New USB Cable Kills Your Linux Laptop if Stolen in a Public Place (zdnet.com) 151

A software engineer has designed a so-called USB "kill cable" that works as a dead man's switch to shut down or wipe a Linux laptop when the device is stolen off your table or from your lap in public spaces like parks, malls, and internet cafes. From a report: The cable, named BusKill, was designed by Michael Altfield, a software engineer and Linux sysadmin from Orlando, Florida. The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the laptop and triggers a udev script that executes a series of preset operations.
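The mechanism the summary describes, as an added example (not BusKill's code and not from the report): a udev rule that matches removal of one USB device, plus the handler it runs. The vendor/product IDs, the handler path, the arm-flag file and the `TETHER_*` variables are assumptions made for illustration; the handler only locks or powers off and must be disarmed-proof against deliberate unplugging.

```shell
#!/bin/sh
# Added example: udev rule + handler for a USB "tether" device.
# All IDs and paths are constructed placeholders, not BusKill's values;
# read your own device's IDs from lsusb.
TETHER_VENDOR="${TETHER_VENDOR:-1234}"     # constructed USB vendor ID (hex)
TETHER_PRODUCT="${TETHER_PRODUCT:-abcd}"   # constructed USB product ID (hex)
HANDLER="${HANDLER:-/usr/local/sbin/tether-removed}"  # hypothetical path

# Emit the rule for /etc/udev/rules.d/. On "remove" events the sysfs
# attributes are already gone, so the match uses ENV{} properties.
tether_rule() {
    printf 'ACTION=="remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
    printf 'ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s", ' \
        "$TETHER_VENDOR" "$TETHER_PRODUCT"
    printf 'RUN+="%s event"\n' "$HANDLER"
}

# Decide what one event means. udev exports the event's properties to RUN
# programs as environment variables; this function reads those.
# Prints one of: ignore | lock | poweroff
tether_decide() {
    [ "${ACTION:-}" = "remove" ]               || { echo ignore; return 0; }
    [ "${SUBSYSTEM:-}" = "usb" ]               || { echo ignore; return 0; }
    [ "${DEVTYPE:-}" = "usb_device" ]          || { echo ignore; return 0; }
    [ "${ID_VENDOR_ID:-}" = "$TETHER_VENDOR" ] || { echo ignore; return 0; }
    [ "${ID_MODEL_ID:-}" = "$TETHER_PRODUCT" ] || { echo ignore; return 0; }
    # Disarmed (flag file absent): unplugging on purpose does nothing.
    [ -e "${ARM_FLAG:-/run/tether-armed}" ]    || { echo ignore; return 0; }
    case "${TETHER_MODE:-lock}" in
        poweroff) echo poweroff ;;
        *)        echo lock ;;   # unknown modes fall back to locking
    esac
}

# Carry out the decision. DRY_RUN=1 prints it instead of acting.
tether_act() {
    action=$(tether_decide)
    logger -t tether "event=${ACTION:-?} decision=$action" 2>/dev/null || true
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$action"
        return 0
    fi
    case "$action" in
        lock)     loginctl lock-sessions ;;
        poweroff) systemctl poweroff ;;
    esac
}

# Entry points: "rule" prints the rule, "event" is what udev invokes,
# "arm"/"disarm" toggle the flag file before and after a session.
case "${1:-}" in
    rule)   tether_rule ;;
    event)  tether_act ;;
    arm)    : > "${ARM_FLAG:-/run/tether-armed}" ;;
    disarm) rm -f "${ARM_FLAG:-/run/tether-armed}" ;;
esac
```

After writing the `rule` output to a file under `/etc/udev/rules.d/`, `udevadm control --reload` makes udev pick it up.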
  • Edge case... (Score:5, Interesting)

    by Pyramid ( 57001 ) on Friday January 03, 2020 @10:03AM (#59581918)

    I fail to see the point given most laptops are stolen when they're left unattended anyway. A better idea would be a boot script that looks for a nearby RFID or NFC tag and executes a wipe if it's not present. Or simply fails to decrypt a volume.

    • by atisss ( 1661313 )

      You could just use BlueProximity for that. However, I guess you would have a very high accident rate.

      I fail to see how a cable can be accident-proof. Even remote wipe would be safer. Perhaps very niche top-secret data could use this, but then you need very good backups.

      • Re:Edge case... (Score:5, Interesting)

        by weilawei ( 897823 ) on Friday January 03, 2020 @10:29AM (#59582014)

        My work is already backed up by source control, local scheduled backups, remote backups, and, at least among engineers, this seems the norm.

        The potential loss to my employer for losing a work device would be much greater than any downtime. So we make sure devices fail locked or destroyed.

        I've always used full disk encryption when available, and it's much cheaper for me to lose a little time than to suffer a break-in. I would much rather that instance of the data be wiped on any separation from my person.

    • Re:Edge case... (Score:4, Interesting)

      by ThomasBHardy ( 827616 ) on Friday January 03, 2020 @10:12AM (#59581944)

      I assume the point they are targeting is if your laptop is already unlocked when stolen. If it was unattended, it should be off or locked already and existing security measures in place can handle that scenario.

      • Re: (Score:3, Insightful)

        by DarkOx ( 621550 )

        I can see this being a good theft deterrent for things like tablets and smart phones too. You could have a belt clip mounted extended battery to keep the device charged too. Make the cable bright orange etc. so would-be "purse snatchers" can see you are using it. Like "The Club" used to be for cars.

        These days a locked smart phone might as well be brick where petty criminals are concerned. All removing the cable would need to do is lock the device. That way they'd know their simple snatch and run won't net th

        • Phones have a remote delete option on them. Which is one reason why stealing phones isn't as common as it used to be. Also the phone has the ability to be tracked. So the thief will need to attend to a pissed off victim.

          • So the thief will need to attend to a pissed off victim.

            An angry smartphone user; how threatening... what are they going to do, 'record you to death?' They haven't got their phone. ;)

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            Stealing phones has morphed -- the bad guys now wave a gun/knife in your face and ask for your PIN, then put the phone into airplane mode. Or, they just grab the phone, put it into a foil lined bag, let it sit for a week or two, then disassemble it.

            Plus, phones are still a hot item. A new iPhone 11, even if it can never activate again, can sell for hundreds of bucks, just for parts. Lots of people want Apple screens, because third parties bring issues.

        • "Make the cable bright orange etc so would be "purse snatchers" can see you are using it"

          Why? Just use a cable attached to a grenade in your purse.
          Much more fun.

      • Re:Edge case... (Score:5, Interesting)

        by Zocalo ( 252965 ) on Friday January 03, 2020 @11:10AM (#59582168) Homepage
        On the subject of edge cases, IIRC, Ross Ulbricht (of Silk Road fame) was busted in a library while his laptop was unlocked, thus enabling the Feds to easily gain access to the contents and build their case. If he'd had one of these attached there's a good chance his data would have been wiping itself as soon as they grabbed him to put the cuffs on, and in doing so making it at least a little less likely he'd be enjoying his current room and board arrangements in Club Fed.

        See also USBKill [wikipedia.org], which was specifically created in response to the above arrest.
        • Ross Ulbricht (of Silk Road fame) was busted in a library while his laptop was unlocked, thus enabling the Feds to easily gain access to the contents

          ...easier access; FTFY.

    • Re:Edge case... (Score:4, Insightful)

      by Rockoon ( 1252108 ) on Friday January 03, 2020 @10:14AM (#59581948)
      RFID/NFC:

      Consider that these wireless things are not always readable. Someone is operating a microwave nearby... or sunspot activity is high... I have numerous wireless peripherals that occasionally have issues... whatever operation is performed automatically when these aren't seen would need to be pretty lenient to a failure to communicate.

      USB Dongle tied to belt:

      Tied to your belt, one wrong move by you or others and the system kicks in. Again it needs to be pretty lenient.
      • by Megane ( 129182 )
        If you're going to tie shit to your belt, you might as well make it a Kensington security cable. As a bonus, no code required!
    • Re:Edge case... (Score:5, Interesting)

      by kobaz ( 107760 ) on Friday January 03, 2020 @10:16AM (#59581958)

      RFID sounds much better... I believe this is a solution in search of a problem.

      The recent guy who got his laptop stolen at Starbucks and died while in pursuit seems like an isolated incident. Who the hell has the balls to take something out of someone's hand, in a Starbucks??

      Me personally, if I'm going to be traveling, I bring my 'throw away' laptop. It's a Dell i5 refurb with decent specs that I got for like $300 on [you know what store]. It took a few attempts actually to get this little guy. The first one I ordered was a DOA and they took it back no questions asked and sent a replacement that actually worked.

      This travel laptop is truecrypt'd and mostly used as a thin client anyway. If I was forced to divulge my password, all they would get is my VPN certificates which would be revoked anyway if after connecting they don't also log into the auth server within 15 minutes.

      My $300 laptop is not worth dying over.

      • Re:Edge case... (Score:5, Interesting)

        by Pascoea ( 968200 ) on Friday January 03, 2020 @11:29AM (#59582242)

        Who the hell has the balls to take something out of someone's hand, in a starbucks??

        People who haven't yet learned that actions have consequences. I was literally right next to a dude that had his phone stolen on a light-rail. Now that I know what was about to happen, it was a very well orchestrated maneuver, one that appears to have been practiced before. They found a guy that was in the seat right next to the door that had his phone in his hand. Just as the door was about to close they snatched it out of his hand and were out the door before anyone within 10 feet knew what was happening.

        • Another reason I always prefer to sit with my back to a wall, and away from the door but facing it.
        • Sounds like the Baltimore light rail. Back before I decided my personal safety was more important than saving a few bucks taking that thing, the usual suspects tried to get my phone a few times . . . everything from, "hey, can I borrow your phone to make a quick call?" to being eyeballed in the exact manner you discuss. After awhile, the only winning move is not to play.
      • Re: Edge case... (Score:2, Insightful)

        by Type44Q ( 1233630 )

        Who the hell has the balls to take something out of someone's hand, in a starbucks??

        Rest assured the victim is always sized-up except by the most deranged individuals... "Bernie Getz Syndrome," if you will. This lies at the heart of why the [wimpiest looking] of you fuckers need to be packing heat - not so you can blow some sorry fucked-up soul away - and live with potential guilt and regret for the rest of your life, unlike that psychopathic SEAL - but rather so that all but the most addled potential muggers have no fucking clue who is and isn't armed.

        • Re: Edge case... (Score:5, Insightful)

          by Chelloveck ( 14643 ) on Friday January 03, 2020 @01:46PM (#59582788)

          So let's examine the possible outcomes here:

          1. Guns are carried, but no one is actually willing to use them. Thieves learn this and are not deterred.

          2. Guns are carried and people are willing to use them. Thieves see more risk to themselves, but some are still willing to try for the ol' snatch-and-run betting that they can get away before guns are drawn. Good guys with guns open fire in a crowded Starbucks or on the subway. Property is damaged in excess of the value of the stolen item. Innocent bystanders are wounded or killed.

          2a. As I understand it, even when states have "stand your ground" laws they only apply when you believe your own life is in danger. A purse snatcher running away is not a danger to your life, meaning people would be less likely to open fire in the first place. See scenario 1.

          Frankly, I can't see how either situation is an improvement. Guns simply aren't a deterrent when the thieves' entire MO is that they can grab something and get away before anyone has time to react.

        • not so you can blow some sorry fucked-up soul away - and live with potential guilt and regret for the rest of your life

          Oh noes, I've got guilt and regret and angst for the rest of my life .... but only if I missed.

          Really, no. You don't kill someone over a phone. You only shoot to wound. You aim to KILL because they'll sue you over pain and suffering and who-knows-what-all if you don't. (You can thank overreaching lawyers for that. "My client is now crippled for life." "...while he was robbing a store at gunpoint. Now he won't sway while he's aiming. You're welcome.") Having a gun is ONLY a deterrent if all / most /

          • It's a very sad country that you live in, I pity you.

          • .. and live with potential guilt and regret for the rest of your life

            I'm okay with that. Yeah, I'll take that "rest of my life" thing over being dead or maimed.

            If it's true, at least I'd be alive to feel guilty and I'm more than willing to put up with some guilt as long as it means I'm still alive.

            And yes, I carry daily, and I have for ~30 years. I'm not the guy you have to worry about.

        • by Big Boss ( 7354 )

          I support 2A and CC. Please do not suggest that people use firearms for petty theft. That is illegal in most areas as is shooting someone who is running away. Most areas that allow self-defense with firearms only allow it when defending life and death situations. Stealing a phone or laptop is very unlikely to meet that requirement.

      • Comment removed based on user account deletion
        • by kobaz ( 107760 )

          Depending on the nation you're visiting, failure to decrypt or provide login credentials could get your ass into serious trouble. Don't like the rules, don't visit that nation. Technology has nothing to do with it when you're told by the authorities that YOU, personally, fucked up abiding by the law.

          What I'm saying is, yes, if *forced* to give a password to decrypt it, it's not actually a big deal. There's no customer data on there, there's nothing much of value other than bookmarks to some good xkcds and a VPN certificate tucked away in /etc/openvpn

          But if someone WAS competent enough to log into it, the connection would fire up I'm sure, they'll be able to ping and traceroute things, and eventually the connection is just shut off. It's not like walking into a hotel where you need to 'accept the po

      • I believe there is more to this story.

        Three people were involved in this theft. The thief, the person who held the door open and the driver. I think either the victim was deep into crypto currency, high finance or legal fields, or was a Govt contractor with some top secret info.

        The extent he took to do a flying leap into an SUV window is rather telling about the value of the laptop /data to him.

        Or he was just reacting stupidly to a common theft.

    • Other than deleting data... Which would take a long time if done in a non-recoverable action. I would just say send a power off function.
      And let a strong encrypted volume protect yourself, as long as you give your laptop a strong encryption password. For cases in which you feel your data is more valuable than the laptop hardware, I would expect you should be following best practices, vs an auto destruct switch.

      If I wanted a laptops data. I would power off the laptop, extract the drive make a copy of the da

    • by mark-t ( 151149 )
      Perhaps, but in the same vein as purse snatchers, there are some people who will grab something from right in front of you and dash off, and unless you were really expecting something like it would happen, they can disappear in a crowd faster than you can follow.
    • Why not a Bluetooth device? Works over large distances and even through walls. So you could go to the bathroom and leave your laptop on the table. The device could communicate that it lost connection, so you know if you walked past a particularly solid wall, or someone turned on a microwave and you need to go turn off the countdown.

      You could even incorporate buttons that control the settings, like turning off or delaying the wipe when you are leaving the laptop.

    • by dbialac ( 320955 )

      Given the consequences of a far more likely false positive, neither option seems like a great idea. I put this up there with Bike Mine.

    • OPAL (Score:4, Informative)

      by JBMcB ( 73720 ) on Friday January 03, 2020 @12:12PM (#59582406)

      Isn't this the idea behind self-encrypting drives? You put the decryption key (or part of one) on a thumb drive, and the laptop won't boot unless it's inserted. Combine this with an administrator password on UEFI, and the laptop is just about useless to the average thief.

    • The founder of the silk road could have used something like this.

      Two life sentences...

  • Let's reverse that and make USB cables that once we synch them to our allowed devices will kill anything they get plugged into :evilemoji:

    Tired of "losing" USB cables.

    Disclaimer:
    This post is intended as sarcasm. Any legal and technical obstacles to said post are irrelevant to the humor value and are not subject to normal rational evaluation. All rights reserved. Copyright 1/2/2019.. dammit 1/3/2020 I mean.

  • by Nidi62 ( 1525137 ) on Friday January 03, 2020 @10:10AM (#59581932)

    Have the removal of the USB trigger a script that when the laptop is opened it displays that gif of a countdown timer with Arabic writing and the speakers play a recording saying "I am a bomb!"

    That, or just have the belt lanyard connected to an exploding ink pack or a glitter bomb attached to the top of the laptop.

  • Can the script send the batteries into thermal run-away?

    • Why not send power to the surface of the laptop instead?
    • Re:Burn'em (Score:4, Informative)

      by flink ( 18449 ) on Friday January 03, 2020 @11:54AM (#59582324)

      Can the script send the batteries into thermal run-away?

      Probably not. The protection circuit for that sort of thing is usually built right into the battery (if the battery is removable) or is part of the power circuit on the laptop in the cases where the battery is integrated. I suppose you could build your own battery where the protection circuit could be selectively disabled and short the battery, but now you've got an incendiary bomb sitting on your lap, and you are way more likely to accidentally set off the circuit yourself than get your laptop stolen. Plus the risk of burning your house down while you sleep.

    • Galaxy Note 7 does that if damaged

  • Would the laptop be wiped and then re-imaged by the thief anyway? Wouldn't this device actually *help* the thief?
    • by Neon Spiral Injector ( 21234 ) on Friday January 03, 2020 @10:20AM (#59581974)

      That was one of the two thoughts I had.

      The other was that it'll be fun when you forget that the cable is connected to your belt loop, and get up to throw away a cup, or get more ketchup, or whatever, and wipe your laptop.

    • by Bert64 ( 520050 )

      The victims tend to be most concerned about data being taken, but most thieves don't care about the data and are only interested in the monetary value of the hardware or the parts it contains.
      Laptops are easy to sell, for data it's much harder to find an interested buyer assuming you have the skills to extract and identify the data.

      • So it's win-win for all concerned.
  • by Anonymous Coward on Friday January 03, 2020 @10:21AM (#59581980)

    imagine how many times this cable would get yanked out by mistake ~ dumb idea

  • by sinij ( 911942 ) on Friday January 03, 2020 @10:26AM (#59582000)
    Physical security requires physical solutions, as such this is a categorically wrong approach to address grab and run attacks. For example, if you are going to attach a laptop to your belt, why not make it robust enough to prevent theft in the first place?

    A kill switch may be a useful mechanism in protecting your data, but it is not an effective theft deterrent.
    • Re:Physical security (Score:4, Interesting)

      by DarkOx ( 621550 ) on Friday January 03, 2020 @10:31AM (#59582024) Journal

      Because the laptop isn't robust enough to survive an attempted force removal either. These things ain't built like they were in the days of those steel cabled locks on desktops.

      Because I want to discourage people from attempting to steal my laptop, not place myself at a high degree of additional injury risk in the process. Just making the "kill cable" bright orange or something would probably be enough. Let the crooks know they are just going to get a brick for their effort.

      • by sinij ( 911942 )
        Modern laptops are not necessarily fragile, search for rugged laptops if you are interested in finding one.

        For theft deterrent to be effective it has to be obvious. Your solution, a brightly colored cable attached to the laptop, could be just about anything. A potential thief, even after reading this /. article, would not immediately assume that a cable attached to a laptop is a kill switch. I think you would be better off with a fake "US Gov't Property - Satellite Tracked Asset" sticker on the lid.
    • Just use one of those laptop cable locks and loop it through your belt. Problem solved.

  • I don't get it. (Score:5, Insightful)

    by mcmonkey ( 96054 ) on Friday January 03, 2020 @10:34AM (#59582030) Homepage

    First, I'm going to trigger this a dozen times just getting up to stretch my legs before anyone attempts to steal my laptop.

    Second, the person stealing my laptop is after the hardware. Any kill switch to lock down or delete data is irrelevant.

    Third, if my laptop does contain data that makes it a target beyond just pawning the hardware, why am I using it in public?

    This is a curious proof-of-concept type toy, but I'm not seeing the real-world application.

    • by sinij ( 911942 )
      The real world application is someone concerned about shouts "FBI" followed by their door being knocked down. In this case such device will be effective at protecting your data, assuming you have a hard encrypted backup with plausible deniability image full of legal porn to justify the existence of encryption.
  • by Misagon ( 1135 ) on Friday January 03, 2020 @10:34AM (#59582034)

    Telling the world about it would only make "pranksters" yank your USB cable when you're not looking.

    I think a better solution would be to have hard encryption of your harddrive, a wireless tag (RFID, BT or whatever) that keeps you logged in if in proximity, and a login prompt that wipes the drive after n failed login attempts or after m hours of not authenticating (login, proximity to tag, or location-based).
    BTW, you shouldn't have sensitive data on a laptop anyway. It should be on the network servers, always, and you only log in from the laptop.

  • I'd rather have a process which checks whether my phone is within Bluetooth range when the machine powers on, or the screen unlocks. If it isn't then the process just overwrites the decryption key for my data volumes with garbage and changes the screensaver to read, "Property of keithdowsett@somedomain.com Phone: 001-234-5678"

    If it's a genuine error, then I have to restore the decryption key from a USB key and I can resume working. If my laptop has been stolen any confidential data is secure and there's

  • Impractical (Score:4, Insightful)

    by RobinH ( 124750 ) on Friday January 03, 2020 @10:48AM (#59582086) Homepage
    This replaces a rare problem (someone running up and stealing my laptop while I'm working on it) with a host of common problems (cable failures, software problems that fail to detect the cable, having to go to the bathroom, etc.). A more practical solution would be a laptop lock cable [walmart.com] that attaches the laptop to the table.
  • Comment removed based on user account deletion
    • They are grade-A assholes, even the drug addicts.

      Those people need help. Addiction is hella shit and people hit the breaking point relatively-easily.

      • Almost all addicts choose to become addicted. No one is forcing them to scrap up some Oxys from acquaintances. No one is forcing them to lie to their doctor about drug-seeking. No one is forcing them to shoot heroin. No one is forcing them to do blow.

        By and large all addicts made a choice to become addicted to something. There are exceptions, of course. Sex workers forced to get hooked, etc.

        But if an addict tries to steal your shit, it's not your responsibility to combat addiction in your community, but it

        • Addicts also may make a choice to stop being addicted, yet find that they are now unable to execute on that choice because addiction sucks.

          I could hold you to the same thing: you've no doubt made bad choices in your life, thus you're a worthless human being. The only difference between you and a drug addict is your stupidity didn't have severe long-term consequences--you got lucky--so you're no different than a heroin addict.

          • Sorry, but that's bullshit, people don't just wake up one morning to find themselves addicted to Oxycontin. Yes, I know there are a lot of people out there who take the stuff for chronic pain, I get that, but there are also a lot of people who just sat around after their surgery, didn't decide to follow the doctor's advice to get MOVING, and became stoned lumps for weeks after surgery.... THAT'S how people become an addict. It's like people who went from rich to homeless......it didn't happen overnight. At s
    • Yes, that might work. Although, you might get a problem where someone sits somewhere with a laptop, till the first person they don't like comes past, and then "beats them into the ER" using the laptop law as the excuse they need.

    • by Nidi62 ( 1525137 )

      Letting people legally tackle thieves and beat them into the ER with zero civil or criminal liability would be the decentralized, systematic disincentivizing you're looking for.

      Well there was that guy earlier this week who died chasing after someone who stole his laptop from Starbucks. That's why it's not really encouraged to chase after them.

    • The Texas/Louisiana statutes that you can stand your ground in defense of your property.

      Yes, there are such laws in many states within the USA. What every such law requires is some evidence of the defense of your property rising to the level of a felony. Some prankster going around in daylight stealing newspapers is not defense of property that would allow for a "stand your ground" defense. Rattling doorknobs late at night might do this, I emphasize might. I lived in Texas for a while and I recall laws like this coming up in conversation with co-workers and acquaintances. One distinction

  • Insurgents and activists have been using similar scripts for a long time - yank out a USB thumb drive and it triggers a script that wipes the disk.

    • Wouldn't a cable like this just be a loopback device with a script that checks if pings are still being sent around the loop? Think those foil traces on windows to detect breakage. Not very secure at all. I hope this thing works as an encryption physical key as well as a detector.
  • It's actually a system that runs a script when the cable is removed. What that script does is up to you.

    The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the laptop and triggers a udev script [1, 2, 3] that executes a series of preset operations.

    These can be something as simple as activating your screensaver or shutting down your device (forcing the thief to b

  • Wiping data only because the connector was yanked out is crazy. It's better having an encrypted FS and letting the script just shut down and power off the laptop. So, no cold boot attack is possible yet the data stay there.
  • and sleep mode does?

  • Because this sounds very much like an accident waiting to happen. Get the cable snagged somewhere? Oops, reinstall! Something falling and hitting the cable? Reinstall.

  • Number of times someone has grabbed my laptop in public: 0

    Number of times I've accidentally pulled a USB device out of my laptop: 100+

  • by Solandri ( 704621 ) on Friday January 03, 2020 @12:34PM (#59582492)
    Most laptops already come with a slot [wikipedia.org] for a security device [noblelocks.com]. If you're this paranoid about it being stolen, just buy the lock and cable, loop it around your belt, and attach it to your laptop.
    • See that rivet on the lock?

      That's the weak point. Give it a good hard turn 90 degrees, and I bet the rivet pops. I'd also question how they attached the cable, because there's an awful lot of ways to apply force to something without applying force to the laptop attached to it. (I once designed a device to snap locks by using an extremely high loading on a set of dynamic lines, with a trigger to release that load onto a single static line. The idea was to separate a lock from a bike and a bike rack without d

  • Trust not, suffer not. And if you see any shady character around, clutch your laptop. Don't worry if somebody thinks you're racist or whatever. Their feelings don't count vs keeping your laptop.
  • So, the people who steal laptops -- are they largely motivated by stealing the DATA on the laptop, or are they generally just trying to grab something that can easily be fenced so they can get their next meth fix? If the latter, congratulations, you've just wiped it for them and prepared it for resale.

  • If you're going to attach it to your body... why not use a braided steel cable so they can't steal it at all? Pretty dumb idea.

  • After all, NOBODY has yanked a cable out of their computer by accident, or suffered a cable / connector which is temperamental and sometimes disconnects for no reason.

    If you're so fucking paranoid that someone will steal your laptop then do whole disk encryption and use a strong password.

  • The Dread Pirate Roberts (Ross Ulbricht) really could have used this.
  • I have a much much much better idea. I have only recently implemented it.
    My home directory is on an encrypted USB stick. With USB 3.0, the speeds are insane.
    My computer is basically a piece of white goods -- it has the operating system, it boots up, but it doesn't actually have _anything_ that belongs to me. Everything is in the LUKS-encrypted USB.
    I have an entry in /etc/crypttab that looks like this:

    H /dev/disk/by-uuid/XXXX-XXXXX-XXXX-XXXX- none luks

    Which means that Ubuntu will ask for a password to decryp
