by xanthine on 8/22/21, 6:15 PM with 343 comments
by nuvious on 8/24/21, 3:52 AM
It started as a simple weekend project based on an off-hand comment someone made in a security professional chat I'm in. I had used duress words in the military and translating the concept to a PAM seemed like a fun exercise. Also supports my current shift towards swapping careers from pure software engineering to cyber-research or cybersecurity generally. So in the end, it was a weekend project that served a dual purpose as a resume stamp.
The design use case I had in mind was more benign, such as corporate espionage or journalists getting their devices confiscated (maybe keep a sticky note on the laptop that has a duress password on it as a red herring). Comments to the effect that law enforcement would image a device are very relevant, as any competent law enforcement agency should have their staff trained to get the device fully powered off and hand it to someone that can maintain a chain of custody and get a golden image for use in potential criminal charges.
One thought I had was to apply this to SSH auth for honeypots, and if a rockyou.txt password is attempted it runs some routines that aid in crafting the honeypot before the intruder drops to a shell prompt. Another even more light-hearted implementation could be that password X is the one you log in with normally and your "duress" password Y just clears your browser history and is the one you give your spouse for when they log into your computer :). I'm sure there are use cases in the full spectrum and with it being a relatively simple implementation with user-generated scripts, it'd be easy to extend to any potential use case.
In any case I'm glad it prompted such a good discussion. Feel free to submit issues if there are particular feature requests or bugs that one might run across. Additionally if there's a PR up, I'm currently the only dedicated dev on the project and welcome anyone that wants to review my PRs; always prefer a 3rd person review even on my own projects. I created a demo video using Pushover and in the process of doing the demo uncovered some bugs that I patched as well as some fixes to the documentation. Again, glad you all found this interesting and humbled it fostered such a good discussion.
by oasisbob on 8/22/21, 7:51 PM
I once worked in a place with a keypad duress code on the security system. If you prefixed your security PIN with NN-, it was the duress version of the code and would trigger a silent alarm.
This was set up long ago, and not communicated. One night, the keypad was acting glitchy. Partially out of frustration (countdown is running), and partially to test, I ended up accidentally engaging the duress code by tapping a convenient corner number, which resulted in NNNNNNNNN-PIN.
After law enforcement had surrounded the building, a quick chat and search alongside a few officers got it all sorted.
by necovek on 8/22/21, 8:53 PM
I.e. when you are being selected for random questioning entering the US as a non-US citizen, you'd benefit from a steganography-like approach: you give a password, and relatively bland, non-personal stuff shows up, giving the appearance of full access to a system.
If you only care about your privacy, the next one is to have a destroy-everything script (and it's not that hard: usually, passphrases are only used to decrypt the actual encryption keys, so overwriting those keys should be super fast). This would also work against unsophisticated attacks which are not going to really cost you your life.
If there is a potential for you to be a target of a sophisticated attack and the attacker does not care about taking your life, the biggest benefit is to have a way to inform someone of your whereabouts while you are actually giving access, ideally in a way that buys you time (e.g. "webcam has detected stress on your face, please wait another 6 hours before trying to log in again" — sorry, company mandated software, when it happens usually, we call support).
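An added illustration, not part of the comment above or of any project in this thread, of why wiping key material is fast: the passphrase only unwraps a small key slot, so overwriting 80 bytes makes everything encrypted under the master key unrecoverable. The slot layout, the XOR-based wrap and all function names are constructed for this example and are not the LUKS format.

```python
import hashlib
import hmac
import os

SLOT_LEN = 16 + 32 + 32  # salt | wrapped master key | integrity tag (constructed layout)


def _kdf(passphrase, salt):
    # Stretch the passphrase into a 32-byte wrapping pad and a 32-byte MAC key.
    okm = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**12, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]


def make_slot(passphrase, master_key):
    # The random master key encrypts the data; the passphrase only wraps that key.
    salt = os.urandom(16)
    pad, mac_key = _kdf(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return bytearray(salt + wrapped + tag)


def unlock(passphrase, slot):
    # Returns the master key, or None if the passphrase or the slot is wrong.
    salt, wrapped, tag = bytes(slot[:16]), bytes(slot[16:48]), bytes(slot[48:80])
    pad, mac_key = _kdf(passphrase, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def erase_slot(slot):
    # Overwriting the slot is constant-time work regardless of how much data exists.
    slot[:] = os.urandom(len(slot))


if __name__ == "__main__":
    master = os.urandom(32)
    slot = make_slot("correct horse", master)
    print("unlock ok:", unlock("correct horse", slot) == master)
    erase_slot(slot)
    print("after erase:", unlock("correct horse", slot))
```

On real storage the old slot can survive in a header backup or in remapped flash blocks, so an overwrite of the live header alone does not guarantee the key is gone.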
by yosito on 8/22/21, 9:14 PM
by mgerdts on 8/22/21, 7:31 PM
by gnicholas on 8/23/21, 5:48 AM
One thing I have thought about doing is providing mistaken information to the caller and see if they go along with it. I came up with this idea when one bank said they could send me a text message and I could read back the number to them (huge red flag).
Does anyone else have any ideas for how to authenticate a BigCorp caller whose corporate policies do not allow them to provide any account information to the people they are calling?
by ChrisMarshallNY on 8/22/21, 7:07 PM
by f1refly on 8/22/21, 7:16 PM
All this would do is make you appear in a worse light to the deciding judge when it comes to trial or get your other kneecap shattered in a not so civil situation.
by rafael859 on 8/22/21, 7:24 PM
by aymendjellal on 8/22/21, 7:18 PM
https://www.kali.org/blog/emergency-self-destruction-luks-ka...
by als0 on 8/22/21, 7:45 PM
by withinboredom on 8/22/21, 10:54 PM
I was flying into Atlanta (Intl) with “radioactive” rocks (not on purpose, just picked some up near a volcano, they looked cool) and they flipped their collective shit. I was taken to a separate area where they dumped my stuff next to another guy who got pulled into “routine” inspection. This other guy “forgot” his phone pin earlier that day… he was still there four hours later, after my four hours of reasonably straightforward BS.
by sleavey on 8/22/21, 8:45 PM
by awinter-py on 8/22/21, 7:34 PM
https://www.huffingtonpost.ca/2017/02/22/canadian-man-custom...
5 years on we're somehow all managing our own crypto keys, the phone is the key to unlock our digital lives, so we're all in the counterintelligence game. more tools like this.
by xaduha on 8/22/21, 7:23 PM
by yawaworht1978 on 8/23/21, 9:07 AM
Anything else is simply not safe at all or might cost you prison time, check the UK laws on this.
by solatic on 8/22/21, 6:53 PM
Maybe a more modern concept would be to both a) have a duress private key, that triggers duress scripts in the same way, b) an implementation of ssh-agent that adds the duress private key when a duress password is entered?
by nullc on 8/24/21, 6:09 PM
And http://dmsteg.sourceforge.net/
Alas, work in this space appears to be abandoned. Too bad, too, because much could be done to improve robustness when writing with unmounted aspects, or preserving security against attackers that can take images of the disk at different times.
Not to mention: integrating the results in standard software so the mere presence of the software on your host doesn't harm the deniability.
by cortesoft on 8/23/21, 1:15 AM
by t0mas88 on 8/22/21, 7:18 PM
by bredren on 8/22/21, 7:53 PM
by new_guy on 8/23/21, 11:46 AM
I always wondered why more services don't offer it.
The reason we have it is it's a fairly political place (not by design, but when you offer 'free speech' you get everyone booted from every other place) and we've had a fair few members arrested, and I'd hate to think my site contributes to that so easy wipe.
by Razengan on 8/23/21, 7:28 AM
Call it Duress/Panic/Boss/Jealous Boy/Girlfriend/Puritan Family Mode or whatever.
iOS has something called Guided Access which sorta helps a little bit but is very obvious to the other party.
by ascar on 8/22/21, 7:49 PM
I would assume the user shouldn't understand that he was given a duress password, so is transparent the right term here?
by flenserboy on 8/22/21, 8:41 PM
by pessimizer on 8/23/21, 2:07 AM
by ttul on 8/22/21, 11:17 PM
by delgaudm on 8/22/21, 6:20 PM
by dclowd9901 on 8/23/21, 7:28 AM
by idlewords on 8/22/21, 7:19 PM
woD3PRBgELFHH9nuABH]ksD
Duress password:
duress123
by thrwyoilarticle on 8/23/21, 9:08 AM
A project that's 2 days old should be using $XDG_CONFIG_HOME. My home directory is where I need a clean slate, not your clutter.
by unixhero on 8/23/21, 11:31 AM
by michael-ax on 8/22/21, 9:36 PM
by nubela on 8/23/21, 9:19 AM
by ape4 on 8/22/21, 9:43 PM
by hannofcart on 8/23/21, 10:13 AM
by Shmebulock on 8/23/21, 7:25 AM
by nickdothutton on 8/22/21, 9:33 PM
by DangitBobby on 8/22/21, 7:46 PM