I think I first encountered the idea of essentially using passwords as commands for a variety of custom actions in a Larry Niven book from the 60s? Earlier?
It must be as old as passwords, meaning as old as language, relatively straightforward to implement in any kind of software, yet I've never seen it actually implemented in all this time. Closest has been the single triggered action to wipe everything after n failures.
It's been implemented in video games, at least! The "NARPAS SWORD" password in Metroid comes to mind.
The practical issue here is that a secret password to release the hounds or whatever is only useful if someone is able to use it at the appropriate time. It's hard to memorize a password you don't use. The number of cases where a "release the hounds" password is going to be usable and useful where a "log into admin account which has a 'release the hounds' button" wouldn't be is going to be very low.
The fact that you remember the one from a videogame, makes it seem like that would be a good candidate password for this purpose. If it's used to wipe the data (which is backed up), then it shouldn't need to be as secure as a regular password. In fact, it might be preferable to be less secure so that someone trying to brute force would hit the duress password first.
If we're talking about the specific case of duress passwords, sure. Although in that case the better defense against brute forcing is to wipe the data after too many failures. And at some point you might as well just put a "self destruct" button on there and skip the need for a password.
"the better defense against brute forcing is to wipe the data after too many failures."
Is it though? I thought some intelligence agencies have the ability to bypass the tries counter. In that case, the password would still trigger the wipe. That's not as easy to defeat because they don't know what password to avoid during the attempt, as opposed to knowing that after 10 tries it will wipe.
How can you go to prison for obstruction of justice when files are encrypted with passwords you dont know?
In the 90's I had a Visual Basic addon which was an AI that monitored the keyboard typing pattern. It could identify who was typing at the keyboard, so you could use it as a backup to lock the system if someone had discovered the password. That app could also be used to encrypt files independently, and only decrypt files when the typing pattern matched the username and password.
Not the only thing which could be used to decide if someone is the genuine user, some users might have tic's like tourettes, but involve unusual mouse movements or clicks. Or they could be things like having to switch on the NumLock on a keyboard in order to type in a numerical password. These are all very subtle behaviours which might not be spotted by someone after the password to get into a system.
Edit
So windows has had AI built into its gui since at least Windows 200, really noticeable in XP, its the benign sounding Mouse Properties "Enhance pointer precision", but this can also be used to work out who is using the windows GUI by comparing the operation of the GUI, things like do windows get resized or maximmised, do some programs tend to be use on a particular monitor (if a multimonitor setup), and how on target is the user when closing a window, ie where do they consistently hit the big red X close button in the top right of a window and how quickly do they do this. All this is meta data to further workout who is actually using the computer or not. Linux AFAIK doesnt have this so you have more privacy with Linux in some respects.
Most countries have key disclosure laws[1] which require you to provide keys or passwords to law enforcement. Not being able to remember the password is not a defense unless you can somehow prove it (which is impossible), and people can and have gone to prison for this[2].
Its not a case of not being able to remember the passwords if an AI is the only entity that knows them's. Technicality of law.
As for people going to prison I know how fascist the UK state can be, I've had it all my life since primary school and they go on about the Uighurs in China! LOL. Reminds me of the IRA petrol bombs and the Ukrainian Petrol bombs going on today.
I've had court request letters telling me to go to the wrong courts in the hope they can convict me of speeding in my absence, if I wasnt aware of court procedures which isnt my day job.
I'm well aware you dont run a country by being nice.
In XP, when doing some repetitive stuff which meant moving in and out of a number of windows, I noticed (saw with my own eyes) there were times I hadnt actually clicked on the window close button in the top right of the window but the mouse pointer just fell short of the close button and yet it still closed the windows.
If you use Linux, you'll see how twitchy the mouse pointer is compared to windows.
Russian government is stopping people on the street, demanding to see their phone contents. If you can show a fake profile, you are safe. If you wipe data, you might be beaten, tased and jailed.
I was responding to a comment that said "[i]f it's used to wipe the data...". If you read my original comment, I was specifically avoiding that particular topic because I knew it wasn't what you were discussing. It's pretty frustrating how all of these replies are acting like I introduced duress passwords to the conversation.
To be clear, I'm not really endorsing that approach, just saying that it's probably more effective than making "sexgod123" a secret land mine password.
Had a work phone where that wasn't an option, when my kids were little they'd grab the phone and blackmail me with a wipe. Kind of funny but also a pain in the ass.
Doesn't it take hours of wrong password entries before a wipe? The delay between attempts gets longer and longer (at least on ios), you can't just quickly tap in loads of wrong passwords and wipe an iphone in a minute.
In my situation the company requires wipe after 5 or 10. I don't remember how long the timeout was but being blocked out of your work phone while you're oncall is also a massive pain in the ass.
Duress passwords aren't there to stop brute-forcing, they're there to save your life in the event of wrench-based cryptoanalysis [0]. Think "log into this system or I shoot you". Using a duress vs regular password should look identical and give away as much information/access as you can afford so your odds of being found out (and subsequent shot) are as low as possible.
Even if configured as sef-destruct (in cases where you value system security more than your life), it's still better than a basic panic button (ideally you want both). You can point a gun at someone and tell them to keep their hands away from a button, but eventually you'll need to have them open a locked door for you and in that moment they are free to type anything on the keypad, be it "open door and call the cops" or "blow up the whole building" and you won't know what they typed until it's too late to stop them.
Huh, my phone used to have miui, an andrdoid skin by xiaomi, installed from the factory. It featured the ability for a second user profile that could be either entered through the settings or by setting up a custom unlock pattern for entering it when unlocking the phone.
I tought this was quite a clever feature for e.g. giving your phone to your children with an isolated profile.
Because people struggle to remember even one PIN, especially if it's needed infrequently or in a stressful situation. I'm not being snarky here, it's happened to me. Could not remember my one, main PIN on one particularly stressful day. Went home, slept, and no problem the next day.
So remembering a PIN that most people will never need to use in a stressful situation? Unlikely to be useful for the majority of people.
Way easier, just have a set of 9 icons (flower, sun, etc) shown after every pin entry. Your "true" icon will proceed, all other icons will trigger duress and proceed.
Way easier, just have a set of 9 icons (flower, sun, etc) shown after every pin entry. Your "true" icon will proceed, all other icons will trigger duress and proceed.
This is familiar.
I had a bank that, when you set up your PIN, required you to also pick an icon. There was a flower, and a cat, and a dog, and some other generic pictures.
When you put your card in the ATM and entered your PIN, you also had to pick the right icon.
I wonder if this was the start of a duress system the bank was setting up. The bank ended up getting eaten by another bank and then another bank, and the icon selection system went away.
For some reason I don't associate it with a bank (they have a personal phrase they include in official messages), but do with one of the SSO accounts I had, and feel pretty confident it wasn't Google.
No, it is an obvious solution to anyone who wants to solve the problem, and have never seen this in the wild (probably because I live in a relatively safe country where you don't have to fear to get mugged at an ATM).
EDIT: This should be coupled with a "secret" icon that is shown (or a specific order of the 9 icons you have to chose from) to prevent MITM/Phishing attacks. If you realize the icon/order is not the one you are used to, you are being phished.
Alternatively: same PIN/password as normal, but alter the last character. Better if it’s any incorrect last character. That allows you to stick close to your normal routine while in a stressful situation.
At 4 digits, with a 10 character alphabet, you are looking at a 1% reduction in pin space. Contrast this with the 90% reduction in pin-space you get by not using a 5th digit.
If we had duress codes for ATM, and it’s widely known, then someone with a gun will just threaten me to not use my duress code. I’m not going to bet my life in that scenario.
In the physical security example (door with a pin pad lock), entering the duress code gives no indication that you had done so. The door opens, just as it should (i.e., the guy standing behind you forcing you to open doors is unaware). But security has been (silently) alerted. ATM duress codes would work the same (I would hope).
First off, just because they have a gun doesn't mean they're going to risk a capital crime over under a grand in cash. Sure, some people will, but that number is much smaller than the number of people not even holding a real gun.
The duress code could do any number of things, too. Trigger a silent alarm, for example, at the bank branch and/or police. Show a randomized, lower available balance. Mark the dispensed bills.
Fact of the matter is that banks don't care; it's not "their" money when someone steals from you at an ATM. That's why you never see any sort of anti-robbery systems in ATM lobbies.
Cops don't care either. If you're lucky they write a report.
But...steal from the bank and every cop in town will hunt you down.
The famous socialite was found guiltu of defrauding investors and banks (whos literal job us to access risk) but not the poor woman che parted with savings.
Head of Theranos was found guilty of defrauding investors who did no real due dilligence, but not patients.
Don't change anything about the behavior of the ATM, just alert the police. If people are being robbed at gunpoint don't try and be a hero over a couple grand.
How many people chill out after an atm robbery? It seems a bit of over engineering when I would assume 99.9% of atm robbers are gone 30 seconds after an atm pin is typed.
ATMs can be configured for all kinds of amounts. It's up to the bank.
In the mid-90's, my father's bank would let him specify a withdrawal amount down to the cent. He could take out $53.17, and the machine would spit out $53 in bills, and 17 cents would roll down a chute into the coin tray.
In the late 90's, I had a bank that allowed almost any withdrawal amount. I know I took out $700 once for an emergency car repair.
I think a big reason the banks limit the amount of money you can take out is so they don't have to refill the machines as often. It's a cost-saving measure for them.
There are higher limit ATMs and accounts. Some Chase and Citibank accounts go up to $5000 iirc.
Usually there’s a “rich people” account with different limits and services. I knew somebody once who could call their guy have money delivered by courier in NYC.
It occurs to me you could do something like this by creating a dummy user and enabling a user service on login (systemd). I don't think this is the best method, because you can't predict all the ways to login without a shell. Just a neat idea for generalizing it.
I have a feeling that "Is pam_duress.so configured in any file in /etc/pam.d, and if so turn on a big red light" is a pretty trivial thing to add to those "plug the person's computer in here and have them log in to their machine to decrypt everything, otherwise they won't go through customs/leave our dingy bunker" solutions.
These duress passwords seem to be for kind of contrived scenarios, to me. Either your threat model is "someone breaks into my hotel room and steals my laptop", in which case it's useless, or "The $OpposingSideSecretService got me and hits me until I give them my password" in which case it seems to be equally useless.
Sadly (2) is a legal requirement in Australia now, too.
If asked you MUST unlock your phone and computer. So if you’re travelling here or leaving — citizen or not — you best be prepared to have your data searched for arbitrary reasons.
The best defence I have seen for this is to keep all your data on cloud storage and do a base install whenever you are crossing questionable borders. Rather than a cloud provider, host your own Nextcloud instance.
I have advised similar things. Backup, factory reset while going through the border and restore once done. The fact that they can legally seize without any justification and no transparency over what is taken is still an issue though.
Maybe this shouldn't be branded purely as a security feature. There are plenty of uses for it beyond the whole duress aspect. It could be an elegant way to toggle desktop themes when you log in. Or it could give a bit of peace of mind by killing all open browser windows as you're about to log into your laptop that's hooked up to a projector.
Lol, the ven diagram of people who can move your computer while the os is running and and people who can figure out of you also have a duress password is basically a circle.
No home theif is going to take the time to move your machine while it's running so having all the drives locked should be good.
If you're using pam, some section of the drive is unlocked.
The question is does it matter if they know you have a duress module running?
You're not really obligated to give your password in the US. (Not a lawyer but that's how I understand it)
And in situations where they know are they going to beat you after youve erased your data?
If you're worried about a machine being moved while on, you're probably best to check a canary that tells it about it's environment. ARP for a specific MAC, or DNS entry that only resolves on your LAN, SSID scan, maybe just lock all drives if the LAN interface flaps.
I suppose this would be good for airport travel and more mobile situations.
Something like this would be great for online voting. If a voter is under duress (i.e. being watched while they vote, etc), they can enter a specific ballot unique to them that discards the ballot and allows them to re-vote in a safer environment.
Or just completely get rid of anything internet connected or electronic for voting and go back to pen and paper. Any claims that online voting can be secure should be kept far away an buried as though they were radioactive waste.
I find it hilarious that people think pen and paper voting is more secure. The introduction of electronic voting (plus security through out of state paramilitary forces) was a major factor in reducing electoral fraud in India, the world's largest democracy.
Pen and paper isn't "more secure." As a voting system it's "significantly harder to commit voter fraud against at scale" and "significantly harder to commit fraud against from halfway around the world" and "significantly harder to commit fraud against without one of your conspirators ratting you out." With electronic voting, changing one vote is as easy as changing a million.
Your link doesn't suggest that paper voting doesn't work, it suggests that india is a corrupt nation that couldn't manage to enforce its monopoly on violence during that time. You could in principle also just beat up everyone in the vicinity of the booth, steal their digital voting access and vote for them.
You can't hack a container filled with pieces of paper.
Obviously the usefulness of measures like this is likely pretty low if your dealing with tech-savvy adversaries, but if some random border guard or police officer forces you to log into your computer and — I don't know, I'm not very well-versed in these scenarios — show your Facebook messages or your password vault, you could use your duress password to clear cookies and other stuff to show that you don't have a Facebook account or a password manager ... or whatever, you get the general idea.
Or you could use it to not change anything but simply log in and additionally alert your work place that you're under duress and they can cut off your access to critical systems. Provided that you have some sort of internet access of course...
I married into an American family recently. We plan on doing a road trip through America to visit said family. I will not be taking my phone or my laptop. I will just buy something cheap over there and then donate it to charity before I leave.
Before and now after reading the article, I was immediately struck by the title that it’s astonishing this isn’t a more widely used concept. An “I’m complying” Dead Man’s Switch is a generally good idea for a lot of people for a lot of reasons. Maybe not just at a point of authentication but that’s a reasonably good place to start.
There is a legal concept called adverse inference. It is based on the premise that you wouldn't destroy evidence that would be beneficial to you. In addition to any punishment the court may decide, they introduce the spirt of the destroyed evidence and treat is as materially detrimental to your side.
There are many actors one might comply with who aren’t law enforcement and to whom you may prefer granting access to garbage rather than the thing they’re seeking. I think the vast majority of people with debit cards would be comforted with the idea of being able to give a thief a PIN which doesn’t empty their bank account… even if they never get around to setting one up. No one would think people who do are up to something nefarious. The same goes for protecting oneself from abusers in one’s home. The set of reasons one might want this are so commonplace that the most widely used devices are set up to lock or wipe on failed login attempts either by default or by easy configuration.
I've always been on the fence with technical solutions to the 'Pipe wrench' problem but one thing that I don't see mentioned that often is that there are usually many secondary keyrings unlocked by the login password (ssh auth, saved passwords, session cookies maybe, etc);
I could see a solid usecase for a duress script that clears all these and requires 'standard' reauth, so that at least you're back to a 'defence in depth' style.
Also, in the 'Pushover' example, I can't imagine many attackers waiting to plug the thing in before starting the ~pipe wrench~ credentials discussion.
The fundamental problem is that often the people who are trying to get your data are legally entitled to it, and to use physical force against you to get it. And god help you if there is any appearance that you might have deleted the data they want.
Plausible deniability may help, but only if you really can convince them that you do not have and cannot somehow access the data they want.
> but in the background runs scripts to clean up sensitive data, close connections to other networks to limit lateral movement
Oh boy. Don't do this. No matter how much trouble you're in, erasing the proof will make it worse. If you're innocent too, then you're really in a bad situation.
Even blowing away relevant data like file structures, cookies that would prove your innocence would typically be considered spoliation or destruction of evidence. Even if the evidence is "Joe is innocent". So you could end up creating a felony out of a situation where you would have ended with nothing. If you did nothing, don't touch anything.
If you wipe your already clean device, you've now engaged in real criminality, and will end up creating charged out of thin air for yourself.
Gotcha, so nothing to do with the actual data (you didn't specify which kind just "data") but the mere act. So it's a problem with the legislation as we already knew.
What? No; if you delete data, there’s no way to know what was on it, so if you’re reasonably suspected of committing a crime, there’s no way to know if you also hid the evidence of that crime.
This just reminds me of all the very cool and clever things we could be doing, but arent. I imagine a world in which your phone is actually a general purpose computer, that can be meaningfully backed up by you, solely under your control.
So when you're travelling somewhere heavy, you backup your whole phone to a trusted server (I hate even saying 'cloud' here) and wipe it (or better yet, "duressify" it, e.g. you put in grandma's number and a little porn and thats it) and be on your merry way. Restore your backup at your destination.
A while back a woman in Boston was abducted at random, forced at knifepoint to withdraw money at an ATM, and then brutally murdered before anyone even knew she was missing. In response the state proposed requiring ATM security features like a panic button, active monitoring of the surveillance cameras, or some sort of alarm system. Of course the banks pushed back because of the long-term implementation costs and also because of the supposedly risk false alarms.
But one of the ideas that I thought sounded like a good compromise was a duress PIN. The idea being that a customer could opt to set a PIN that would work exactly like their normal/“real“ PIN (dispense funds, etc.) except it would silently alert police. It didn’t happen, in the end. Partially because the banks were strongly opposed to the “overreach” and partially because the public outrage about the abduction died down before anything meaningful could happen in response.
In Copenhagen the ATMs used to have "anti gas attack" stickers on them. No idea what they did, or protected against.
A friend of a friend got roofied at bar. In the morning, she found she'd withdrawn a large amount of cash from an ATM. (Could have been much, much worse.)
To add insult to injury, the bank produced a video of her drugged out and "voluntarily" entering her pin with a shadowy figure in a black hoodie behind her. The bank claimed this was proof the transaction was voluntary and non-fraudulent, and refused to cover the withdraw.
This was somewhere in Europe. I'm 99% sure the transaction would be refunded in the US, though I've never heard of such muggings here.
A security company I contracted for has a policy when people are traveling to certain countries that they can't bring a company laptop or phone with them. They have to purchase a laptop while in the country to use and log onto the systems from there.
I’m curious because this seems worse in many ways than purchasing in your home country and carrying across. I understand you go through the airport with a fresh laptop and that gives the opportunity for the airport security agents to mess with it, but in all recent travels when I’ve done this the only time I haven’t seen the laptop directly is when it’s in the X-ray machine for 30 secs. Seems like purchasing in visiting country would be less secure. Can you elaborate?
Carrying devices across a border gives the Nation State Actors both physical access to your machine and a legal basis to mess with it - either by searching the device for secrets or by installing malware onto it. Some countries are better at this than others. I wouldn't bother doing this if I was just going from, say, the US to Canada[0]. However, China is notorious for messing with any Android[1] phones that cross their borders. Depending on what countries your company trades with, this policy might make sense.
In contrast, bulk shipments of imported devices are not usually tampered with in the same way[2]. Some countries do have similar restrictions on data import, but they can't mess with or spy on that data because you actually have end-to-end encryption in that case.
[0] I have heard reports of immigration officers demanding device passwords in such a case, but it's rare. If you're really paranoid, enough to want to do this when crossing US borders, I should point out that you should never live within 100 miles of them. Anything 100 miles or closer to a US border gives the US government power to demand your papers; furthermore, the people in border control treat this as a blank check to search for anything they want.
If CBP gets suspicious, they will ask for the device password to gather evidence from one's phone to deport back. This happened to a couple of people I know of.
I haven’t travelled to China since before Covid was a thing, but when I went previously border control weren’t at all interested in our phones, and more or less waved us into the country once they’d checked our visas. To say they mess with any Android phone crossing the border is either massive hyperbole, or they’re doing it remotely as you run them through X-ray scanners.
If they can mess with them remotely, then it's game over for any sort of security property you think the phone has; there's no reason to think they have more capabilities than other governments or some of the larger organized crime syndicates.
Purchasing within the country is more secure unless you assume all devices sold within the country are compromised and monitored in real-time which seems unfeasible.
Of course for this to be effective you should just purchase it in-person in a mall or something, and ideally don't provide any identifying information so they can't "customize" the device just for you, otherwise all bets are off and at that point it indeed becomes more secure to just bring your own and not let it out of your sight.
> Purchasing within the country is more secure unless you assume all devices sold within the country are compromised and monitored in real-time which seems unfeasible.
One preinstalled mitm cert, or sketch CA, is within the realm of feasibility.
An MITM cert or compromised CA used to spy on the entire country would require the adversary to be able to capture, store, process and search through all that traffic in near-real-time. Sounds pretty much impossible both from a infrastructure as well as manpower point of view.
I assume the "and log in from there" consists of a very limited login that only allows access to videocalls and a few other basics to allow work to get done... Not the whole document repository of the whole company.
If you presume encryption (SSL et al) in its present state generally works, this strikes me as obviously superior? I genuinely don't understand the argument? You carry your password in your head, buy the new machine, phone home, and you're good? Ditch the machine on the way home if it's that serious.
If you're an espionage target they'll arrange more than 30 seconds of alone time for your laptop. Either overtly at customs/security or discretely when you're away from the machine.
There's plenty that's crazy about the current system. But I'd assume in your example state actors would be tracking and possibly copying your server accesses. And perhaps your server. (Cross border? Blocked. VPN? Blocked. On-prem? Easy to raid. "Don't keep logs"? Actually we do. Open source encryption? One contributor just happens to be from an intelligence agency and added some weaknesses. And so on...)
Security is really hard. For every "obvious" solution there's always going to be a back door. For every known backdoor there's going to be a covert back door which you're not going to be aware of, or a honey trap which looks like a trusted independent solution but is really state owned.
If you want a truly secure solution you're probably going to have to wait for some kind of bio-linked technology where your personal data is embedded in your physical body, and forced access either wipes it, or kills you, or perhaps both, depending on the settings.
> There's plenty that's crazy about the current system. But I'd assume in your example state actors would be tracking and possibly copying your server accesses. And perhaps your server.
Some of us have only passing interaction with state actors, e.g. when visiting a foreign country for a short term, or when crossing the border into a nominally free society with legal privacy rights (cough TSA / ICE cough). There is thus in practice ample need for solutions not secure against an all-seeing surveillance state.
The phone is a general purpose computer, and you can run LineageOS on it, with a custom bootloader.
Then you basically have 3 partitions boot, system, data. encrypting and uploading "data" can be done. It still requires little manual work, i.e. i don't know if an app can do it.
As mentioned in the article itself these cutesy things are inadequate for their intended use case.
Could still be made useful in some cases perhaps as part of a larger “defense in depth” scenario, but if you’re actually afraid of rubber hose cryptography you should utilize methods that directly work against that (which may result in your death).
"Could still be made useful in some cases perhaps as part of a larger “defense in depth” scenario"
Completely spitballing here just exploring the thought:
Like using duress pam to _only_ allow logins if a duress pw or authorized_key is used? Port knocking (https://en.wikipedia.org/wiki/Port_knocking) comes to mind as a simile. Could that even be done?
Determined attacker will have your disk physically copied before attempting anything, so "delete all my files" won't work.
For such scenarios plausible deniability is what you want. Ideally, you need a whole parallel system which plausibly appears to attackers as if it is legitimately authorized/decrypted. StegFS is an example building block for such systems.
If they know you work on breeding war rabbits, you better have some fake files with records of failed attempts to breed war rabbits and your real files hidden in deeper layers.
Right, but that’s sort of the reason some OSes like MacOS use a hardware security module to store the key used for encrypting the disk contents. Your adversary can make as many copies of the disk as they want, but they need the HSM (which is, by design, hard to clone) to read the plaintext.
An HSM can even enforce policies like rate limiting brute force attempts and/or erasing itself after too many attempts. It could even support a duress password which immediately erases the keys.
Without the ability to clone the HSM, the attacker doesn’t get a “second chance” if they attempt to use the duress password.
I feel a whole parallel system is very risky due to the large service area you have to emulate; screwing something up like Last Modified dates or system updates may reveal you never used that system since 2012. I would rather hide anything risky in an area where high-entropy binary blobs wouldn't appear unusual; the output folder of a hobby data compresser project wouldn't be a bad choice.
They aren't murdering everyone whos phone / laptop they check at a border. It would be perfectly fine to have an encrypted disk drive that presented different contents based on what password was used to unlock for instance.
And with something fully arbitrarily scriptable like this, it doesn't have to simply wipe stuff, it can do practically anything. It could fake having a dead battery, or suffering some kind of crash or other normal annoying service interruption. It could fake a Microsoft account login problem due to some problem with the wifi or borked corporate account control etc. You could increase the believability by pretending to have very common bad security habits like having the duress password written down somewhere on your person or with the machine.
If you are a spy and they have you in a hole, then your cover is already blown. They will remove and dissect the storage without even trying to boot it. But things like this could keep you from being noticed in the first place, and could sufficiently handle the vast majority of situations.
In Russia right now, they are stopping random people on the street to look for certain telegram groups on people's phones. The randos aren't spies and aren't specifically targeted. The police are really only doing it to scare everyone else away from accepting any communication about Ukraine from outsiders.
It would be exactly perfectly good enough if they simply didn't see what they were looking for.
How practical is this against an adversary with hardware access? If they can put a vampire tap on the motherboard or CPU pins, won't the alternate code paths pursued by the CPU alert them? Most computers have standardized bootloaders. This would only work if the decryption key selection computation is encrypted and homomorphic.
Probably possible. You're not going to connect up like 32 eBay oscilloscope probes to someone's computer and get their data, but you could build a custom RAM module that saves interesting data. Obviously there are computing devices that operate at the speed of modern day CPUs and memory -- modern day CPUs and memory!
I think that these aren't widely available because if you want someone's data you can email them and say "hey I'm the CEO and I need your password right now, I'm locked out of my account!" Much easier than engineering a 4GHz logic analyzer into a DDR4 form factor.
In my case, after putting a loaded gun to my head I still wouldn't give the police my access codes, but after they changed strategy and threatened my wife I broke immediately. The interrogator told the judge that if he suppressed the codes they would simply move to desoldering the chips off the board and move them to another device. The judge accepted that, despite objections. (and the fact that only works if the data is not encrypted on the chips you are transplanting)
What could be more "Hacker News" than a bunch of people thinking they need a secret password in case they are held "under duress"? Because obviously you are James Bond and to avoid being sawed in half by the villian's laser beam you will give away this secret password at the last moment. Nothing could be worse than if Dr. Evil steals your hard drive, oh god, not that!
After reading this I'll never travel with out a pre trip factory wipe and throw away accounts for the trip.
To be clear, there isn't anything to hide but I don't trust this government one bit and the cost of them scanning my password vault is way too high - it would take weeks to reset and clear old passwords.
Well pretty much everyone who works for a corporation has a responsibility to protect confidential information. However it's not really all that James Bond because the problem of international travel is normally solved by having code among other things not stored on laptops.
The responsibility to protect corporate information does not generally include any resistance to duress, almost every company has to simply accept that the health or life or imprisonment of the responsible employee is more valuable (really, on a whole different scale) than the protection of that information, and they have to instruct their employees to comply with any duress - just as bank tellers are instructed to just hand over cash when threatened, or as happened when duress was applied to employee family members in the https://en.wikipedia.org/wiki/2009_Bank_of_Ireland_robbery - if you're not working in the military or intelligence services where literally lives are at stake, it's exceedingly likely that your threat model should simply not include trying to resist duress, and if you do, you're immorally putting your employees at risk to protect something that's relatively not that important like corporate profits.
Yes but there's nothing to protect if there's nothing there. I don't think Apple expects its employees to fall on a sword to prevent customs officers from reading its plans for iPad 11.0. But they certainly expect them not to download such docs to their desktop right before hopping on an international flight.
It must be as old as passwords, meaning as old as language, relatively straightforward to implement in any kind of software, yet I've never seen it actually implemented in all this time. Closest has been the single triggered action to wipe everything after n failures.