Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#4107 closed enhancement (fixed)

TBB Panic button

Reported by: phobos Owned by: chiiph
Priority: Medium Milestone:
Component: Archived/Vidalia Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Request from a user questioned for using Tor at an Internet cafe. They request some way to quickly shutdown tor, vidalia, aurora and wipe the whole TBB directory with one push of a button. In this case, it was on Windows 7 Ultimate in the Internet cafe.

In a perfect world, it would also remove any evidence or data leakage left behind that would defeat a decent forensic analysis of the system.

I think this is really two requests, but I promised the person I would open the ticket for them.

Child Tickets

Change History (9)

comment:1 Changed 8 years ago by mikeperry

This is not a bad idea, but where should the button be?

It seems like the most user-accessible option would be a Torbutton menu option that says "Emergency Wipe.." But we'd need to confirm in case of accidental click.

Also, this is going to run into cross-platform difficulties. Windows for example really does not like you to be able to modify executables of running processes, so we'd have to fork off a new process, and then exit, and then notify the process to start wiping after exit. Then we'd have to figure out how to teach that process to wipe itself, which will be different on each platform..

comment:2 in reply to:  1 Changed 8 years ago by rransom

Replying to mikeperry:

This is not a bad idea, but where should the button be?

It seems like the most user-accessible option would be a Torbutton menu option that says "Emergency Wipe.." But we'd need to confirm in case of accidental click.

We would need a configuration option (off by default) to control whether that menu item is displayed/available.

Also, this is going to run into cross-platform difficulties. Windows for example really does not like you to be able to modify executables of running processes, so we'd have to fork off a new process, and then exit, and then notify the process to start wiping after exit. Then we'd have to figure out how to teach that process to wipe itself, which will be different on each platform..

Does CreateProcess still allow starting a process from a PE image constructed in memory?

comment:3 Changed 8 years ago by ancientmariner

Just my 2 cents: defeating forensic recovery in such a short time span is unlikely. Encryption would be the best way to defeat any recovery, assuming the adversary has significant resources.

comment:4 Changed 8 years ago by mikeperry

Component: Tor BrowserVidalia
Owner: changed from mikeperry to chiiph

I think I am going to move this to vidalia, as I think we'll need it to be the one juggling all of our processes to accomplish this on Windows.

comment:5 Changed 8 years ago by mikeperry

#4764 is a dup of this bug.

comment:6 Changed 8 years ago by chiiph

May be we could use a batch script that does something like: "sleep 5s && rm -rf /path/to/TBB" (in batch words). I'm not sure if we can say "cmd.exe 'batch script here'"

I'll investigate a bit and comment back.

comment:7 Changed 8 years ago by chiiph

For windows it should be something like this:

cmd.exe /C ping -n 5 127.0.0.1 >NUL & rmdir /S /path/to/tbb

The ping part is a hack because there is no sleep.

comment:8 Changed 8 years ago by chiiph

Resolution: fixed
Status: newclosed

A fix for this is in my branch chiiph/bug4107_panic. It has been merged to alpha and it will be out with 0.3.2.

comment:9 Changed 8 years ago by mikeperry

See #5432 for the Wipe Button. FTR, I disagree with ancientmariner's implicit statement that we should forever ignore adversaries who only have access to Norton Utilities because some adversaries happen to have tunneling electron microscopes.

Note: See TracTickets for help on using tickets.