
Dead Man's Switch

Definition

There are many kinds of dead man’s switches (abbreviated here as DMS). The DMS’s this post is concerned with are software-based. More specifically this post is concerned with what I will call Wikileaks/Mr. Robot style DMS’s.

Wikileaks is a non-profit that has a history of publishing highly classified news leaks obtained through anonymous sources. In order to protect the leaks, some are prereleased in encrypted form with the decryption key rigged to self-publish in case the operations of Wikileaks are obstructed in the meantime.

DMS’s are also used 3 times in the TV series Mr. Robot. One is first used by Elliot Alderson threatening to leak Fernando Vera’s drug supplying operation to protect his dealer sweetheart Shayla (S1E6). The second is in the form of an email from Trenton to Elliot hinting how to undo the 5/9 hack (S3E8). The last comes again from Elliot threatening to leak information to hurt the antagonist White Rose (S3E10).

There are 2 key elements common to the DMS’s I’ve referenced so far:

  1. A person or group that stands to lose something if private information is published.
  2. An adversary that rigs private information to self-publish unless deactivated.

Now I’ll consider the potential uses for such a device.

Use Cases

Self-Defense

The first use case that comes to mind for a Wikileaks/Mr. Robot style DMS is self-defense. If you learn something others want to keep private, you could be in danger. You “know too much”. From organized crime to classified government documents the most obvious way to deal with someone who knows too much is to have them killed, assuming you have let’s say a highly questionable moral compass. Dead men tell no tales.

A DMS is a way of turning the “knowing too much” problem on its head. It’s especially useful for dissidents and independent journalists that regularly find themselves pitted against powerful multinational corporations, the state and large criminal enterprises. It can be used as a bargaining chip to protect yourself and those you care about. If anyone you care about is harmed the private information is assured to leak, so instead of “dead men tell no tales” it becomes “living men tell no tales”.

You should think carefully before using one. They have the potential to be effective only if used correctly. First ask what the value of the leak is. The final time Elliot used one in Mr. Robot, the threat of the leak wasn’t devastating enough to protect him from White Rose. Elliot was only able to save himself by proving he had worth. It’s also important to consider how long the leak will hold its value. After Vera’s operation was over he stood to lose nothing from Elliot’s leak. Elliot was again saved only because of his value, not his DMS. The lesson there is to be thoughtful before using one.

Leak Defense

The next use case is to protect the leak itself. When the leak is obtained from an anonymous source it’s disorganized and hard to read. So before Wikileaks publishes a leak they have to curate the content. But there’s a danger that while they’re doing that the leak could be seized or destroyed by an adversary. To mitigate that they can set up a DMS so the data will get published either way. Then the adversary no longer has any incentive to interfere with the data curation process.

Offense

As for offense, it doesn’t make as much sense to use a DMS. Even though it could be used illegally for blackmail or extortion it would only be necessary if the offender was concerned about ending up in a situation where they can’t leak the information. At that point they’d probably be more interested in self-defense than offense anyway. Unless there are circumstances I’m overlooking then Wikileaks/Mr. Robot style DMS’s aren’t very useful for offense.

For the rest of this post I’m going to focus only on the self-defense use case.

Theory and Practice

In Theory

In theory the DMS represents a sequential, noncooperative game between 2 players. Player 1 (the defender) chooses between leaking Player 2’s secrets and doing nothing. Player 2 (the attacker) chooses between violence against Player 1 and doing nothing. Both players are assumed to be rational. Here are the payoffs for each strategy:

  1. If Player 2 commits violence then
     1. Player 1 loses 2 points (harm)
     2. Player 2 gains 1 point (retribution)
  2. If Player 1 leaks data then
     1. Player 2 loses 2 points (harm)
     2. Player 1 gains 1 point (retribution)

This point structure assumes both Players value retribution but not as much as avoiding harm. Both Players assume the other will adopt the strategy of maximizing their own points. Using the Minimax algorithm it can be determined that both Players will do nothing. Any other action would result in both players having fewer points. Points are represented for each Player in the format (P1,P2) in the decision tree below:

decision-tree [IMG]

In Practice

In practice there are a number of complicating factors. Player 2 may not know exactly what the leaks contain, making it impossible to value the cost of violence. Player 1 can create the perception of cost but in reality never set up the switch, set one up incorrectly so it doesn’t work, or simply forget to deactivate it and so trigger it. Player 2 may find a way to disarm it. To account for the real-world outcomes you would need a much larger decision tree. And even then, what are the chances that both players act rationally? So don’t think that a DMS is guaranteed to be effective.

Setup

If you still want to configure a DMS the first thing to consider is how to format the data you wish to include.

LUKS2

If you’re gathering data to be included in the leak on an ongoing basis then you should probably use an encrypted disk image file. I recommend using LUKS2 for the encrypted disk image. There are plenty of tutorials out there on how to use it so I won’t be going over that in this post. Leaking the data is easy: just publish the key slot passphrase.

GnuPG2

If instead you already have all the data you’re ever going to leak then you can just create a Tar archive encrypted with GnuPG. GnuPG is awful so you might consider other file encryption methods as well. It doesn’t matter that much so long as you use free software.

Content Distribution

Once your encrypted archive is prepared you’ll need to distribute it to others. Wikileaks “insurance” files were distributed through torrents. In Mr. Robot email was used. There’s no standard for this. It’s completely up to you how you do this part. The important part is anyone that would want a copy knows about the leak and can get a copy.

VPS Setup

Now comes the part of the setup where you need a server machine to actually trigger the DMS. If you’re using a DMS there’s no reason not to make it as secure as possible because securing it from a state-level adversary is only a few steps extra versus securing it from a mobster. I won’t cover how to secure your personal computer but if you’re using a DMS you should at a minimum have full-disk encryption enabled with a strong password.

To get started use an anonymous VPS since you shouldn’t have physical access to the server. If you have physical access an adversary could also gain physical access and permanently disarm the switch. So the first thing you need to do is acquire Monero. Then use Tor Browser to purchase a foreign VPS with the Monero, but don’t give the VPS provider your true credentials. You can ssh into your VPS with the command torify ssh <user>@<address>. Then you should harden your ssh configuration and put sshd behind a Tor v3 Hidden Service so a MITM can’t locate it. Once all that’s done you’re finally ready to set up the actual DMS.

Cron

There is free software that automatically configures a DMS, but it’s just as easy to set one up yourself. Simply write a script that checks for the existence of a file and schedule it to run at regular intervals using Cron. If the file exists, delete it. If the file does not exist, your script should execute a separate script that publishes the passphrase or private key needed to decrypt the data. It’s up to you where you publish the decryption key. Just be sure to test it first with a fake key.

Here’s what such a script might look like:

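#!/bin/sh
# File: /home/<user>/trigger.sh
# Run by cron. Consumes the disarm marker if present, otherwise runs the leak script.

FILE_DISARMED="/home/<user>/disarmed"
LEAK_SCRIPT="/home/<user>/leak.sh"

if test -f "$FILE_DISARMED"; then
    # Disarmed during this period: remove the marker so the next period starts armed.
    rm "$FILE_DISARMED"
else
    "$LEAK_SCRIPT"  # publishes private key etc.
fi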

The script for disarming the switch might look like:

#!/bin/sh
# File: /usr/local/bin/disarm.sh
# Creates the marker file that trigger.sh checks for and removes.

FILE_DISARMED="/home/<user>/disarmed"
GREEN='\033[0;32m'
CYAN='\033[0;36m'
NC='\033[0m'

if test -f "$FILE_DISARMED"; then
    printf "${CYAN}ALREADY DISARMED.${NC}\n"
else
    # Report success only if the marker was actually created.
    touch "$FILE_DISARMED" &&
        printf "${GREEN}SUCCESSFULLY DISARMED.${NC}\n"
fi

Those two scripts are the most important. Don’t forget to set their permissions as executable. Next you need to decide how often you want the switch to be triggered. You can set it to be as frequent as you wish but remember if the switch isn’t deactivated each time before trigger.sh runs it will publish the private key. The last thing you want is to accidentally trigger the switch. Phoenixnap.com has a great knowledge base article on using Cron. Here’s an example that triggers the switch monthly at 00:00 hrs:

@monthly /home/<user>/trigger.sh

And finally the client command to disarm the switch is:

torify ssh <user>@<address.onion> disarm.sh
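The advice to test first with a fake key can be followed entirely offline. The dry run below is an added example, not part of the original post: it repeats the trigger and disarm logic against a temporary directory, with a stand-in leak step that only writes to a local log. The names fake_leak, run_disarm, run_trigger, leak_count and dry_run are assumptions made for the example.

```shell
#!/bin/sh
# Dry run of the trigger/disarm cycle in a scratch directory (added example).
# Nothing is published: fake_leak only appends a line to a local log.

DMS_DIR=$(mktemp -d)                 # scratch state, stands in for /home/<user>
trap 'rm -rf "$DMS_DIR"' EXIT        # clean up when the script ends
FILE_DISARMED="$DMS_DIR/disarmed"
LEAK_LOG="$DMS_DIR/leak.log"         # constructed: one line per firing of the leak step

fake_leak() {                        # hypothetical stand-in for leak.sh
    echo "FAKE-KEY would be published" >> "$LEAK_LOG"
}

run_disarm() {                       # same logic as disarm.sh
    if test -f "$FILE_DISARMED"; then
        echo "ALREADY DISARMED."
    else
        touch "$FILE_DISARMED" && echo "SUCCESSFULLY DISARMED."
    fi
}

run_trigger() {                      # same logic as trigger.sh
    if test -f "$FILE_DISARMED"; then
        rm "$FILE_DISARMED"
    else
        fake_leak
    fi
}

leak_count() {                       # how many times the leak step has fired
    if test -f "$LEAK_LOG"; then wc -l < "$LEAK_LOG" | tr -d ' '; else echo 0; fi
}

# Simulate three cron periods and report the leak count after each.
dry_run() {
    rm -f "$FILE_DISARMED" "$LEAK_LOG"       # start from a clean, armed state
    run_disarm >/dev/null; run_trigger       # period 1: marker consumed, no leak
    p1=$(leak_count)
    run_disarm >/dev/null; run_disarm >/dev/null; run_trigger
    p2=$(leak_count)                         # period 2: a double disarm buys no extra period
    run_trigger                              # period 3: nobody disarmed, leak step fires
    p3=$(leak_count)
    echo "$p1 $p2 $p3"
}

dry_run   # prints "0 0 1"
```

The third period is also what happens on the first cron run after installation if disarm.sh has never been run, so create the marker before adding the crontab entry.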

Reminder

As an added bonus you could use Cron to schedule a script notifying you before the DMS is triggered. For instance if the DMS needs to be disarmed on a monthly basis you could write a script that emails you a reminder a week in advance to deactivate it. Again, a DMS is only effective if you don’t forget to disarm it, so I wouldn’t create a DMS without a notification script.

That’s it. That’s all you need to set up your own DMS.

Popularity

You don’t hear about Wikileaks/Mr. Robot style DMS’s being used very often. I assume that’s because of 3 reasons:

  1. They require knowledge of GNU/Linux, encryption tools and scripting
  2. They require continuous maintenance
  3. They don’t occur to most people to use

In my view DMS’s are woefully underused and they should be more common especially with dissidents, protest organizers and investigative journalism organizations. The fact that Jeffrey Epstein didn’t have a DMS before he “killed himself” is almost beyond belief. A man with his wealth and criminal connections should’ve had one. He could’ve privately paid someone to set it up for him.

I think about how his situation might have turned out differently if he had set one up. Assuming he didn’t commit suicide it could have protected him long enough to call out other rich and powerful people involved in sex trafficking. But it goes farther than Epstein. There are lots of situations where wealthy individuals and those with computer skills could have set up a DMS to protect themselves but apparently didn’t think to do so.

As I said before one should be careful before using a DMS. Using one is tricky in practice but it still seems like they could get far more use than they tend to. I’m generally in favor of them since they seem to be primarily used for preventing violence and protecting socially important leaks. Like any tool they can be misused for nefarious purposes. Based on present usage though, if they were used more often in the future, I estimate that, on balance, they would be ethically and socially beneficial.