[guardian-dev] What is "Panic" discussion

Abel Luck abel at guardianproject.info
Tue Mar 5 09:21:39 EST 2013


Nathan of Guardian:
> (moving this discussion to guardian-dev)
> 
> On 03/01/2013 03:18 AM, David Oliver wrote:
>>
>> Nate - is your experience radically different? That is, is "panic"
>> indeed defined as a timeframe which can be handled by the current
>> software - which appears to me to be roughly 2-30 MINUTES?
> I replied to this in the other thread message, but it is important to
> consider how these things usually play out, and by these things, I mean
> the imminent detention of someone carrying a smartphone full of
> sensitive data. In general, even if they only have a few moments to
> realize something is going to happen, there is still quite a while
> between that happening, and their smartphone being accessed or
> inspected. In some cases, even in some of the worst places you can
> imagine, I have first hand knowledge that people were allowed to keep
> their phones for quite a while before they were taken and inspected. I
> am talking *hours* hours before these devices were removed from their
> pockets and inspected. OTOH, in more local cases with NYPD arrests,
> phones are immediately taken, but unlikely to be
> clone/processed/extracted for a few hours.
> 
> 2nd, I also want to make the point that if our target audience is using
> full-disk encryption of some sort (such as is built into Android 4.x),
> then the wipe process for this is quite fast technically, though the
> actual mechanism for doing this on an Android phone takes too many
> steps, and can often fail mid-process. For apps with SQLCipher or
> IOCipher in them, our hope is to optimize this process, and so the
> "insta-nuke" feature we have been designing into our new apps matter
> greatly here.
> 
> 3rd, in our work on panic apps, with InTheClear, the feature of wipe was
> paired with the "emergency distress beacon" feature that uses ongoing
> background SMS alerts containing GPS and cellular tower location to
> notify your friends, family, support network that something has happened
> to you. This is a whole other side of panic functionality that doesn't
> really involve anything about forensically sound data-wiping.
> 

+1 to all this. "Panic button" is a term being thrown around that means
different things to different groups. For some it is forensically wiped
flash memory, for others it is a distress beacon, for yet others it is a
dead man's switch that deletes/locks their online presence (Twitter,
Facebook accounts, etc.).

Some of these features are mutually exclusive.

Example:

On an FDE'd phone, the fastest and most secure way to do a wipe is to
overwrite the portion of the disk where the LUKS key is stored [1] and do an
emergency poweroff. This takes seconds. But, once initiated, the phone
can no longer be a distress beacon.

This is something I've stressed in my talks with others about a "Panic
Button". Different groups have different needs due to their different
threat models. I oppose the idea that you can create a Panic Button app
that will be generally useful for everyone.

~abel



[1]: quick FDE intro: your FDE password unlocks a key on disk which is
in turn used to decrypt your disk
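Added illustration (my own model code, not anything from Guardian Project, InTheClear or the apps named above) of why overwriting the key storage area is both sufficient and cheap: the payload is encrypted under a random master key that exists on disk only in a form wrapped by the passphrase-derived key, so destroying the wrapped copy leaves the ciphertext physically intact but permanently unreadable, and the work is bounded by the header size, not the disk size. The on-disk layout, header size, magic value, KDF cost and the HMAC-SHA256-in-counter-mode stream cipher (a stand-in for a real disk cipher such as AES-XTS) are all assumptions made to keep the model runnable with only the Python standard library. On a real Linux LUKS volume the equivalent step is `cryptsetup luksErase` on the device (or overwriting the header region directly), followed by a sync and a forced poweroff.

```python
"""Model of an FDE header nuke: wipe the key-wrapping header, not the data.

Added illustration, not Guardian Project code. Layout, sizes and ciphers are
assumptions chosen to keep the model stdlib-only; HMAC-SHA256 in counter mode
stands in for a real disk cipher such as AES-XTS.
"""
import hashlib
import hmac
import os

HEADER_SIZE = 4096        # assumed header size for the model (real LUKS headers are larger)
KDF_ITERATIONS = 50_000   # assumed PBKDF2 cost
MAGIC = b"FDEV"           # hypothetical header magic


def keystream(key: bytes, length: int, label: bytes) -> bytes:
    """PRF keystream: HMAC-SHA256(key, label || counter), 32 bytes per block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Volume:
    """A disk image split into a key-wrapping header and an encrypted payload."""

    def __init__(self, header: bytes, payload: bytes):
        self.header = bytearray(header)
        self.payload = bytearray(payload)


def format_volume(passphrase: bytes, payload_size: int) -> Volume:
    """Create a volume: a random master key wrapped under a passphrase-derived KEK."""
    master = os.urandom(32)
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS)
    wrapped = xor(master, keystream(kek, 32, b"wrap"))
    # Check value lets unlock() distinguish a wrong passphrase from a good one
    check = hmac.new(master, b"check", hashlib.sha256).digest()[:16]
    header = (MAGIC + salt + wrapped + check).ljust(HEADER_SIZE, b"\0")
    return Volume(header, bytes(payload_size))


def unlock(vol: Volume, passphrase: bytes):
    """Return the master key, or None if the passphrase or the header is bad."""
    h = bytes(vol.header)
    if h[:4] != MAGIC:
        return None
    salt, wrapped, check = h[4:20], h[20:52], h[52:68]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS)
    master = xor(wrapped, keystream(kek, 32, b"wrap"))
    expected = hmac.new(master, b"check", hashlib.sha256).digest()[:16]
    return master if hmac.compare_digest(check, expected) else None


def store(vol: Volume, master: bytes, data: bytes) -> None:
    """Encrypt data under the master key at the start of the payload."""
    vol.payload[:len(data)] = xor(data, keystream(master, len(data), b"data"))


def load(vol: Volume, master: bytes, n: int) -> bytes:
    """Decrypt the first n payload bytes under the master key."""
    return xor(bytes(vol.payload[:n]), keystream(master, n, b"data"))


def panic_wipe(vol: Volume) -> int:
    """Overwrite only the header with random bytes; cost is O(HEADER_SIZE), not O(payload).

    On a real device this is followed by a sync and a forced poweroff so that
    the overwrite reaches flash and the key leaves RAM.
    """
    vol.header[:] = os.urandom(HEADER_SIZE)
    return HEADER_SIZE


def demo() -> dict:
    """Format, store, wipe; report that the data is intact but now unreadable."""
    passphrase = b"correct horse battery"
    vol = format_volume(passphrase, payload_size=1 << 20)   # 1 MiB constructed payload
    master = unlock(vol, passphrase)
    store(vol, master, b"contact list: alice, bob")          # constructed sample data
    payload_before = bytes(vol.payload)
    wiped = panic_wipe(vol)
    return {
        "wiped_bytes": wiped,                                 # 4096
        "payload_bytes": len(vol.payload),                    # 1048576
        "payload_untouched": bytes(vol.payload) == payload_before,
        "unlock_after_wipe": unlock(vol, passphrase),         # None, even with the right passphrase
    }
```

The point the model makes concrete: after `panic_wipe` the correct passphrase is useless, because the only copy of the master key is gone, while the amount of flash that had to be overwritten did not depend on how much data was on the device. It also shows why the beacon and the wipe cannot coexist once the wipe starts: anything the beacon app needs from the encrypted partition is gone with the header.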