We have this interesting feature proposal for /e/OS: a second "panic" PIN code that can fully erase the device in case of emergency. It's been rejected by Google for Android.
Do you think we should implement it?
hello...sent you a mail some time ago to email@example.com... the mail was in german, maybe the problem... ;-)
@gael probably not the most urgent thing to do, but indeed a nice feature to differentiate /e/OS from its competitors
The Kodachi Linux live operating system also got that feature, called a "nuke" password. It does that at the decryption partition prompt, I suppose it silently erase it and just "break it" instead of voluntarily describing the formatting process.
I appreciate the compliment. *(Except if it is for the Kodachi example, in which, it isn't mine obviously)*.
@gael is it a valid defense scheme? Like dumping the data is not done before asking you the password like you would do on a PC? It's a question not a criticism.
@gael yes but definitely don't forget that this feature will be used more often by mistake than in a real emergency situation😉
@gael Great idea! Everyone crossing a border and being interrogated unexpectedly will thank you.
But such a feature should NOT perform a factory reset because border patrol will probably consider that suspicious. Instead, it should be possible to select specific data to remain on the phone.
Also, it would be nice if the user was able to reset the system's apps using the Ripple F-Droid app.
@gael unless you have strong reasons to believe this matches the needs of your userbase or you think it would be really fast and easy to implement, I'd say there are other priorities
@gael that will land you in jail for destroying evidence. it's different from not giving out a crypto password
Depends on jurisdiction. Do not assume all the world is like US or EU. The ticket describes a specific use cases in specific countries, where people are not legally protected from self-incrimination and are literally beaten to reveal the password, which results in further incrimination of themselves and other people.
@kravietz haven't read the ticket, maybe just extracting some recipes, cat pictures and sms from mom to the empty device would be a better decoy :)
@kravietz i mean.. if i know that there will be rubberhose cryptanalysis, it's better to present a decoy with some really non-incriminating things than a completely empty device.
from what i've heard, some western countries already want you to show them your social media accounts when traveling to them, "i don't have one" doesn't count as excuse as well.
_maybe_ the best thing would be to not store anything which could be used against you on the device but online in another country. just removing the traces of these accounts from the device, while leaving said messages from mom and kitten pictures in place.
it's easy to think that these things have a technical solution, but i fear there isn't one.
> it's better to present a decoy
That's a great feature, and it has been suggested in the original ticket, but way more complex to implement than a simple "panic PIN" wipe.
> the best thing would be to not store anything
If you are on a demonstration against authoritarian regime and make photos of police abuse, it's hard not to store photos or videos if the very point of you being there is to witness them.
What's with the people, taking other peoples phones and getting them locked by trying all sorts of combinations? Could be a very rare case of total disaster. ^^
@gael, I think the better way is to do not erase the device but to open another profile and hide the original one or remove it (there should be a switch in the settings for that). It shouldn't be hard to implement on the original API of Android.
Erasing device is suspicious, but to have a clean profile with cat pictures and games will not get any attention.
I would like to donate 100 EUR (in BTC) for the one who will implement it in this way.
@gael Yes, that'd definitely be nice.
Just have it send out a message to everyone you mark as "ICE" in your contacts list.
@gael it'd be better to have the second pin get you to an alternate partition which gives you some plausible deniability
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!