diff options
author | Nicholas Johnson <nick@nicholasjohnson.ch> | 2023-02-15 00:00:00 +0000 |
---|---|---|
committer | Nicholas Johnson <nick@nicholasjohnson.ch> | 2023-02-15 00:00:00 +0000 |
commit | 1fb8243ac32f4d4381051dd5c093303d5d68c084e8cf7b3316d414daaf1c75a9 (patch) | |
tree | ac9c9cfaf73743869707f368c61cbd595ab7aa3f0b1a254b6fb2bf770b45d8e8 | |
parent | 63e67ee620dc12980cb504bfd64e6ca9561543b977d9634dc2d3b4a3f809db3a (diff) | |
download | journal-1fb8243ac32f4d4381051dd5c093303d5d68c084e8cf7b3316d414daaf1c75a9.tar.gz journal-1fb8243ac32f4d4381051dd5c093303d5d68c084e8cf7b3316d414daaf1c75a9.zip |
Convert refs: dead-mans-switch
-rw-r--r-- | content/entry/dead-mans-switch.md | 61 |
1 files changed, 14 insertions, 47 deletions
diff --git a/content/entry/dead-mans-switch.md b/content/entry/dead-mans-switch.md index fb70caa..aca6984 100644 --- a/content/entry/dead-mans-switch.md +++ b/content/entry/dead-mans-switch.md @@ -2,14 +2,13 @@ title: "Dead Man's Switch" date: 2021-01-27T00:00:00 draft: false -makerefs: false --- # Definition -There are many kinds of dead man's switches (abbreviated here as DMS). The DMS's this post is concerned with are software-based[1]. More specifically this post is concerned with what I will call Wikileaks/Mr. Robot style DMS's. +There are many kinds of dead man's switches (abbreviated here as DMS). The DMS's this post is concerned with are [software-based](https://www.wikipedia.org/wiki/Dead_man%27s_switch#Software). More specifically this post is concerned with what I will call Wikileaks/Mr. Robot style DMS's. -Wikileaks[2] is a non-profit that has a history of publishing highly classified news leaks obtained through anonymous sources. In order to protect the leaks, some are prereleased in encrypted form with the decryption key rigged to self-publish in case the operations of Wikileaks are obstructed in the meantime. +[Wikileaks](https://wikileaks.org/) is a non-profit that has a history of publishing highly classified news leaks obtained through anonymous sources. In order to protect the leaks, some are prereleased in encrypted form with the decryption key rigged to self-publish in case the operations of Wikileaks are obstructed in the meantime. -DMS's are also used 3 times in the TV series Mr. Robot[3]. One is first used by Elliot Alderson[4] threatening to leak Fernando Vera[5]'s drug supplying operation to protect his dealer sweetheart Shayla[6] (S1E6[7]). The second is in the form of an email from Trenton[8] to Elliot hinting how to undo the 5/9 hack (S3E8[9]). The last comes again from Elliot threatening to leak information to hurt the antagonist White Rose[10] (S3E10[11]). +DMS's are also used 3 times in [the TV series Mr. Robot](https://mrrobot.fandom.com). One is first used by [Elliot Alderson](https://mrrobot.fandom.com/wiki/Elliot_Alderson) threatening to leak [Fernando Vera](https://mrrobot.fandom.com/wiki/Fernando_Vera)'s drug supplying operation to protect his dealer sweetheart [Shayla](https://mrrobot.fandom.com/wiki/Shayla_Nico) ([S1E6](https://mrrobot.fandom.com/wiki/Eps1.6_v1ew-s0urce.flv)). The second is in the form of an email from [Trenton](https://mrrobot.fandom.com/wiki/Trenton) to Elliot hinting how to undo the 5/9 hack ([S3E8](https://mrrobot.fandom.com/wiki/Eps3.8_stage3.torrent)). The last comes again from Elliot threatening to leak information to hurt the antagonist [White Rose](https://mrrobot.fandom.com/wiki/Whiterose) ([S3E10](https://mrrobot.fandom.com/wiki/Shutdown_-r)). There are 2 key elements common to the DMS's I've referenced so far: @@ -22,12 +21,12 @@ Now I'll consider the potential uses for such a device. ## Self-Defense The first use case that comes to mind for a Wikileaks/Mr. Robot style DMS is self-defense. If you learn something others want to keep private, you could be in danger. You "know too much". From organized crime to classified government documents the most obvious way to deal with someone who knows too much is to have them killed, assuming you have let's say a highly questionable moral compass. Dead men tell no tales. -A DMS is a way of turning the "knowing too much" problem on its head. It's especially useful for dissidents and independent journalists that regularly find themselves pitted against powerful multinational corporations, the state[12] and large criminal enterprises[13]. It can be used as a bargaining chip to protect yourself and those you care about. If anyone you care about is harmed the private information is assured to leak, so instead of "dead men tell no tales" it becomes "living men tell no tales". +A DMS is a way of turning the "knowing too much" problem on its head. It's especially useful for dissidents and independent journalists that regularly find themselves pitted against powerful multinational corporations, [the state](https://www.theguardian.com/us-news/2020/dec/07/florida-police-raid-data-scientist-coronavirus) and [large criminal enterprises](https://www.wikipedia.org/wiki/Jeffrey_Epstein). It can be used as a bargaining chip to protect yourself and those you care about. If anyone you care about is harmed the private information is assured to leak, so instead of "dead men tell no tales" it becomes "living men tell no tales". You should carefully consider before using one. They have the potential to be effective only if used correctly. You might ask what is the value of the leak? The final time Elliot used one in Mr. Robot the threat of the leak wasn't devastating enough to protect him from White Rose. Elliot was only able to save himself by proving he had worth. It's also important to consider how long will the leak hold value? After Vera's operation was over he stood to lose nothing from Elliot's leak. Elliot was again saved only because of his value, not his DMS. The lesson there is to be thoughtful before using one. ## Leak Defense -The next use case is to protect the leak itself. When the leak is obtained from an anonymous source it's disorganized and hard to read. So before Wikileaks publishes a leak they have to curate[14] the content. But there's a danger that while they're doing that the leak could be seized or destroyed by an adversary. To mitigate that they can set up a DMS so the data will get published either way. Then the adversary no longer has any incentive to interfere with the data curation process. +The next use case is to protect the leak itself. When the leak is obtained from an anonymous source it's disorganized and hard to read. So before Wikileaks publishes a leak they have to [curate](https://www.wikipedia.org/wiki/Data_curation) the content. But there's a danger that while they're doing that the leak could be seized or destroyed by an adversary. To mitigate that they can set up a DMS so the data will get published either way. Then the adversary no longer has any incentive to interfere with the data curation process. ## Offense As for offense, it doesn't make as much sense to use a DMS. Even though it could be used illegally for blackmail or extortion it would only be necessary if the offender was concerned about ending up in a situation where they can't leak the information. At that point they'd probably be more interested in self-defense than offense anyway. Unless there are circumstances I'm overlooking then Wikileaks/Mr. Robot style DMS's aren't very useful for offense. @@ -36,12 +35,12 @@ For the rest of this post I'm going to focus only on the self-defense use case. # Theory and Practice ## In Theory -In theory the DMS represents a sequential, noncooperative game[15] between 2 players. Player 1 (the defender) chooses between leaking Player 2's secrets and doing nothing. Player 2 (the attacker) chooses between violence against Player 1 and doing nothing. Both players are assumed to be rational. Here are the payoffs for each strategy: +In theory the DMS represents a sequential, [noncooperative game](https://www.wikipedia.org/wiki/Non-cooperative_game) between 2 players. Player 1 (the defender) chooses between leaking Player 2's secrets and doing nothing. Player 2 (the attacker) chooses between violence against Player 1 and doing nothing. Both players are assumed to be rational. Here are the payoffs for each strategy: 1. If Player 2 commits violence then 1. Player 1 loses 2 points (harm) 2. Player 2 gains 1 point (retribution) 2. If Player 1 leaks data then 1. Player 2 loses 2 points (harm) 2. Player 1 gains 1 point (retribution) -This point structure assumes both Players value retribution but not as much as avoiding harm. Both Players assume the other will adopt the strategy of maximizing their own points. Using the Minimax[16] algorithm it can be determined that both Players will do nothing. Any other action would result in both players having less points. Points are represented for each Player in the format (P1,P2) in the decision tree below: +This point structure assumes both Players value retribution but not as much as avoiding harm. Both Players assume the other will adopt the strategy of maximizing their own points. Using the [Minimax](https://www.wikipedia.org/wiki/Minimax#Example_2) algorithm it can be determined that both Players will do nothing. Any other action would result in both players having less points. Points are represented for each Player in the format (P1,P2) in the decision tree below: [decision_tree [IMG]](/resource/decision_tree.jpg) @@ -52,21 +51,21 @@ In practice there are a number of complicating factors. Player 2 may not know ex If you still want to configure a DMS the first thing to consider is how to format the data you wish to include. ## Luks2 -If you're gathering data to be included in the leak on an ongoing basis then you should probably use an encrypted disk image file. I recommend using LUKS2[17] for the encrypted disk image. There are plenty of tutorials out there on how to use it so I won't be going over that in this post. To leak the data is easy. Just publish the encryption slot passphrase. +If you're gathering data to be included in the leak on an ongoing basis then you should probably use an encrypted disk image file. I recommend using [LUKS2](https://www.wikipedia.org/wiki/Linux_Unified_Key_Setup) for the encrypted disk image. There are plenty of tutorials out there on how to use it so I won't be going over that in this post. To leak the data is easy. Just publish the encryption slot passphrase. ## GnuPG2 -If instead you already have all the data you're ever going to leak then you can just create a Tar[18] archive encrypted with GnuPG[19]. GnuPG is awful[20] so you might consider other file encryption methods as well. It doesn't matter that much so long as you use free software. +If instead you already have all the data you're ever going to leak then you can just create a [Tar](https://www.wikipedia.org/wiki/Tar_%28computing%29) archive encrypted with [GnuPG](https://www.wikipedia.org/wiki/GNU_Privacy_Guard). [GnuPG is awful](https://secushare.org/PGP) so you might consider other file encryption methods as well. It doesn't matter that much so long as you use free software. ## Content Distribution Once your encrypted archive is prepared you'll need to distribute it to others. Wikileaks "insurance" files were distributed through torrents. In Mr. Robot email was used. There's no standard for this. It's completely up to you how you do this part. The important part is anyone that would want a copy knows about the leak and can get a copy. ## VPS Setup -Now comes the part of the setup where you need a server machine to actually trigger the DMS. If you're using a DMS there's no reason not to make it as secure as possible because securing it from a state-level adversary is only a few steps extra versus securing it from a mobster. I won't cover how to secure your personal computer but if you're using a DMS you should at a minimum have full-disk encryption[21] enabled with a strong password. +Now comes the part of the setup where you need a server machine to actually trigger the DMS. If you're using a DMS there's no reason not to make it as secure as possible because securing it from a state-level adversary is only a few steps extra versus securing it from a mobster. I won't cover how to secure your personal computer but if you're using a DMS you should at a minimum have [full-disk encryption](https://www.wikipedia.org/wiki/Full_disk_encryption) enabled with a strong password. -To get started use an anonymous VPS since you shouldn't have physical access to the server. If you have physical access an adversary could also gain physical access and permanently disarm the switch. So the first thing you need to do is acquire Monero[22]. Then use Tor Browser to purchase a foreign VPS[23] with the Monero, but don't give the VPS provider your true credentials. You can ssh into your VPS with the command torify ssh <user>@<server>. Then you should harden your ssh configuration[24] and put sshd behind a Tor v3 Hidden Service[25] so a MITM[26] can't locate it. Once all that's done you're finally ready to set up the actual DMS. +To get started use an anonymous VPS since you shouldn't have physical access to the server. If you have physical access an adversary could also gain physical access and permanently disarm the switch. So the first thing you need to do is acquire [Monero](https://www.monero.how/). Then use Tor Browser to [purchase a foreign VPS with the Monero](https://www.getmonero.org/community/merchants/#hosting), but don't give the VPS provider your true credentials. You can ssh into your VPS with the command torify ssh <user>@<server>. Then you should [harden your ssh configuration](https://stribika.github.io/2015/01/04/secure-secure-shell.html) and put sshd behind a [Tor v3 Hidden Service](https://scribe.rip/@NullByteWht/how-to-set-up-an-ssh-server-with-tor-to-hide-it-from-shodan-hackers-eda93927a742) so a [MITM](https://www.wikipedia.org/wiki/Man-in-the-middle) can't locate it. Once all that's done you're finally ready to set up the actual DMS. ## Cron -There is free software that automatically configures a DMS, but it's equally as easy to set one up yourself. Simply write a script that checks for the existence of a file and schedule it to run at regular intervals using Cron[27]. If the file exists, delete it. If the file does not exist, your script should execute a separate script that publishes the passphrase or private key needed to decrypt the data. It's up to you where you publish the decryption key. Just be sure to test it first with a fake key. +There is free software that automatically configures a DMS, but it's equally as easy to set one up yourself. Simply write a script that checks for the existence of a file and schedule it to run at regular intervals using [Cron](https://www.wikipedia.org/wiki/Cron). If the file exists, delete it. If the file does not exist, your script should execute a separate script that publishes the passphrase or private key needed to decrypt the data. It's up to you where you publish the decryption key. Just be sure to test it first with a fake key. Here's what such a script might look like: @@ -101,7 +100,7 @@ else fi ``` -Those two scripts are the most important. Don't forget to set their permissions as executable. Next you need to decide how often you want the switch to be triggered. You can set it to be as frequent as you wish but remember if the switch isn't deactivated each time before trigger.sh runs it will publish the private key. The last thing you want is to accidentally trigger the switch. Phoenixnap.com has a great knowledge base article[28] on using Cron. Here's an example that triggers the switch monthly at 00:00 hrs: +Those two scripts are the most important. Don't forget to set their permissions as executable. Next you need to decide how often you want the switch to be triggered. You can set it to be as frequent as you wish but remember if the switch isn't deactivated each time before trigger.sh runs it will publish the private key. The last thing you want is to accidentally trigger the switch. Phoenixnap.com has a great [knowledge base article on using Cron](https://phoenixnap.com/kb/set-up-cron-job-linux). Here's an example that triggers the switch monthly at 00:00 hrs: ```plaintext @monthly /home/<user>/trigger.sh @@ -125,40 +124,8 @@ You don't hear about Wikileaks/Mr. Robot style DMS's being used very often. I as 2. They require continuous maintenance 3. They don't occur to most people to use -In my view DMS's are woefully underused and they should be more common especially with dissidents, protest organizers and investigative journalism organizations. The fact that Jeffrey Epstein didn't have a DMS before he "killed himself[29]" is almost beyond believe. A man with his wealth and criminal connections should've had one. He could've privately paid someone to set it up for him. +In my view DMS's are woefully underused and they should be more common especially with dissidents, protest organizers and investigative journalism organizations. The fact that Jeffrey Epstein didn't have a DMS before he "[killed himself](https://www.wikipedia.org/wiki/Epstein_didn%27t_kill_himself)" is almost beyond believe. A man with his wealth and criminal connections should've had one. He could've privately paid someone to set it up for him. I think about how his situation might have turned out differently if he would've set up one. Assuming he didn't commit suicide it could have protected him long enough to call out other rich and powerful people involved in sex trafficking. But it goes farther than Epstein. There are lots of situations where wealthy individuals and those with computer skills could have set up a DMS to protect themselves but apparently didn't think to do so. As I said before one should be careful before using a DMS. Using one is tricky in practice but it still seems like they could get far more use than they tend to. I'm generally in favor of them since they seem to be primarily used for preventing violence and protecting socially important leaks. Like any tool they can be misused for nefarious purposes. Based on present usage though, if they were used more often in the future, I estimate that, on balance, they would be ethically and socially beneficial. - - -Link(s): -[1: https://www.wikipedia.org/wiki/Dead_man%27s_switch#Software](https://www.wikipedia.org/wiki/Dead_man%27s_switch#Software) -[2: https://wikileaks.org/](https://wikileaks.org/) -[3: https://mrrobot.fandom.com](https://mrrobot.fandom.com) -[4: https://mrrobot.fandom.com/wiki/Elliot_Alderson](https://mrrobot.fandom.com/wiki/Elliot_Alderson) -[5: https://mrrobot.fandom.com/wiki/Fernando_Vera](https://mrrobot.fandom.com/wiki/Fernando_Vera) -[6: https://mrrobot.fandom.com/wiki/Shayla_Nico](https://mrrobot.fandom.com/wiki/Shayla_Nico) -[7: https://mrrobot.fandom.com/wiki/Eps1.6_v1ew-s0urce.flv](https://mrrobot.fandom.com/wiki/Eps1.6_v1ew-s0urce.flv) -[8: https://mrrobot.fandom.com/wiki/Trenton](https://mrrobot.fandom.com/wiki/Trenton) -[9: https://mrrobot.fandom.com/wiki/Eps3.8_stage3.torrent](https://mrrobot.fandom.com/wiki/Eps3.8_stage3.torrent) -[10: https://mrrobot.fandom.com/wiki/Whiterose](https://mrrobot.fandom.com/wiki/Whiterose) -[11: https://mrrobot.fandom.com/wiki/Shutdown_-r](https://mrrobot.fandom.com/wiki/Shutdown_-r) -[12: https://www.theguardian.com/us-news/2020/dec/07/florida-police-raid-data-scientist-coronavirus](https://www.theguardian.com/us-news/2020/dec/07/florida-police-raid-data-scientist-coronavirus) -[13: https://www.wikipedia.org/wiki/Jeffrey_Epstein](https://www.wikipedia.org/wiki/Jeffrey_Epstein) -[14: https://www.wikipedia.org/wiki/Data_curation](https://www.wikipedia.org/wiki/Data_curation) -[15: https://www.wikipedia.org/wiki/Non-cooperative_game](https://www.wikipedia.org/wiki/Non-cooperative_game) -[16: https://www.wikipedia.org/wiki/Minimax#Example_2](https://www.wikipedia.org/wiki/Minimax#Example_2) -[17: https://www.wikipedia.org/wiki/Linux_Unified_Key_Setup](https://www.wikipedia.org/wiki/Linux_Unified_Key_Setup) -[18: https://www.wikipedia.org/wiki/Tar_%28computing%29](https://www.wikipedia.org/wiki/Tar_%28computing%29) -[19: https://www.wikipedia.org/wiki/GNU_Privacy_Guard](https://www.wikipedia.org/wiki/GNU_Privacy_Guard) -[20: https://secushare.org/PGP](https://secushare.org/PGP) -[21: https://www.wikipedia.org/wiki/Full_disk_encryption](https://www.wikipedia.org/wiki/Full_disk_encryption) -[22: https://www.monero.how/](https://www.monero.how/) -[23: https://www.getmonero.org/community/merchants/#hosting](https://www.getmonero.org/community/merchants/#hosting) -[24: https://stribika.github.io/2015/01/04/secure-secure-shell.html](https://stribika.github.io/2015/01/04/secure-secure-shell.html) -[25: https://scribe.rip/@NullByteWht/how-to-set-up-an-ssh-server-with-tor-to-hide-it-from-shodan-hackers-eda93927a742](https://medium.com/@NullByteWht/how-to-set-up-an-ssh-server-with-tor-to-hide-it-from-shodan-hackers-eda93927a742) -[26: https://www.wikipedia.org/wiki/Man-in-the-middle](https://www.wikipedia.org/wiki/Man-in-the-middle) -[27: https://www.wikipedia.org/wiki/Cron](https://www.wikipedia.org/wiki/Cron) -[28: https://phoenixnap.com/kb/set-up-cron-job-linux](https://phoenixnap.com/kb/set-up-cron-job-linux) -[29: https://www.wikipedia.org/wiki/Epstein_didn%27t_kill_himself](https://www.wikipedia.org/wiki/Epstein_didn%27t_kill_himself) |