How to create a panic user

December 26th, 2010

A panic user is a special user that you can log in as, in order to destroy sensitive data if you were ever forced to log into your own system for the purpose of revealing the sensitive data to an untrusted organization, such as the U.S. government. This page describes a rudimentary method to create such a user.

Some words of caution

A panic user is not a substitute for steganographic encryption. If your captor believes you may retain memories of the destroyed data, a rubber-hose attack can still be used against you. Or he may simply decide to punish you for the destruction of the data.

Basic idea

A UNIX system allows multiple users to be created with the same user ID. For example, you can create alternate superusers by inserting an entry like this in your /etc/passwd,

superman:x:0:0::/home/superman:/bin/sh

or, on a Debian-based system, or on any system whose “useradd” command (not “adduser”) behaves like Debian GNU/Linux’s, by running a command like this:

sudo useradd -o -u 0 -d /home/superman superman

The superman user can do anything, since it is a superuser (in fact, it is identical to root in every way, with the exception of the login name and the home directory), so you can, for example, insert something along the lines of rm -rf / in /home/superman/.login. When you log in as root, the home directory for that login is /root, so this command will not be run. However, when you log in as superman, the home directory is /home/superman, so this data retention command will be run, hopefully deleting every single file on the system.
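The trick above depends on two logins sharing UID 0 while pointing at different home directories, which is also precisely what a hardening audit of /etc/passwd looks for. The following is an added example (not part of the original post) that parses passwd(5)-format text and reports UID 0 aliases and any other shared UIDs; the sample entries are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of /etc/passwd contents (not from a real system).
# 'superman' is a second UID 0 login with its own home directory, the setup
# described above; alice/bob show an ordinary shared-UID case.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
superman:x:0:0::/home/superman:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd(5) text into dicts; skips blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def shared_uids(entries):
    """Map each UID used by more than one login to the accounts sharing it."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e)
    return {uid: accts for uid, accts in by_uid.items() if len(accts) > 1}

def uid0_aliases(entries):
    """Logins other than 'root' that carry UID 0, i.e. extra superusers."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]

def audit_passwd(text):
    """Return one finding string per UID 0 alias and per shared UID."""
    entries = parse_passwd(text)
    findings = [f"UID 0 alias: {n}" for n in uid0_aliases(entries)]
    for uid, accts in sorted(shared_uids(entries).items()):
        names = ", ".join(a["name"] for a in accts)
        homes = ", ".join(sorted({a["home"] for a in accts}))
        findings.append(f"UID {uid} shared by {names}; home dirs: {homes}")
    return findings
```

On a live system, call audit_passwd(open("/etc/passwd").read()); an empty result means no login shares a UID with another.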

Of course, that takes time (on a filesystem with many directories and files, it could take many minutes), so you need to prioritize.

First refinement: deletion priorities

Following is the deletion priority I would establish:

  1. /tmp: If you just booted your system, there should be nothing there (so it wouldn’t take any time to delete /tmp). If you have been using the system for a while without a clean reboot (hibernation and sleep don’t count), sensitive temporary files could have accumulated for as long as a week to 30 days (depending on how your system is set up to delete stale temporary files).
  2. designated directory for sensitive data: If you keep a directory specifically for sensitive records, you should delete that first before anything else—you don’t want to waste time deleting your music collection so that your captors have the time to stop the script before it gets to sensitive documents.
  3. /home: A good, broad target is /home, since that’s where all your documents are.
  4. /var: Some programs (especially ones that run as system services rather than under a particular user) store data here. This is a natural target for deletion after /home.
  5. /etc: This is where system configuration files are stored. Configuration files should contain no sensitive information (with the exception of things like MySQL, where the configuration file may store database passwords), but as long as we are deleting everything, this comes before programs, which contain nothing confidential.
  6. /opt, /usr/local, and other directories that might contain local programs.
  7. Everything else, excluding /bin and /dev: You will need the tools in /bin and the device nodes in /dev for further data retention activities. These directories contain nothing confidential.

Second refinement: scrambling data

With files that have simply been rm’d, it is possible for a data recovery professional to recover much of the deleted data—after all, when you rm a file, the content is not actually erased, only the metadata pointing to the content. So, you should scramble the hard drive so that this type of recovery is more difficult.

Remember that you need to have left some utilities in the previous round of deletion for this to work. The main tool you need is dd, short for “disk dump”. Following are the steps:

… More to follow later
