.businessinsider.com/ross-ulbricht-will-be-senten...

I think you have way too much faith in the reasonableness of law enforcement. There are 20K no-knock raids in the US every year, a significant percentage at the wrong address or clearly innocent people.
Did you reply to the wrong comment?

This device is indeed clearly designed for a no-knock raid situation, or other surprise grab.

I'm simply saying that, if you're attached to your laptop by a 50cm cable, which of you separate your arm further than that from will lock your computer, it will be very difficult for the agents to guarantee you won't be able to lock your computer.

If your kill switch manages to destroy evidence, that's generally obvious and has two consequences.

First, intentionally hiding or destroying evidence of a crime is itself a crime (self-incrimination is restricted only to verbal statements) of which you can be convicted even if you're not guilty of the original accusation;

Second, destroying evidence in this manner enables the legal concept of 'adverse inference' where essentially the judge can require the jury to assume that the destroyed evidence did contain whatever prosecution wanted to find there, and convict you based on that.

Yep, I think so too, it wouldn't have protected him. Whoever was in charge of the operation would've noticed and identified this killswitch, and prepared appropriately. The suspect would be incapacitated as a matter of priority to prevent him from activating it.
Honestly, that sounds a little too "CSI". If the lanyard is attached to a wrist, the chance that someone could be suddenly incapacitated in such a way to avoid a jerky movement that breaks the connection is pretty small. "Knock them unconscious" is a TV trope.
What about "pin his hands to the table" while the nerds exfiltrate the data?
Maybe there needs to be an accompanying/alternative device which can be worn in a shoe and detects toe movements. It would probably have to be wireless, which would introduce false positives or false negatives, (and part of it may need to be attached to the user's ankle, due to size constraints), but it would at least defend against an attacker who could physically restrain the user.
But if you even notice the (thin, dark?) bit of cord between a guy's wrist and laptop computer when he's working on it at a table in the library, wouldn't your first assumption be that he's a bit paranoid about having it stolen and therefore has strapped it to himself by the Kensington Lock slot? So you'd be quite OK with stretching it as far as it goes -- only noticing later that in this case you could "stretch" it beyond that, popping out the USB connector. (Actually, wouldn't a lot of people in a position to do this be only too happy to give it an extra forceful yank, just to hurt the Eevul Hacker?)
Why? Was he a violent criminal?
What does "violent criminal" have to do with it? The US (and other jurisdictions ) use extreme, violent arrest methods like no knock raids for all sorts of non violent offences.
I can definitely see policy to tase or otherwise subdue with less than lethal means being OK'ed by authorities and judiciaries. In principle you'd hope this was rigorously established beforehand on per case basis but that historically has not been held to standard long if they end up doing it with any frequency.

This is getting into the security question of what your threat model is. If you're seriously expecting a nation-state intelligence agency to be after your laptop, I'd really, really recommend not having anything on your laptop because unless you've got your own security team they're going to find some way to get it and will observe you to see if you're using something like a killswitch first.

The idea is interesting, but the current form factor seems to be cumbersome. The cord can be easily disconnected by mistake.

It would be nice to have a BT dongle that could react to the distance to the owner and to being unplugged.

Until something interferes with the bluetooth signal.
Literally an FAQ on the homepage.

> But bluetooth...

> Using a radio-based Dead Man Switch introduces complexity, delays, and an increased vector of attack. BusKill is a simple hardware kill cord and is therefore more secure than any wireless solution.

It would be nice if it were a USB-C power brick + magsafe like attachment. That could also be a lot more discrete by shifting the hardware to the brick itself. Granted that limits you to fewer laptops.
If all you want is a BT dongle, then there's tons of "solutions" on the market for this. See our "comparison" table on CrowdSupply for some options:

* https://www.crowdsupply.com/alt-shift/buskill

When I designed BusKill, I intentionally avoided wireless solutions.

BusKill is designed for situations where the risk is extremely high, and you'll find that the radio-based solutions aren't very secure. They're faulty and have huge surface areas of attack.

For the Yubikey owners out there, a while back I wrote a blog post on how to achieve a similar setup using a Yubikey [1]. All it requires is a lanyard to attach the yubikey to.

[1]: https://tbabej.com/Yubikey-secure-session-setup/

Anyone needing a Yubikey would be very lucky to see them just hanging out of a computer, would just a bonus for the evil actor to also ruin your day and pull it out.
Or you could attach the Yubikey to your belt (with a clip) and connect it to the laptop with a USB cable. Then all they could steal is a useless laptop and a cheap cable.
The way I've implemented this is that the yubikey is on an extensible lanyard which is almost always around my neck. So while an evil actor could definitely unplug it to ruin my day, stealing it would be a tad bit more difficult :)

In any case, the primary idea here was not to prevent stealing the laptop, but to prevent walking away from the laptop without locking it.

Won’t do much against my $5 pair of scissors!
Once you’ve lost your yubikey, you have to reboot as root then?

Is it possible to register 2 keys, so that any of them is correctly recognised?

I guess the best way would be to auto lock the laptop if someone screams, no hardware needed and if they hold you, you can still scream to lock the laptop
Just remember to whitelist the Wilhelm scream, otherwise you'll get a lot of false positives from any TV in the room.
This comment takes me back to when I didn’t have kids.
But what if you have no mouth?
I feel I would somehow forget its there a lose all my data within the week...
Yeah, setting it to destroy your data when removed isn't advisable outside of some very controlled settings.
Not to mention, USB drives fail.
Feel like this something similar can be accomplished for Macs using AirTags/Apple Watch proximity to do specific actions via Shortcuts App, instead of just locking/erasing remotely using 'Find My'.
Isn't that already a thing? IIRC you can configure your Mac to unlock if your Watch is in close proximity, so it should be possible to do the opposite when it goes out of range.
Probably something the Shortcuts app could do, I couldn't find a Watch specific entry when creating one though. So it's just lock/unlock for now.
I seem to remember Windows 10 has a similar feature. You can pair your phone with it, and it supposedly locks automatically when the phone goes away. I've never seen it work, though...
macOS Monterey added a "Erase All Content and Settings" feature that works like the iOS versions by deleting the encryption key, although as a result the feature only works on T2 and M1 Macs which encrypt the data at rest even without FileVault.

It wouldn't surprise me if Apple imports more emergency wipe features into macOS from iOS.

Maybe I'm "spoiled" because in Germany there's a need to publish an imprint on all websites that are somehow "commercial" (having ads on it would be enough), but this is highly "dubious".

No contact information (as in "who runs this?") is provided on the site. Privacy policy is not GDPR compliant (no contact information provided), no names, nothing.

This might be fine for a personal blog, but for doing business this is (at least for me) a no-go.

Would you be happier if the site prevented you from viewing it?
I would. It would save me the time spotting the red flags and backing away anyway.

Though a couple of relevant regulations state this should not be done, and no site is going to send away a potential customer by saying “we don't want to follow your laws/regulations so can't do business with you” when they can instead just get away with just ignoring, or in the case of sites run from elsewhere in the world claim to have no no knowledge of, those regulations.

> no site is going to send away a potential customer by saying “we don't want to follow your laws/regulations so can't do business with you”

Many local US-based TV news/newspaper sites do this albeit with a slightly more opaque message. And customer still mostly fits because these sites are ad-supported (usually with a mix of local/non-local ads.

It's not about viewing/trying to track me, but we are talking about somebody trying to sell me something. Would you feel fine paying around 100 bucks to... well... whom?

Just a website with no contact information, no names, adresses, business registration, whatever?

As far as I can see, this could very likely be a scam of some sort, because anybody who's into doing "real", honest, business would be fine with giving his name and address.

> Would you feel fine paying around 100 bucks to... well... whom?

I’d feel fine deciding if I feel fine.

That’s also why I have a credit card. I can get scammed and not be out $100.

Ok, so you get the item and it explodes in your face. Whom do you sue?
Probably nobody!
And you don't think there should at least be some possibility to hold someone liable in case something goes _terribly_ wrong?
Yes, but I’m also aware that the possibility is roughly 0% if a person is truly determined to run a dangerous scam, regardless of what regulations are put in place.
Yes, we are spoiled.

I'm not sure it's even possible to have a valid contract with an unknown party...

"Operator of buskill.in" does not seem like an unknown party?
It is. What's the postal address of the "operator of buskill.in" so I can file claims with him?
info@buskill.in
You seem to misunderstand what a postal address is.

The provided information on this website is not enough to do legally binding business (at least in some parts of Europe, it's not only Germany).

In Germany you can enter into a verbal contract without any exchange of personal details. Why would a website be treated differently? I'm curious.

As far as I understand German law is very flexible about what constitutes a valid legally binding contract.

Chapter 2 and 3 of the "BGB" contain several paragraphs which define legal rights and obligations for doing business via the internet or telephone.

§312f for example defines that customers must receive "a copy of a contractual document signed by the contracting parties in such a way that their identity is identifiable" (translated via DeepL).

A simple mail address is not an identity in German law, especially not when doing business with B2C as you always have a 14 day period to cancel your order (except for downloads and various, special products).

edit: If you want to cancel, you must be able to do so via (offline) mail, too.

Sure, they're not following the rules. Why would that affect the validity of your contract with them if you purchase good from them? Why would this contract not bind the seller?
I don't think it is. Neither in B2B and especially not in B2C. Although I think the consequences would mostly be worse for the customer, not the seller.
If they wanted to be dubious, they could've put up some fake/stolen information.

Then you wouldn't question it, which just makes the whole thing rather useless.

I always found it funny how people trust Stiftung Warentest. It's the German equivalent to "Which?", but at least Brits know they're full of shit.

Hi martin_a, I'm Michael Altfield. I started the BusKill project in January 2020 with the following article on my blog:

* https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k...

The above article front-paged on Hacker News, and I got a lot of people asking me how they could buy one and use it in on Windows and MacOS. Over the past year, many people have contributed in porting it to those platforms (I originally just designed it for myself, and I use Linux).

The BusKill project is not owned by me. All our work is open-source, and it's owned by the community. As such, I don't put just my name on it because it's not just my work. But if you dig around, you do see my name pop-up in a few places.

The list of contributors can be found on our documentation's "Attribution" section.

* https://docs.buskill.in/buskill-app/en/stable/attribution.ht...

The main website is mostly just a landing page, blog, and a store so people can buy with cryptocurrencies and Tor since CrowdSupply doesn't run an Onion Service and doesn't accept crypto payments.

Not everyone who has contributed to the BusKill project is still active, but some of us are. You can find our names & photos at the bottom of the Crowd Supply campaign page:

* https://www.crowdsupply.com/alt-shift/buskill

Contact information is provided on the website. There's a link to it in the Footer* and on the GitHub page. Not sure how I can make that more clear:

* https://www.buskill.in/contact/

I'm not familiar with the German rules, but GDPR Art. 14 §1 says:

> Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

> (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

Usually, these contact details are in the privacy policy.

It's certainly unusual for a website to omit this, and in most cases I wouldn't buy from a site where it's missing. In this particular case, maybe it's less strange.

However, I still wouldn't order without knowing from where the package will be sent. Something from Estonia arrives here without any import taxes, something from outside the EU can do (the CrowdSupply site says they handle VAT), but can also attract high processing fees.

https://gdpr-info.eu/art-13-gdpr/

(Note I'm not interested in buying a BusKill; I'm just procrastinating.)

All orders are handled by CrowdSupply (via Mouser). They handle shipping, VAT, import taxes, etc.

It certainly added cost to the final product, but I figured it was more fair & transparent to everyone to set shipping to $0 internationally (I hate it when you finally make it to payment and only then learn shipping is $20 :/).

> Buy with Monero

I bet they'd go crazy if someone accused them of this being designed for illegal activities

That's... because it isn't? How would a dead man switch be illegal?

I mean it may, hypothetically, be used to hide illegal activities, but if you go that way you go down the slippery slope and will be advocating for weakening or backdooring encryption just in case it's used for illegal activites.

This is a perfect fit for darknet admins, being able to nuke all digital evidence when arrested has been a thing for ever. Often it works by closing the laptop.

It might also be useful for whistleblowers, although I doubt that there is any advantages over strong file and disk encryption.

It doesn't seem, to me, to be designed for illegal activities any more than, say, a car is. People commit crimes with those every day.
I remember seeing something likes this as a do it yourself a while back on hacker news.
Yes! That was just under 2 years ago. It's the same project.

DIY is great. The problem is that after I published that article, everyone on Hacker News went and bought-out all the USB-A magnetic breakways on Amazon. And they literally never re-stocked (I found out later it was EOL from the manufacture).

The reason I launched this crowdfunding campaign was to put these USB-A magnetic breakaway cables back on the market so people could build their own again (and to sell the whole kit, to lower the barrier of entry to non-techie journalists).

* https://buskill.in/buy

Why not use an accelerometer IC? Then you don't need the cord.

Another idea is to use voice recognition.

I like the accelerometer idea. Hardware would be more dependable than a sequence of events that requires being able to speak and the mic to be working.
That's not helping if the person is yanked from the laptop instead of the other way round.
Might have protected Ross Ulbricht, but he’s an edge case. Anyone had their laptop yanked away while using it?
I thought standard practice was to run no battery, AC adapter only mode.
They will hit the outlet and bring the AC with them, without bumping voltage.
What kind of equipment does one use to do this?
I'm sure a power-supply-person with more knowledge can expand, but essentially a USP brick with cabling.

They will bridge the outlet, and take the outlet, AC adapter, and everything connected, without the AC adapter even reading a voltage drop.

It's a specialized tool, but basically the plug get pulled out slightly (which isn't enough to disconnect power in the US), and then the tool goes over the line and neutral pins, which supplies power from what is basically an UPS. After that, the entire plug can be pulled and capped (because you've got 120V across the exposed end of a plug now).

Probably wouldn't work the same in Euro countries which have other plug types.

Even easier: just pull the wall plate out, then hook up the UPS behind it with couple of tap splices.
I think would work only if the user wasn't at the keys. Plus if the adversary has full access to the hardware then what are they doing under my library table!
This was my immediate thought as well. Oh Ross, if only you closed that damn laptop lid (and didn't incriminate yourself blatantly on stack overflow)
Actually we know it wouldn't.

The agents arresting him did in such a way that they prevented him from touching his laptop (by creating a diversion), because they were feared that such a protection might exist.

If done properly the agents grabbing his laptop/snatching it away from him would have severed the power connection to the battery-remove laptop locking it permanently.
>If done properly

The man was running a multi-million dollar drug marketplace in a public library.

What was the logic behind that? So he couldn’t be traced back to his house?
There was no logic.

A public library is even worse for that purpose, because of security cameras and witnesses.

> The agents arresting him did in such a way that they prevented him from touching his laptop (by creating a diversion), because they were feared that such a protection might exist.

But that's literally the scenario this physical-separation killswitch was designed for.

He wouldn't have had to touch his laptop to trigger this. Quite the opposite.

You must be talking about a different device, because the one shown on this site only triggers if you carelessly move the laptop.

It has no remote part, it doesn't matter how far the user is.

If you're thinking about attaching the trigger to your hand with a lanyard, the agents could easily hold your hand in place, cut the lanyard, ...

I don't understand why people always assume the FBI is brain-dead and could not use countermeasures against devices such as this if they become wide spread.

You must have missed part of the description where they said the kill switch should be attached to the user's body.

If the user is attached to the switch and moves more than 50 cm or so from their laptop, the switch is triggered.

There are mentions in this thread about false positives, risk of data loss, others. This made me think of Star Trek's use of a self destruct phrase. Obviously their method is too slow, but you could have a "duress" phrase and a "all clear" phrase.

User-Defined Phrase: "Please dont kill me", activates "duress" mode.

- A daemon listens in the background for a phrase of your choice. When detected, your laptop makes a sound effect that is not out of the ordinary for others to hear, but not something you would expect it to play when self destruct is activated. Git repos are committed/pushed with a duress demarcation code to an alternate branch. Your encrypted volumes are dismounted, buffers and caches cleared, camera and microphone start sending small chunks of audio/video to a destination of your choosing. Instructions for playback from your cloud of choice are emailed to emergency contacts. If you do not give the "all clear" in a user-configurable time period, the laptop does user-defined things like wiping encrypted volumes after giving an optional warning sound, optionally sending eeprom codes to brick the BIOS or replace the BIOS with a tracker and setting the screen to say "Stolen From User-Defined String, User-Defined Phone Number" after giving an optional warning sound. All of these actions could be optionally spaced apart based on risk, probably defined in a key-pair text file or json file.

User-Defined Phrase: "Computer, disable self destruct" disables "duress" mode.

- Giving the all clear code disables this behavior and your ship does not self destruct. The system plays a sound to acknowledge "all clear". Emergency contacts are emailed the all-clear, but audio/video continue to upload for user-defined time in the event your were forced to give the phrase.

Perhaps newer cars could also have this feature? Are there any existing open source projects that could be adapted/bent to accomplish these things?

I always thought that a lock screen with two passwords would be an interesting idea. Say the BusKill locks your system and sends a request to a server. If you don't enter the correct password to abort the script within a few seconds, it will run on your server, which sends a distress mail/call to emergency contacts, revoke all ssh keys/passwords etc.

If however the distress password gets entered, the script still runs, but the system unlocks into a virtual pc or another account which is not suspicious.

Truecrypt had this exact function - one password would decrypt your drive sort of on one end, and start the OS there, another password would decrypt the drive on the other end, and start the OS installed there - so you always had perfectly plausible deniability, since the drive taken as a whole looked like a completely normal encrypted drive(in fact you could accidentally destroy the hidden partition by overwriting "empty" area while booted into the non-secret OS). Always thought that was super cool.
The only problem is this is sort of obvious from a forensics perspective. Person is using truecrypt, they boot it up for you, and the partition is only half the size it should be.
Your parent seems to point out that's not how it works: you've got access to the ful partition either way, meaning you can accidentally overwrite the other partition.
If I remember right, the hidden partitions are indistinguishable from random data on your disk and it was necessary to provide an offset to the first block (or whatever) so it could be decrypted. You could easily overwrite it accidentally because it just looks like free space.
No, like the other reply pointed out too - it's not obvious. The first password unlocks the entire partition, the hidden one is just within the "empty" area of the drive. If you write a sufficiently large file while running the OS you could just overwrite and destroy the hidden partition without knowing that you did so. It's also impossible to tell that the hidden parition is there because encrypted data is indistinguishable from encrypted empty area of the drive.
Since Truecrypt bailed without explanation, do you know if Veracrypt also has this feature?
It does. Veracrypt is basically Truecrypt with some new features as far as I've been able to tell.
After TC killed the project (for all intents and purposes) is there the ssme level of trust in VC?
The question always was what kind of attack are you trying to guard yourself against. I imagine top level agencies have a way to crack truecrypt/veracrypt encrypted volumes, but I also imagine they aren't using that capability against just anyone to not show their hand and risk the issue being fixed.
> perfectly plausible deniability

The paranoid dystopian counterpart is that you cannot prove you don't have a second partition either. Might get awkward if someone decided to compel the second password on less solid evidence. If you're not actually using the feature.

this is why you should actually have "signs of life" and something _slightly_ illegal on your plausible deniability partition. Just enough dirt to get you into trouble, but not too much trouble. If you're squeeky clean, you get the rubber hose cryptography treatment.
If you want those signs of life to be convincing, it should include all kinds of history without long gaps, such as:

- email, including recently received and sent emails

- web browser history

- system logs

- software updates

In practice, I think it’s impossible to do that. If the police discovers, for example, that your system logs show your machine was off for a week, but they also just saw you reset it, what do you tell them?

>>but they also just saw you reset it, what do you tell them?

That you're not a computer expert and have no idea why your computer wasn't keeping logs correctly?

not an expert, yet you set up an encrypted partition?
Yeah, there was a tutorial online. Thought it was a good idea in case my laptop got stolen. Don't need to be an expert to click through an automated wizard, do I?
"rubberhose him just to be sure"
this is a real problem, yes; i find encrypted volume in swap partition actually provides better plausible deniability. "I was told it should be 2x the size of RAM," - says a guy with 512G of ram and swapoff.
Ah, the magical porn partition.

Level of kink up to you.

There was a case here in Germany where the police report revealed that they apparently spent a lot of time looking for evidence of a hidden partition/encrypted data etc because a PC owned by single man with zero evidence of porn was unusual. (but didn't find anything in the end, and didn't claim anything they didn't have evidence for)
Have I got a PAM module for you: https://github.com/nuvious/pam-duress
The problem is, if they are serious and suspect you might be prepared and technical savvy, they will never allow you to operate the device.
Yep. Pretty much all nerd solutions to physical or legal threats are genius but also worse than useless. Here's a $5 hammer, hit him with it until he gives us what we're looking for, so goes the comic I saw once.
That’s why it needs to be destructive. You can’t beat access to something out of someone if it has been deleted.
While true, they may beat you anyway just to be sure.
Big opportunity to implement a kill-switch if the microphone recognizes your screams!
> Here's a $5 hammer, hit him with it until he gives us what we're looking for, so goes the comic I saw once.

You are probably thinking of the $5 wrench in https://xkcd.com/538/

That's referred to as rubber hose cryptography.
That's also why Assange (and others) developed the Rubberhose file system[0].

It's based on the game theoretic idea that if your adversary has no way of knowing how many hidden partitions you have, then you have no way of proving to them that you've given them all your secrets.

As such, there is no benefit to you revealing any secrets under torture, because the torture would continue even after you've told them everything, therefore there is no point to them torturing you in the first place.

[0] https://en.wikipedia.org/wiki/Rubberhose_%28file_system%29

"JOB OPPORTUNITY: Assassins and mercenaries required. Must be proficient in game theory".

In reality they will torture you until you stop decrypting partitions, and then a bit more of special torture, just in case.

If they don't understand game theory, that just means they will act sub-optimally. In any case, the correct strategy for the user is still to not decrypt any partitions, since, as you say, the sooner the user stops decrypting, the sooner the torturers give up.
I don't think either of has met someone who engages in actual torture, but I imagine they rarely, if ever, “give up”.
A state liable to torture you may simply kill you instead. Or torture you and kill you, even if it serves no particular purpose.

If you're in the business of protecting your secrets against torture then you need to also be protecting them against death because that is grimly inevitable.

"I don't think they wanted me to say anything. It was just their way of having a bit of fun, the swines."
That seems like a pretty foolish assumption to make of your adversaries/captors.

If a torturer has good reason to believe you have valuable information regarding subject X, they'll simply torture you until they possess that information or you die. If you don't possess the information, you're screwed. If you do possess the information, it's likely that they'll stop after they get what they're after.

That's not really making the case for clever crypto solutions. Assange is rotting in prison and is probably going to die in the US in the near future. What secret information could he be protecting at this point?
This is effective against legal threats. I remember at least one case in my country where one person was saved by truecrypt. They even asked the FBI for help on decrypting it.

Hopefully civilization is not so far gone that police will imprison, torture or kill for failing to incriminate themselves. If it gets to the point cold-blooded torture is on the table, you'll probably get killed anyway.

Disclaimer: I know next to nothing about OS'es and login and so on.

I had an idea once, would it be possible to set up two sets of passwords? One to properly unlock your device, and one to trigger either encryption or scrambling of the data when entered?

Of course, this is a kill switch, but that's usually detectable if the attacker is sophisticated enough. Plus, they can always backup the disk before.

Plausible deniability lets you pretend you do not have incriminating data, but it's tricky to use in the first place: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyA...

Travelling with an empty disk seems like a more appropriate option. Dm-verity could probably be used to check that there has been no tampering.

Of course, but this won’t be easy with commodity hardware. Standard practice is to use write-blockers to prevent this kind of tricks, but of course you can prevent write-blockers by integrating your storage.

I think you could get a pixel phone to do this in a useful way.

BusKill does not ship with destructive triggers. The current app is limited to locking your screen. Future releases will include soft/hard shutdown.

We do have a "LUKS Header Shredder" trigger (which we call self-destruct as it renders all the data on the FDE disk useless), but we (intentionally) don't include it by default and raise the barrier of entry because of the risk of data loss.

We'll be publishing a more detailed write-up on the LUKS Header Shredder in 2 weeks. You can subscribe for updates on our website (buskill.in) or the campaign directly (crowdsupply.com)

Does it support destroying keys in hardware tokens? Would be nice if plugging my yubikey into a specific USB port automatically destroyed all keys inside it.
You really want such devices - i.e. Devices with duress modes - to act normally, as much as possible when in those modes. If they clearly destroy themselves immediately you often place yourself in much greater danger. If anything log them into a sandbox or honeypot that is, as much as possible, indistinguishable from your normal environment but is less damaging for you for them to access.
how would you account for :poker face: "please don't kill me" vs :in a stranglehold, bleeding internally from multiple stab wounds: "PLAYS DON--"
I think at that point your laptop is the least of your concerns. I don't let people get that close.

As a side note, Emerson Knives makes a really nice highly durable set of pocket knives with a "wave" that forces the knife open when you extract it from your pocket. It's many times faster than a switch-blade but legal in most states and durable enough blade and handle to pry anything apart. Check with the laws in your state.

Yeah, any kid can then boot it from that same USB port with another USB with OS on it, then format it and sell it.
Am I the only one to think that if someone is close enough to physically yank your computer out of your hands they are also physically close enough to beat you with a wrench if you lock the computer containing what they are after?

https://xkcd.com/538/

This xkcd is exactly what came to mind when reading the "Who benefits from BusKill" section.
Probably most of the time but maybe not when the adversery wants to be covert.
Same. A person I know was buying physical gold about 8 years ago in preparation for a mega economic collapse which leaves gold as king. However he himself said that he will lose in the end because someone with a gun will come and take what he's got.
That's what the self destruct is for. If you are yanked from your laptop or vice versa the laptop will crypto shred its disk and wipe RAM. Your attackers can hit you till you die but you will not be able to reverse it.
What percentage of the time are you dealing with thieves versus physical assailants? The lock screen seems to be for more casual users. The shred the filesystem is for hard-core users that will get beat harder if the assailant finds evidence.
Or, maybe just add back the Kensington Security Slot and attach the laptop to yourself/desk with a strong wire and not have your laptop yanked in the first place.

I understand the first part of my idea is dead in the water, we hardly get additional ports, let alone a slot hardly anyone will use. But I would like to see a way to retrofit a KSS on a laptop.

Locking your laptop to a table in a cafe doesn't seem like something most folks would do. Working in a cafe was the use case I imagined when I saw this.
The point is to lock your laptop when the government is coming to bust you. This device would have kept Ross Ulbricht out of jail.
>This device would have kept Ross Ulbricht out of jail.

This device would had made a difference in the initial library-swipe confrontation, but would had definitely not kept Ross out of jail by any means (even that day)

Oh he certainly would have been arrested (jail), but he would have avoided prison (conviction).
He would of avoided jail (that day, the agent would have noticed the bump-kill-switch and averted recon)

He would had always of went to prison, even if they didn't get his HDD unencrypted. He used his personal email to promote his Mycology website, had the Obama administration to contend with, and was the first to sail westward.

Free Ross (The Department of Parks and Recreation)

It would be interesting if you could combine the two ideas. Physically secure the laptop to the table, but also lock / shut down / wipe the drive in the event that someone cuts through the wire.
>Or, maybe just add back the Kensington Security Slot and attach the laptop to yourself/desk with a strong wire and not have your laptop yanked in the first place.

They could still yank you. It would pretty hard for you to execute the self destruct sequence after the undercover fbi agent knocked you over from your chair.

You could tether the kill cord to your belt loop.
Yeah I still don't get this. I hate that I can't secure a Macbook. But pretty much every cheap laptop comes with a kensington lock hole.

Sure it is not _super_ secure but being able to leave my laptop for 1 minute in a public place is nice. Instead I have to put the macbook in my backpack and take it with me.

  BusKill can trigger your laptop to lock, shutdown, or self-destruct if it's physically separated from you.
I understand lock and shutdown but self-destruct? Really? Your laptop/data is one bump away from destroying itself?
Reminds me of a coworker who had their iPhone set to "wipe after 10 bad pins". Took about 2 days before their 5 year old happily typed the wrong pin 10 times and wiped it.
My old job had wipe after 3 (or maybe it was 5) bad pins within N minutes as the required security setting for company phones. The thing I learnt from it is that wiping your phone actually isn't that big a deal and if you've set it up right you can pretty quickly be back up and running.
I'm getting closer and closer to this reality... iphones are basically there, with icloud backup. Have been trying to get less attached to any OS installs, and be fast at building up from a fresh install. Seems hard to even trust your own desktop after a while.
Is this convenience worth sending unencrypted backups of your data to Apple?

Do they allow truly offline backup and restore?

For most people, yeah it's worth it. Afaik, yeah they do allow fully offline backup/restore, you don't need to use iCloud for that.

I switched away to an Android, so this isn't something I'm taking advantage of personally.

> Is this convenience worth sending unencrypted backups of your data to Apple?

iCloud Backups are not "unencrypted backups"

https://support.apple.com/en-us/HT202303

I do wish they would bump the backups to "end-to-end encryption" category though, at least as an option.

For most people, availability is the key part of security instead of confidentiality, since for them losing their data is both much more likely and much more painful than someone getting a warrant to take their data from Apple.
The stress I had on 3rd attempt just to discover it is actually 5 attempts... Kind of helps being more conscious about having backup of everything regularly
There should be an exponentially increasing delay for such a system, so that the phone would make you wait hours (or days) before letting you make your 10th guess. That would require the 5 year old to not get bored of the useless phone, and the owner to not find the phone (and enter the correct code) for those days too.

Also, it would make sense to include a simple proof-of-intentionality system, like the old Nokia keypad unlock feature to prevent pocket dials. The phone could prompt you to type a displayed 4 digit code before typing your actual PIN attempt, for example.

There is an increasing delay on iPhones. After 6 attempt it stops accepting input for 5 minutes. It gets longer each time after that.
Blackberry required you to enter the word "Blackberry" after the fifth try, which would at least prevent butt-dialing from wiping the device. Some kids might figure that out too, but at that point I suppose you had the choice to use a condom and decided not to...
Here a story. I got BB RIM 850 when I was 15ish years old, it was my first communication pre-smartphone device. I stupidly set up to wipe my blackberry if input incorrectly after a few times, and I did this within minutes of first time using it. You can imagine what happened in the next 10 minutes... Yes, I forgot my complicated password and it got wiped. And that rendered my brand-new RIM 850 useless. So, I have to wait 10 days to get a new one.
Useless? Perhaps the functionality changed later; when I used one, entering the password wrong 10 times was the easiest way to factory-reset the device prior to handing it to a new owner. It wasn't useless, just palimpsest.
There are any number of ways to do this, but one is a LUKS encrypted file system and "self destruct" is wiping out the LUKS header and halting. Only the backup of the LUKS header (not with you at the time!) will restore the data.
Yeah, I have that on my servers in case somebody tries to hack them. There is a secret to logging to my machines and if you miss it the machine self destructs in a reversible way. Can't give more information but it is pretty easy to boot it again.

One thing of note here, don't put LUKS header on any kind of flash (like SSD) or SMR HDD.

>One thing of note here, don't put LUKS header on any kind of flash (like SSD) or SMR HDD.

Why not?

SSDs and drive-managed SMR HDDs do not immediately delete the data.

If the system is interrupted after data is deleted there is a good chance you can still get it back.

On a normal HDD you still have to wipe the data (ie. physically overwrite it half a dozen times). But this is not possible to execute reliably on SSD or drive-managed SMR HDD.

You can reset the SSD's internal encryption key via hdparm, too, once you're done "deleting" luks header. It takes somewhat longer time, but if the SSD firmware is not completely stupid, it will be the equivalent of deleting the LUKS header and running TRIM on the whole device afterwards.
> self destructs in a reversible way

Reversibility is not a feature of destruction, lexically-speaking. A better description might be "locked".

More importantly in this case: if you are able to reverse it, you can be compelled to reverse it. This is no different than having a secret passphrase.

> if you are able to reverse it, you can be compelled to reverse it.

An interesting way of strengthening such a system is to split the recovery code between multiple people in multiple jurisdictions. Convincing them to hand over their piece of the key could require various levels of proof-of-free-will, ranging from "Hey, I need those numbers on that piece of paper I gave you" (asked on a video call, in a public park) to "I've booked a flight and I'll meet you at the agreed place next Monday at the standard time".

These approaches can be combined with a protocol of "If I use the duress phrase, then give me a fake key and then send a message to the other members of the group / the public / the media that I've been compromised". Of course this sort of system assumes you are part of a wider organisation or at least have friends you can trust to implement all this opsec securely, without adding to your risk profile, but for some people this will be viable.

This is exactly what we do with the "LUKS Header Shredder" script in BusKill. First we lock the screen. Then we use the built-in `luksErase` command to destroy the data in the key slots, then we overwrite the whole header area. Then hard-shutdown.

This script itself was actually an easter-egg in the explainer video at 50 seconds :P

* https://youtu.be/S3LtLyuaBvI?t=46

We're just finishing a very detailed write-up on the "LUKS Header Shredder," and we'll be publishing it in ~2 weeks. You can subscribe to our newsletter on our website (buskill.in) or crowdsupply.com for updates :)

Presumably the people who opt into the self-destruct option are more concerned with the possibility that they might need to self-destruct and not be able to than of possibility of false alarms.

If you've already planned for the possibility of self-destruct, a laptop can be a very transient device. Maybe the only important thing on the laptop is your bitcoin wallet key, but you also have a physical copy stashed in a lockbox somewhere. Maybe you're only using the laptop for its browser, and you've memorized all the passwords you need to enter.

Someone snatching the laptop might be doing so to grab the one keyphrase that you logged in with. The actual device is unimportant to you, then.

Hi, Michael Altfield here (founder of the BusKill project).

As described on the crowdsupply page, the cross-platform GUI app (as opposed to the udev rule for which BusKill was originally designed) currently only has the "lock screen" trigger. In the future, we'll add a "shutdown" trigger.

While we have developed a "LUKS Header Shredder" trigger (what we call "self-destruct" trigger -- as it renders your FDE disk's data permanently inaccessible), we will never ship that directly with the app by default.

There's definitely a use-case for it, but most people probably don't want it. For those that do, we're publishing a guide on how to use the "LUKS Header Shredder" script (tested on Ubuntu and QubesOS) in 2 weeks. For updates, you can subscribe to the website's RSS feed, our website's newsletter (buskill.in), or the crowdsupply.com newsletter.

I thought the self-destruct wouldn't run a script, but would actually be a physical attack on the laptop like the usb-killer v2 from a few years back.
This is very cool to see. When I discovered and subsequently purchased my framework back in October I had an idea for a homebrewed, 3D printed expansion card, where plugging it in/activating it immediately executes dban (or some other, better alternative).

Or you could always just carry an enormously strong electromagnet on you :-)

Very keen on picking one of these up purely for the novelty, price isn't too bad. Although I think the demographic who would and could actually benefit from a failsafe for having their laptop physically yanked away from them is quite small.

Our target demographic is mostly journalists.

Keep an eye on the number of journalists who are murdered in oppressive regimes. It's very sad :'(

* https://rsf.org/en/ranking

Good to have if you run a dark net marketplace or a political disident ring from public libraries.

An additional refinement is to autolock the device if a certain personal key combo (ex. Shit - vol up - vol down) is not pressed every few minutes in response to an audible click. If not unlocked in a minute or so with a complex password, the device halts to a disk encrypted state and unpowered ram, minimizing the window attackers have to recover RAM state.

The combo solution is not good enough, especially if you are in public.

If you can be observed to use the combo (which you would have to be using regularly) somebody else could be pressing the combo or they could insert USB device that can generate the combo regularly.

I would also add that locking your laptop is not safe enough if you are serious about this. There are devices that can exfiltrate information from what I understand almost every operating system through USB.

> There are devices that can exfiltrate information from what I understand almost every operating system through USB.

If that is true, then it is a vulnerability. You should file bug reports.

How will you prevent a USB device to present itself as both a keyboard and mass storage and then type commands that copy data?
Keyboard and mouse plugged in after the system boots should only become effective after user permission is given using previously available devices.

For more safety: any plugged usb device should lock your screen so that a password is required before it can be used.

With QubesOS. I just tried adding a keyboard and it simply showed me a pop up saying a USB keyboard has been attached. It won’t work until I attach it to a qube.
usbguard does that without the need for Qubes.
If the computer is locked, typing commands will not do nothing. If computer is unlocked a person could do it manually without USB by just sending them over internet or storage device of choice, no fancy keyboard+mass storage device required.
An OS doesn't even need to implement USB support. Of course it can offer access controls to enable the USB devices.
Of course not, but then you're saying USB is a security flaw.

My point is that given how universal USB as long as a device can do both input and output it's going to be very hard to stop some exfiltration from being possible.

Do you really think a bug report should be filed on all OS's for allowing USB drives and keyboards to be plugged on a running system?

> you're saying USB is a security flaw

It is.

> Do you really think a bug report should be filed on all OS's for allowing USB drives and keyboards to be plugged on a running system?

Automatically trusting input devices is as bad as trusting user input. It's trivial to pass off a programmable USB keyboard as a mass storage device.

I was saying that the existence of the non-implementation of USB proves the possibility of access controls on USB.

Convoluted way to put it I guess. For some reason was intuitive to me (proof of existence by example, more trivial example better).

Having access controls on USB-HID is just a local policy choice where most people would choose convenience over security.

I agree, and it makes sense for some security oriented OS.

But the comment I replied to seemed to suggest that the possibility of data exfiltration via USB is a bug in any OS.

Instead of a personal key combo, a dongle with an OTP code.

Both the dongle and the computer have accelerometer-bump-tilt-oh-fuck-support.

A OTP has to be entered every 5 minutes, or a secure screen/dead sequence starts.

Sudden accelerated movements or a lack of presence-detection would also start the sequence.

I once wrote a script to automatically lock my computer if I got too far away from it, back when I was wearing a bluetooth wristband.

I guess you could do the same, but shut down the computer instead.

Unfortunately, iOS-provided location resolution for use in shortcuts makes it worthless for in-home use. Unless you live in a mansion though I guess.
You are assuming the signal is strong enough to be read at a distance. I just used the RSSI, and going away a few meters was enough. Moreover, since that was just a nicety in case I forgot to lock my computer during a corridor conversation, I could get away with a longer timeout.

A more sophisticated implementation could be done if you can write software on the device. A PineTime would be perfect for this.

I am not sure why mention iOS specifically, a phone is easily forgettable. Moreover, you don't really need to rely on any location API provided by the system, even if UWB or Bluetooth Location Services would do wonders for this, a simple RTT latency measurement or RSSI value should be enough.

I always carry my phone, even if moving to another room. I assumed that a similar behavior is why you got rid of your wristband.
No, I got rid of it for multiple other reasons: started using a mechanical watch again, got rid of all proprietary software on my phone (though I used gadgetbridge for a while), realized anybody could just track me as the band was broadcasting the same MAC address everywhere.

I also got multiple LG watch R, I'm probably going to fiddle a bit with them when I have time, hopefully mainlining them and porting postmarketos over. I'm open to trying again with those. In the end, I don't really have sensitive documents on a laptop (besides work-related confidential stuff), so I'm not sure I'd crank paranoia to 11.

As for my phone, I often pull it out of my pocket and leave it on my desk, or abandon it somewhere, charging or powered off -- I should probably be more careful with that, but people know to expect some latency when contacting me.

I once wrote a script to automatically lock my computer if I got too far away from it, back when I was wearing a bluetooth wristband.

I had a program like this back in PowerBook days. It automatically unlocked the computer if a specified Bluetooth signal reached a particular strength, and locked the computer again if the signal strength fell below another threshold.

It worked great, when it worked. It had maybe a 70% success rate, but that was good enough.

Windows 10 does this automatically if you pair your phone to your Windows 10 PC via bluetooth. When you walk away, it locks the screen.
If the feds are pinching you for computer crime in a public space, this is exactly why they'd handcuff you, but keep you within ~10 feet of your laptop.
heartbeat monitor.

unless they hit you with the cryo, too.

Brilliant! Going to go work on this now...
Wouldn't it make sense to remove the battery on your laptop entirely? With a modified magsafe-like power cord any attempt to grab the machine hard-kills the system and RAM begins degrading immediately. Epoxy over the screw terminals would also delay an attacker long enough to prevent freezing the RAM with compressed air to try and dump RAM via an exploit kit.
>Epoxy over the screw terminals would also delay an attacker...

Might as well go all in and epoxy the ram sticks/dimm slot assembly.

Would it cause overheating?
You don't have to douse the whole thing with expoxy. The dimm assembly looks like this: https://guide-images.cdn.ifixit.com/igi/dpYyM4oeOLPPTdpF.hug...

Putting epoxy around the top and bottom edges (where the retention clips are) and the right edge (where the contacts are) should make it extremely difficult to dislodge, but not impact the thermal performance of the chips (the black rectangles).

Aren't they already soldered in place in modern laptops?
Many laptops but not all laptops.

I've noticed many lower end have one soldered and one removable. Drives me crazy because then you end up with more RAM but less performance, so have to choose which hit is worse.

>I've noticed many lower end have one soldered and one removable

nah, that applies to many mid to high range laptops as well, eg. 14" thinkpads has had 1 soldered 1 removable dimm for years now.

Devices to transfer from wall power to battery backup for transport have existed for a long time.

https://wiebetech.com/products/hotplug-field-kit/

Seinfeld had a "rogue electrician" named Slippery Pete who could do this.
I always wonder if you could make a similar device work for EU plugs. You can't wiggle a EU plug out an 8th of an inch and have exposed line voltage, so I imagine you'd need some sort of trick to make it work.
It's easier then you think.

For anything with more than one socket, you just plug in a second cable into a free socket, once the phases are synced up unplug the extension cord or cut the socket free.

For singular sockets straight into the wall, unscrew, clip on connectors with a V shaped knife and same as above.

Although when I was working we usually would take images onsite before even considering moving the devices.

It's definitely not bullet proof but I've set up my laptop to lock when Ethernet or the monitor is unplugged or any new USB device is plugged in. This stops most but not all live imaging.

I think the idea is that you might only have about a second to kill the device. Yes, you can throw your computer in a bathtub of saltwater or whatever but that's not really the point.
You better make sure that 'tampering with evidence' carries a lower penalty than the thing that you're trying to hide.
How can you be charged with tampering with evidence by epoxying your ram dimms?

It's not as though you tampered with the device after the confiscation. Intent is also hard to prove on such a thing. I didn't want my dimms to fall out at any time if the machine was dropped is pretty good plausible deniability.

Thinking that you are smarter than the judge you will appear before is not a strategy I would recommend.
You freeze the whole laptop.
A lot of laptops either refuse to run or heavily throttle while running without internal battery. I know pretty much all Mac portables do it.

Basically the internal battery is used as a buffer for power peaks. So the laptop can use more than the adaptor can provide for a short time. If it didn't throttle it would become unstable.

Tried to find "Shit" key on my keyboard as it would save me a lot of time. No luck.
You have to admit, that's a shift joke.
Exactly. You need something not for when your laptop is removed from you, but when you are removed from your laptop.

Also, if you are being targeted this hard you need to have something for when you are left in front of your laptop and a gun is put to your head. Or the attackers threaten the welfare of your family.

> You need something not for when your laptop is removed from you, but when you are removed from your laptop.

Yeah, this wouldn't have saved the admin of Alphabay, a now defunct darknet market. The FBI staged a car crash outside his house so when he'd come out to see what was going on they could arrest him and likely get to his laptop while it was unlocked. Then again, he really shouldn't have left his computer unlocked.

That seems like a great expense to go to for the sake of a possibility the guy might do more than peek out of the window and then go back to what they were doing.

Surely there were a bunch of other options to consider before "let's stage a car crash"?

I heard the story on the Darknet Diaries podcast.

This article on Vice[0] seems to confirm it:

> Phirippidis told the audience that the bureau managed to corner Cazes and arrest him while he was still logged in as the admin of AlphaBay by ramming a car through the front gate of his home in Thailand.

[0] https://www.vice.com/en/article/59wwxx/fbi-airs-alexandre-ca...

Thanks for the link, that was an interesting read.

The part abour crashing it through his front gate makes it more likely he'll respond which makes more sense.

If someome is pointing a gun at you, it's probably too late to do anything. There should probably be cameras and motion detectors monitoring the perimeter in order to provide early warning.
The second part is harder to defend against. I didn't flinch when LEO pointed a loaded gun at me and threatened to shoot me, but as soon as they threatened my wife I told them I would sign whatever fiction they wanted to write, which I did. It just took me close to 8 years of being in jail to get a judge to look at it and tell them off and throw out the document.
... Police threatened your wife in order to make you sign a confession? That's extremely fucked up.
Yes. Stupid retards did it on video though, otherwise it wouldn't have been seen at all. This was after over an hour of threatening me and refusing my right to silence, not letting me speak to my lawyer, etc.
I would like to know more, if you're able.

Eight years of false imprisonment sounds like lawsuit city, to me.

It is. I filed suit for a lot of different claims related to this, the only one that stuck was the coerced statements. I filed in 2015 but it is still working through the federal court.
> Good to have if you run a dark net marketplace or a political disident ring from public libraries.

...and expose the contents of the screen to any camera with a good zoom? And the passwords you type? Not good.

It's just an very overpriced thing that can protect you from a thief and not the FBI.

He's making a reference to dread pirate Roberts. This was the threat model.
Windows: Sorry, Dave, we can't shut your system down right now, you have 3 apps keeping it from shutting down and we have 37 updates to Edge Browser to install... Have a nice day.
https://docs.microsoft.com/en-us/windows/win32/api/winuser/n...

EWX_FORCEIFHUNG 0x00000010

Forces processes to terminate if they do not respond to the WM_QUERYENDSESSION or WM_ENDSESSION message within the timeout interval. For more information, see the Remarks.

If the EWX_FORCEIFHUNG value is specified, the system forces hung applications to close and does not display the dialog box.

If forced shutdown is a priority, causing a bugcheck would probably be your best bet. This could be part of the USB driver for the device, or you could write a piece of software running as admin to trigger a fail state (like killing wininit or any other critical part of Windows).

You'd have to watch out that you don't let the system store a memory dump, of course, that'd be the exact opposite of what you want.

Send a signal to a driver to bluescreen the box?
Currently the BusKill app just locks the screen when the cable disconnects. I've never had Windows block the screen lock with such an error.

The way we implemented the self-destruct (currently only available in Linux), it locks the screen before attempting to wipe the LUKS Header. I imagine we'll do something similar in Windows, so the worst-case would be the soft shutdown hangs but at-least the screen is locked immediately.

Hopefully we can force an immediate, uninterruptible, hard-shutdown in Windows, too.

bluescreen is a good method, but produces a memory dump.

shutdown -s -t 0 -f will force the shutdown, but user has to be admin even if they could otherwise shutdown the computer.

Why would anyone serious about this be running Windows in the first place? A live Linux operating system is so much better. Tails is designed for this.
Alternatively you can remove the laptop battery and use it with just the charging cable attached to power the device. The laptop will automatically shut off when the power cable is disconnected. Then PAM Duress [0] can be used for the xkcd538 [1] situation.

[0] https://news.ycombinator.com/item?id=28267975

[1] https://xkcd.com/538

I guess it depends on the threat model, but if the primary concern is theft couldn't AC adapter disconnect be used for this?
This could have saved the creator of silk route. Not that I sympathize with crime, but he was unfairly accused of crimes he didn't committed like paying hitmen to kill enemies. Also, the way to operation was setup to get his laptop forcefully from him was, at the least, disrespectful. If FBI was so sure he committed any crime, they could have legally got a search warrant.
Why not have a bluetooth/wifi/customised proximity device constantly connected to your laptop (and resides in your wallet/shoes/private parts) and if you suddenly are too far away from your laptop while it's unlocked it gets purged?
If all you want is a bluetooth/wifi solution, then there's tons of "solutions" on the market for this. See our "comparison" table on CrowdSupply for some options:

* https://www.crowdsupply.com/alt-shift/buskill

When I designed BusKill, I intentionally avoided wireless solutions.

BusKill is designed for situations where the risk is extremely high, and you'll find that the radio-based solutions aren't very secure. They're faulty and have huge surface areas of attack.