This week I read a post about the death of the Boeing whistleblower, and how Boeing might have suicided him.

I don’t care whether the rumors are true or not; however, someone mentioned in the comments that in such situations one should always have a Dead Man Switch.

For those who don’t know, a Dead Man Switch is basically an action TBD in case you die, like leaking documents, sending messages/emails, killing a server, etc.

The concept tickled me a bit, and I decided I want to build a similar system for myself. No, I am not in danger, but I would like to send last goodbyes to friends and family. I think it would be a cool concept.

How would you go and build such a service?

I am thinking of using a VPS to do the actions because it would be running for a while before my debit card gets cancelled.

The thing that is bugging me out is the trigger, I will not put that responsibility onto someone that’s cheating, so it would have to be something which can reliably tell I am dead and has to run regularly.

Here is what I came up with:

  • Ask a country association through email if I am dead.

  • Check if I haven’t logged out on my password manager in a week. If it’s even possible.

TLDR; Give me ideas on how to build a DEAD MAN SWITCH and what triggers should I use.

  • xmunk@sh.itjust.works
    8 months ago

    I think the classic choice is a ping with a wide enough margin of error to allow for temporary incapacitation. There are a plethora of ways to do this and the main concern would probably be obfuscation of the trigger and a proof of identity. In the modern world the cheap solution I’d suggest is connecting a server with a 2FA app on your phone and having a request string/web page where you can input a token. If the server goes a few days without a correct token it triggers the death script.

    I’d avoid anything that actively pings you since that traffic would be predictable and easier to snoop - potentially alerting a bad actor to the fact you have such a system set up… you also, obviously, don’t want to tell anyone you have such a system. And you definitely want some kind of rotating identity proof so that replay attacks can’t indefinitely delay the script trigger - random ass 2FA apps might be too easy to identify in this regard but it’s so trivial and accessible to implement that I think it’s a reasonable choice.
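
The check-in scheme from the comment above, as an added example that is not code from the thread: a server-side switch that accepts a TOTP token (RFC 6238, HMAC-SHA1), refuses any time step it has already consumed so a captured token cannot be replayed, and reports expiry after a grace period. The names `Switch`, `check_in`, `expired` and the 3-day `GRACE` value are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30                  # TOTP time step in seconds (RFC 6238 default)
GRACE = 3 * 24 * 3600      # assumed margin: 3 days without a valid check-in


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226) for one time-step counter, using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Switch:
    """Hypothetical server-side state for the passive check-in."""

    def __init__(self, secret: bytes, now: float):
        self.secret = secret
        self.last_checkin = now    # time of the last accepted token
        self.last_counter = -1     # highest time step already consumed

    def check_in(self, token: str, now: float) -> bool:
        """Accept a token for the current or previous step, once only."""
        current = int(now) // STEP
        for counter in (current, current - 1):   # tolerate small clock drift
            if counter <= self.last_counter:
                continue                         # step already used: replay
            expected = totp(self.secret, counter).encode()
            if hmac.compare_digest(expected, token.encode()):
                self.last_counter = counter
                self.last_checkin = now
                return True
        return False

    def expired(self, now: float) -> bool:
        """True once the grace period has passed with no valid token."""
        return now - self.last_checkin > GRACE
```

A scheduled job would call `expired(time.time())` and run the final action only when it returns true; the shared secret is the same one enrolled in the phone's authenticator app.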