Techlore Talks

Even with encryption and 2FA, if someone steals your logged-in laptop, you're compromised. Michael Altfield created Buskill - an open source USB "dead man switch" - to solve this analog attack vector. In this interview, you’ll hear about the real incidents that inspired it, the advocacy work that fueled it, and the collaborative engineering efforts that turned it into a practical tool for protecting sensitive data.


🔗 SOURCES & LINKS
• https://tech.michaelaltfield.net/
• https://buskill.in/
• https://github.com/BusKill


⏱️ TIMESTAMPS
00:00:00 INTRO
00:01:43 WHAT GOT YOU INTO SECURITY?
00:02:32 WHEN DID YOU GET INTO SECURITY?
00:03:31 WHAT IS A DEAD MAN SWITCH?
00:04:33 WHY DID YOU DEVELOP BUSKILL?
00:06:25 WHEN DID YOU START MAKING BUSKILL CABLES?
00:06:42 HAS THE PRODUCT CHANGED SINCE THEN?
00:07:42 WHO ELSE IS BUSKILL FOR?
00:09:08 WHAT OPTIONS CAN BE TRIGGERED?
00:10:53 IS IT POSSIBLE TO TRIGGER A FALSE OR ALTERNATIVE ENVIRONMENT?
00:12:16 CAN YOU WIPE ON WINDOWS OR MACOS?
00:13:40 LINUX INSTALL OPTIONS
00:14:16 MACOS & WINDOWS INSTALL OPTIONS
00:14:25 CAN THIS BE DONE ON MOBILE?
00:16:39 REAL-WORLD BUSKILL EXAMPLES
00:18:13 BUSKILL COMMUNITY
00:19:17 BUSKILL + OPEN SOURCE
00:19:44 STL FILES + 3D PRINTING
00:20:38 IS IT GOOD TO CREATE IT YOURSELF?
00:20:50 INTERDICTION
00:21:42 EDWARD SNOWDEN ON INTERDICTION
00:23:24 OTHER ACQUISITION METHODS
00:25:13 NOVACUSTOM PARTNERSHIP
00:26:00 BUSKILL + NICHE LINUX DISTROS
00:26:57 QUBES DOM0
00:28:27 UBUNTU & TAILS
00:30:02 DOES BUSKILL SUPPORT CHROMEBOOKS?
00:31:19 GETTING INVOLVED IN PRIVACY + ADVOCACY
00:33:05 HOW PRIVACY IS VIEWED WORLDWIDE
00:36:55 PERSONAL CHALLENGES WITH PRIVACY
00:39:11 GO-TO PRIVACY & SECURITY TIPS
00:40:11 BUSKILL + SECURITY KEYS?
00:43:06 SECURITY THROUGH OBSCURITY
00:45:25 CLOUD-BASED PASSWORD MANAGERS
00:46:09 LIVING WITHOUT A PHONE
00:51:57 CAN IT GET WORSE?
00:53:18 PROPRIETARY BROADBAND
00:58:49 WHAT DO YOU LIKE ABOUT NOVACUSTOM?
01:00:56 OUTRO


Creators and Guests

Host
Henry Fisher
Runner, artist, musician and digital rights activist. Owner of Techlore
Guest
Michael Altfield
Buskill
Editor
Tori
Techlore

What is Techlore Talks?

Techlore Talks brings you in-depth conversations with the experts at the forefront of privacy, security, and digital rights. Hosted by Henry Fisher, founder of Techlore and long-time digital rights educator, each episode features meaningful discussions with the people building, researching, and advocating for digital freedom.

From cybersecurity researchers and privacy tool developers to open-source advocates and digital rights activists—if they're shaping how we protect ourselves online, they're on this show.

Topics include: privacy tools and technologies, cybersecurity threats and defenses, open-source software, surveillance and digital rights, encryption, tech policy, and digital sovereignty.

New episodes released regularly. Subscribe and join the community at techlore.tech.

The top secret slide that came out of the NSA at that time is realistic to think that they are

intercepting millions of packages, routers, computers, and...

Today I'm really excited to welcome on Michael Altfield, who's a software engineer, writer,

security expert, and privacy advocate, who's mostly going to talk about Buskill.

And I did that review quite a while ago, and yes, this review was recorded earlier this year.

We're going to talk about what a dead man switch is in the situations in which,

especially for high threat model people, it can come in handy.

the reasons that he started Buskill, some real-world examples of where it's utilized,

the Buskill community, open-source stuff, 3D printing, and of course, zooming out into more

advocacy and why this stuff matters and why Michael cares a lot about security and different

practical tips for all of you. Without further ado, let's get into the interview.

Hello, everybody. I want to welcome Michael from Buskill. Do you want to introduce yourself a little

bit? Sure. I'm Michael Altfield. I have a website, tech.michaelaltfield.net, where I've been writing

about privacy and information security since about 2007, so almost 20 years now.

Academically, I studied computer science with a focus on secure computing and networking,

and professionally, I worked for many years as a Linux systems administrator,

and most recently, I worked as a lead engineer for the cybersecurity team at a cryptocurrency bank in the EU,

so pretty high-risk, highly-regulated environment.

Currently, I'm the founder of an open-source hardware project called Buskill,

which designs open-source software and open-source hardware for a dead man switch,

which is a USB kill cord with a magnetic breakaway in the middle that you tether from your body to

your computer. Similar to kill cords on jet skis and treadmills. If you're separated from your

computer then your computer will either lock, shut down or wipe its encryption keys. So right now I'm

the owner of a company, Alt Shift International, that sells these Buskill cables. Nice, and then what kind of

got you into the security space in the first place? How'd you get here? Computer science has always been

pretty important to me. I always built websites as a kid just like the internet. I always kind of had

a passion for the internet as like a kind of egalitarian bi-directional communication system

as opposed to like a unidirectional TV sort of cable system. And so, you know, I built websites

and I guess I learned about HTTPS and I learned about how to protect those services and privacy,

just security. They were always very important to me, especially when I realized that a lot of the

early internet services just did not have security built in mind. And I know that I could send an email

to my friends, my family, my lovers, and anybody else could read those emails, especially when I

for doing those sorts of things to other people. I wanted to learn how to protect myself and

how to teach others to protect themselves.

Yeah. And then what timeline was that? Was that before encrypted email was a little bit

more normalized?

So PGP existed. I think I learned GPG when I was like 17 years old, probably sometime around

2008. So I had this, there was this fun thing that I did when I was in the dorms where I set

up like a computer monitor in a quarter of the room that just ran, you know, ran BackTrack

and it just watched in real time all the photos that everybody in the dorm was viewing on Facebook.

This was pre-Snowden. After Snowden, they started doing HTTPS by default. So this is

before Let's Encrypt even. So Facebook by default, if you typed in facebook.com in your browser,

press enter, you would get on the HTTP website and then anybody else in that same network would

be able to view your traffic. Yeah, no, it's kind of crazy how far things

have come. And I know that attacks are still more sophisticated and it's always a cat and

mouse game, but it's nice that those basic things aren't a problem anymore for most situations.

What kind of led to the development of Buskill? And actually before we get into that,

do you mind just giving a basic explanation to what a dead man switch is?

Sure. A dead man switch is something that you connect usually to your body, to a machine.

It has a fail-safe such that if you are disconnected in any way, then the machine will turn off.

So this is a common thing, for example, for very high-powered, dangerous machinery.

And again, like I mentioned, many people have encountered this at a gym when running on a treadmill.

So if the speed is too fast and you fall off the back, then you have a little cable that you connect your body,

and it will turn the motor off so that you don't get thrown off the back of the treadmill.

Same thing for jet skis and boats.

You have a dead man switch that you connect to your body, to the motor.

And if you, for some reason, fall out of the boat, you don't want to be in the middle of the ocean with your boat.

Just keep going. So it's the same thing. It turns off the motor.

Yeah. And so this is the Buskill cable itself. It's very similar.

Same idea. Just has a carabiner that you connect to a loop.

And then this end connects to your computer.

And again, the simplest action is it locks your screen, but it can also turn off the machine and as well wipe the encryption keys.

As to answer the first question, why did I initially develop it?

I was traveling. So I think a common use case is travelers. I've been a digital nomad for the

majority of my life, majority of my career working as a Linux systems administrator, traveling around

South America, Asia, North America. And I always felt super vulnerable whenever I was working. So

I would frequently stay in just like cheap hostels with terrible Wi-Fi. And I would have to travel and

commute to either a co-working space or a cafe or a library to get good internet enough to be able to

do my job. And I found myself in those public spaces, logged into online banking or logged into

the AWS console for a company that has, you know, as a systems administrator, I have root access to

some systems. And if somebody stole my laptop after I had authenticated, of course, I used full

disk encryption, I used two-factor authentication, but after I've authenticated, if somebody steals my

laptop, then in that moment, especially with the help of a rubber ducky, they could cause an immense

amount of financial harm to me or my employer. So I came back to the United States, I was living in

New York City, and in 2017, that's when I built the first Buskill prototype. It wasn't a product,

it wasn't something I was intending to sell, and it was made with this. So it wasn't until a few

years later I came up with the name Buskill, and I posted some links to Amazon for how people could

buy this. This was literally the only USB-A magnetic breakaway cable adapter on the market.

It went viral, which is surprising.

Front page on Hacker News, all the journalists covered it.

And then everybody bought these out.

Like, literally, they went out of stock.

Nobody could buy these anymore.

People were asking me, how do I build these Buskill cables?

So that's when I realized that, because there was no other,

well, actually, I contacted the manufacturer,

and they told me that they were end of life,

so I couldn't even resupply Amazon.

So that's when I reached out to Crowd Supply,

and I started making these cables.

When did you start making them?

What was the first year?

So I built the first prototype in 2017, and then I posted it out in 2020.

And then in 2022 was when I raised $20,000 through crowdfunding, and shortly after that,

started manufacturing them.

Awesome.

And are the ones that you're selling today the same version of the ones that you were

selling originally, or have there been any developments?

There's only been one development, that is from a prototype that was manufactured by some

other manufacturer, where I was just like, buy this, buy this, buy this, and then build it

yourself, to this, which is the one that I make.

And we're doing a third production run. We just sold a bunch of cables to a really great company called NovaCustom. And that gave us the funds to be able to initiate our third production run. And we're sticking with the same design. We've gotten really good feedback. They're pretty durable. They use very durable magnets and people seem pretty happy with them. So we haven't felt a need to change the hardware design.

Nice. And so it seems like I understand where this comes into play for somebody who might be a journalist or someone who's working with really sensitive information or even having to secure whatever information their employer might need to keep safe.

I think that your examples of traveling around a lot make a ton of sense.

But can you think of any other use cases for somebody who might just travel to their coffee shop and get some work done?

Do you think that there is a selling point for them to use a product like this?

I think there is a limited niche market for this sort of thing. It is people who are more high risk

or dealing with sensitive data. Obviously, everybody has sensitive data. You know that the whole

the whole notion, I have nothing to hide, like, well, of course, you do your credit card number,

don't you have that to hide? So if you're logged into Amazon, even, like, the amount of financial

damage that they can do is not that significant compared to somebody who's doing cryptocurrency

trading from a cafe or something. So the level of risk does vary. I think everybody could benefit

because at some point, somebody has, well, I guess it's possible that some people are completely unbanked

and they literally do not use any financial currencies online. And those people maybe,

yeah, it's not so beneficial for, but I really do think most people could benefit somewhat. It's

not the type of device I think that most people would use every day. But even me, I don't use my

Buskill cable every day, but several times per year, specifically when I'm dealing with cryptocurrencies,

or online banking or dealing with my taxes,

when I have a ton of documents open with my social security number,

that's usually when I pull out the buskill cable.

Nice. And so let's dive into kind of the flexibility of the cable

because you mentioned several times that you can change its behavior if it's triggered.

So if you pick up your laptop and then the magnet breaks,

you say you can either wipe the encryption keys, you can reboot the device, etc.

So what are the different options that can be triggered when that's severed, essentially?

Yeah, so if you use Linux, it's anything because it's scriptable.

You can, the original design, I got some criticism when I first published about Buskill because it was a DIY guide for Linux hackers like myself.

It was never intended to be easily accessible.

And people said, oh, who actually runs Linux laptop?

Maybe many of your viewers do.

I understand everybody else doesn't.

So I spent a lot of time between that when the press picked it up and I actually started manufacturing it to lower the barrier of entry significantly.

I spent a large amount of time trying to make it more accessible.

And now we have a GUI app that runs in Linux, Windows and macOS.

And in that app, there's two options only.

And this is very intentional.

You can lock the screen or you can shut down.

Sometimes people get very scared, rightfully so.

When I say self-destruct wipe your encryption keys,

there's a huge potential for data loss there.

That is something that we intentionally raise the barrier of entry on.

You cannot do that.

Well, first of all, that only works for Linux.

The self-destruct LUKS header shredder trigger only works for Linux.

It only works for LUKS, and that will never be an option in the GUI.

You have to edit on the command line to change that.

And if you go down that route where you are setting up something on the command line using a udev rule in Linux, you can run anything.

You can write your own script and have it trigger whatever you want.

We've had some people, for example, interested in sending some sort of query to their server to wipe their server if their Buskill cable ever triggers.

So that option is certainly, it's more flexible on Linux, but on Windows and macOS, there are currently only two options.

Lock your screen and trigger a soft shutdown.

Nice. Those all seem like very cool use cases.

And the flexibility seems awesome.

Has anyone out of curiosity set up some kind of false environment where if it's triggered, it might log into a different user account with false data?

Is that possible?

Just to kind of test the flexibility of it.

Yeah, I mean, what comes to mind is VeraCrypt hidden.

I don't know how you could do that because you'd have to like reboot.

I don't think you can do that live, right?

You'd have to like reboot into a new environment.

And I don't know how you could make it survive and remember that you want to go into the hidden

volume after reboot.

I think you would probably have to make some changes to VeraCrypt software.

I don't know if it's pluggable or expandable or something like that to make something like

that work.

That's an interesting idea, though.

Could you maybe partition a drive and boot into a different partition?

Is that something you could trigger?

Well, I don't know if UEFI or BIOS works like that.

Like, I don't know if you can say before you reboot, please reboot into this device.

Got it.

Got it.

Interesting.

I was just curious.

It was an idea because I know there's like decoy login passcodes that you can use on some devices.

Yeah, like a duress password.

Yes.

Yes.

That's the word.

I was just curious.

It's really cool to offer that flexibility.

Can you, I assume you can't have that on Windows and macOS, though, those unless, and I guess

maybe this is good clarification, because you said there's only the two options on Windows

and macOS, which is shut down and lock out of your user account.

Can you still do the wipe one, or is it just not possible at all in those operating systems?

It is not possible at all.

The next one that I would like to do is VeraCrypt, because once you get VeraCrypt, I think that

works in all platforms.

So I would like to, it's on my backlog, it's on my to-do list. And if anybody would like to help with that, we did have a volunteer start to work on that. I think they got stuck on, you know, these operating systems sometimes don't like you to run sudo.

You know, like if you want to overwrite the header and VeraCrypt also has a footer, then you need to have root access.

And that's a little bit tricky, especially like obviously you can escalate your program where it pops up a pop up and says, please type your password.

But like if your door is being battered down by a battering ram and a bunch of bad people are coming with guns to take your computer away from you, you don't really have time to authenticate with your root password.

So I haven't delved into that yet, but the code is halfway written, I think, for a VeraCrypt

trigger.

FileVault would be the next one on the list.

And my experience developing on Apple's ecosystem is incredibly painful, to say the least.

So, yeah, that is what would be required to make it available on those systems.

Nice.

And then on the Linux front, I assume that you just have a downloadable, executable or downloadable DMG for macOS or package.

But on Linux, what's typically the main way that people install there?

So we've got two options.

If you have a Debian-based system, then you can simply do sudo apt-get install buskill.

It downloads fast.

It's in the repos.

It doesn't even have to download an executable.

It's just Python directly executed with Python.

So the source code is very safe, very secure.

That's the best option if you have a Debian system.

Otherwise, we have an AppImage which should work on everything else that's cryptographically verified.

If you want to verify, if you want to know how you can verify that cryptographically,

go to our documentation, docs.buskill.in.

Nice.

And then was it a correct assumption with how macOS and Windows are done?

Yeah, that's .dmg and .exe.

Perfect.

And then I assume there's really no easy way to do this on mobile devices.

Do you mind explaining why?

or maybe I'm wrong. It's actually more possible than you're suggesting. So Buskill originally

was just a udev rule on Linux. From there, after I published that, some guy who was just

anonymous on Twitter ported it over to Windows, which is awesome, within a few days or a couple

weeks. But that wasn't very flexible. Somebody else made another version of Buskill. But then I kind

of did a rewrite at some point, which is what we currently have with the Kivy framework in Python.

And I specifically chose that because it supports Windows, Linux, macOS, iOS, Android, and Raspberry

Pi. I don't know about the Raspberry Pi, but the point is that the GUI components, most of the code

should already be fairly straightforward or over. The next part, which is my biggest concern,

is how do you then actually implement a lock screen

or a disk wipe or a shutdown?

It's been my experience that Google and Apple

doesn't let people own their devices, right?

They don't like users doing these advanced functions.

So I haven't looked into it too much.

If any of your viewers are experts

in developing for mobile platforms and you know better,

please let me know.

but I'm afraid that I would end up playing a cat and mouse game.

And my biggest fear is giving an assurance to users that is not valid,

such that they rely on it.

Some people, if you're a whistleblower or a journalist or an activist,

human rights defender, your life may literally depend on this technology working for you.

And if Google pushes down an update that prevents apps from being able to lock their screen

or wipe the encryption keys or something like that,

and you're expecting it to work, but suddenly your phone updates and it no longer works,

that could cause real serious harm.

I don't see that being as much of a problem on desktops.

But with mobile, I foresee that as a possibility.

Again, if I'm wrong, please correct me.

But anyway, it's possible.

It's not our highest priority though right now.

Yeah, do you mind?

There's a lot of questions that stem from that,

but maybe the first starting point is,

do you have any, I guess, real world stories

or situations that you're able to cover

about journalists that you know who've used Buskill?

You don't have to use names either.

if you're not able to.

Well, I mean, I make an intentional effort

not to find out who my customers are.

We have a website that's on the clearnet.

We also have a website on the darknet.

You can go to our .onion site.

You can pay with Monero.

We make it a very intentional, strong effort

to let people purchase it anonymously.

And a lot of our customers take advantage of that.

I can tell you that when I,

the most visibility I had into my customers

was when I did the crowdfunding.

And in that case,

some people had accounts with Crowd Supply

and I could see the business names

and some of them were penetration testing companies.

So I don't know too many of that.

I have heard from some activists.

I think in the early days,

back when I originally published it,

some of the people who bought these out on Amazon,

they were activists.

But yeah, that is a question.

It's a very good question.

It's something I get a lot,

but it's something I will probably never try to figure out

because it's just best for my customers.

Yeah, I guess maybe what I was maybe wondering about

is not you getting insight into what they're using, but more so them going on.

And I know it's probably not good OPSEC, but I have seen some journalists and activists

maybe cover one or two tools they use.

And maybe if they just went on socials and said, oh, like we use Buskill for our journalists.

But they probably also don't want to announce that either.

So I was just curious if you've seen any kind of publicity around that.

Now to the community, it seems like there's been a lot of community involvement.

What are some of the, did that surprise you at all?

and what were some of the most, I guess, noteworthy community contributions?

Yeah, I mean, like I said, after I published, of course I was surprised.

When at FrontPage, I had journalists from all over the world in like 10 different languages

messaging me and interviewing me, asking me about this thing.

That was a huge surprise.

And then, of course, with that going viral, a lot of people started contributing.

Like I said, somebody ported it over to Windows.

They didn't even contact me.

I just saw on Twitter that somebody had made a Windows version of it.

That was cool.

Certainly surprising. One of the greatest contributions we have is a, I mean, so this is

an injection molded version. You'd have to cut it open to verify the integrity of it. I'm not

incredibly happy about that, but it is the lowest barrier of entry. Again, like making this thing

accessible to journalists who are not tech savvy was very, very important to me. But from the very

get-go, I wanted a 3D printed version so that people can make it themselves, wouldn't have to

worry about the risk of interdiction.

And Melanie Allen has done a great work there.

She has been a wonderful contributor to Buskill.

Nice, and so both the hardware and software

are open source, correct?

That's correct.

Yeah, you can go on to, so github.com/buskill.

You can find all our repos.

The most important one is buskill-app,

which is the application, the Kivy application

I mentioned with the GUI.

And then there's another one for,

with both the STL files you need to print it,

if you want to make your own or also this as well, the CAD file, the STL files for this is also on that repo.

So do you mind explaining STL files as someone who doesn't do 3D printing?

I assume that's just a common file format that you can use to print at home.

Yeah, it's a file format that describes 3D objects.

So that's the type of thing that you would throw into.

So the sources for that are OpenSCAD, and I think I might have used FreeCAD.

So the 3D printed version sources are OpenSCAD,

and this version I used FreeCAD.

So those are two different pieces of open source software

that you can download to the objects.

And then you can export from there,

which I guess is somewhat lossy, an STL file.

And then the STL file is what you would use.

It's cross-platform.

That's what you would use to import

into your 3D printing software.

Okay, so let's say I'm...

I'm an enthusiast. I want to build it myself. And perhaps even, would you argue, that's a good

supply chain attack mitigation to create it yourself at home, perhaps?

Yeah, absolutely. That's exactly why we do that. So for your listeners who aren't familiar with

interdiction, this is a technique that is used commonly. The best insight I had into interdiction

was some years ago when the CIA had a cyber warfare arsenal of zero days that they held.

Rather than communicating them to the manufacturers like Cisco, which would have kept us all safer, they kept them secretly.

And then they got hacked and they got leaked.

And one of them was called the Angel.

This was a hack on a Samsung TV that got a lot of press because it allowed them to remotely turn on your camera and watch you from your TV.

So people didn't like that.

But a lot of the news coverage talked about the way in which the CIA was able to infect these devices required them to first one time insert a USB drive into the device.

So people said, oh, well, like the CIA isn't going to come into my home.

And that was true.

And there's a really good there's a really good interview that Jeremy Scahill did with Edward Snowden on this.

And people go, oh, well, the CIA is not going to be breaking into my house.

Right. And that's actually true.

What they do is they wait for when these devices are being shipped to you, when you order them on Amazon or whatever.

They go to them at the airports.

They get the box.

They use a little hairdryer to soften the adhesive.

They open up the box.

Then they put the USB stick in it.

They seal the box back all nice and perfect.

And then they ship it on to you.

And now your router, your computer, your TV is hacked.

This is a very routine thing that happens.

They don't actually go into your home.

These people will instead install these special rooms in airports.

And when we order from Amazon, that's when they install the implants.

So this is called interdiction.

And I believe the slides, the top secret slides that came out of the NSA at that time, I think it was from 2003, the slides were, they were released in 2013.

They were boasting about them doing, I think it was a little shy of a million of these interdiction attacks per year on people globally.

And they were boasting about how they wanted to increase it beyond a million.

So now, a decade later, two decades later, it's realistic to think that they are intercepting millions of packages, routers, computers, and interdicting them.

And of course, it would be a tasty target for them to go after people, human rights defenders, journalists who are buying Buskill cables.

So for us, it was very important to provide a way for people to be able to print their own.

Does that answer your question?

No, it does.

And I think that's really important, I guess.

So I'm guessing, and this is really hard to give personalized advice for different situations,

but my assumption is that probably the least safe thing that someone in a situation can

do is order online with their full name to their address, because that signals you're ordering

something from, it doesn't matter if it's an iPad, a Linux laptop, or a buskill.

If your name is attached to it, then there's probably a way for that to be targeted in some

way. I assume the next best thing is to buy it yourself from a store, like going to an Apple store

and paying cash for a device. I'm assuming it's less likely that anyone can be targeted via that

avenue. But I'm sure the best case scenario, like you said, is just to build it from home. Are those

all probably good assumptions? Those are the different levels. If you build it yourself,

like God help you, that is hard. I haven't even done that. Melanie Allen is an expert. You can find

stuff on that. But be aware that is very difficult. So we do try our best as we can. I mean, we have

to ship atoms through the mail, right? There's no getting around that. We have to put a name and an

address on a package. We need to get an email address. But I think we do as best as we can. So

if you want to avoid interdiction, buy from our .onion site, use Tor, use Tails, use a fake name,

use the name of a neighbor, of a friend, of a family member, ship it to them, use an anonymous

email address. All of these things are fine as long as you know in some countries if you use the

wrong name that they won't deliver that's not an issue in the United States but in Germany for

example if your name doesn't actually match what's written on the door they will not deliver it.

So you know you have to be aware of those sorts of things but yeah we do our best using these tools

Tor and Monero to be able to allow people to avoid interdiction but as you said yes you can buy it

in store. I'm very happy that we now have I've yet to find a single brick and mortar in the entire

United States that sells privacy hardware. If anybody knows of one, please let me know. I'd love to

reach out to them. But Europe is full of them. So we now sell out of brick and mortar at ProxyStore

in Leipzig, Germany and in the Netherlands. NovaCustom also through a special collaboration.

They now allow people to pay in cash, go to their office. It's not even a retail store. You have to

make an appointment beforehand, but you can go to their office, pay with cash and pick up a Buskill

cable there. And that obviously is the best way. Super cool. And we also are going to be interviewing

the main person behind NovaCustom. So watch out for that. And I think they do mention the

Buskill partnership as well there. So yeah, he's nice. He's really great. That's really good to

hear. And I didn't I saw I sent you an email hoping saying that hopefully they send you a laptop. And

I didn't realize I watched your video the other day seeing you hold it out. That was really cool

to see. Yeah, yeah, no, it's been really fun to play with. And actually, what would be really

awesome is to, and this is actually a good question to get on topic, because they sent

me a laptop with Qubes. So what's the compatibility like with Buskill and maybe more niche operating

systems like Qubes, Tails, Whonix, etc.? Yeah, great question. So as I said, I first built

a Buskill cable with this thing back in 2017. I was using Qubes at the time. So from the

ground up, the first day running, before I even started making these things to sell to

other people, yeah, Qubes was supported. That's what I was using. It is, of course, a little

complicated. I think if you're using Qubes, you're probably okay using the command line. You do have

to use the command line because the way it works with sys-usb, you have to then use some other qube

to copy the files into dom0 because you do need some files to live in dom0. And you can

read very easily the files you have to install. It's like less than 50 lines. You can very easily read

them and understand them. For people who aren't familiar with Qubes, I'd say that, and correct

me if I'm wrong. The best way to describe dom0 is kind of like the manager of everything

else that you do on Qubes. It's kind of, I'm still trying to figure out the best way to describe

dom0 to people who haven't used Qubes. Maybe you're better at this. Yeah, I write for a pretty

technical audience. Sorry. The hypervisor is the appropriate term. But yeah, you're right. The

manager, it's the thing that has the most privilege. So like, if you gain access to this thing,

then it can have access to all of your other VMs, which are supposed to be isolated, right? So you

sure you don't install software in dom0. You don't give internet access to dom0.

Actually, that's not true. But you try to minimize as much the surface area for attack with dom0.

Yeah, hopefully that makes sense. It's kind of like a super, it's the equivalent in my end,

if you use Windows, and you have an administrative account, and then a standard user account,

you want to do as much as you can in a standard user account to maybe prevent admin access being

abused, and the admin account kind of manages the guest account. The way Qubes is run is all through

virtual machines, and dom0 is kind of controlling the virtual machines. So hopefully that's... Yeah, I'd

say that's right, and that's kind of on steroids too, because like you still have to use

the administrator account fairly commonly, like on Windows, like if you want to install software. But

like you can become administrator inside the VMs and then you don't have that much power. Like you're

able to do administrator action in Qubes such that you don't actually need to become administrator on

dom0. So you have to use even less than you would on Windows. But that's generally a good way to

put it. Sorry to cut you off. If you don't mind. Continue. I just wanted to make sure people weren't

lost. Compatibility for Qubes and Tails and all these devices. Yeah. So Qubes was from the get-go

what was originally Buskill was designed for and then ported. Actually, so I kind of lied. In the

original article that I published, I published it for an audience of Ubuntu. So I ported it to Ubuntu

for the general audience because I knew that not that many people use Qubes OS, but that was originally

what it was designed for. And then with Tails, that was pretty easy. So like if you, so Tails has a

built-in, you don't have to use the app, the Buskill app in Tails at all. Tails has a built-in

emergency shutdown sequence such that if you just yank the drive out of your computer really fast,

it wipes its RAM and powers off super fast. This is a really great feature, but it's, you know,

if somebody batters your door down with a battering ram,

can you actually yank this thing out?

Will you have the presence of mind to yank this thing out

before they grab at you and steal your laptop away?

So that's where Buskill actually comes in handy.

You're able to connect your Tails USB,

not a specific Buskill USB,

the same USB drive that you're using with Tails,

because again, Tails is the amnesic incognito live system.

It's a live system that runs from your USB drive.

So if you're using Tails,

you're necessarily using a USB drive already.

If you, instead of plugging into your computer directly, plug it into your Buskill cable and connect that to your body.

Then if somebody snatches your Tails computer away from you, then it executes that emergency shutdown fairly effectively.

So you don't have to worry about whether or not you'll be able to yank it out at time.

Tails, Qubes, and then yeah, Windows, macOS and Linux are all supported with the GUI.

Super random.

Does it support Chromebooks?

I haven't touched Chromebooks because they seem pretty locked down, not very useful.

Good question.

Can you run Python on a Chromebook?

I don't know.

There's probably a way to do it.

There's a way to do a lot of things.

People even install Linux on Chromebooks, depending on the model.

But it's okay if we don't know.

If you can run Python interpreter and if you can install, if you can download the Python libraries, then you should be able to use.

Then the question is the triggers.

You should definitely be able to open the app.

I don't know if Chromebooks use X screensaver or some of the other locked screens.

It should support shutdown.

But yeah, anyway, if there's any watchers who have a Chromebook, please try it.

Let me know.

And if it doesn't work, open a ticket on our GitHub, and I'd be happy to look into that.

Well, I need your help, though, because I don't have a Chromebook.

Yeah, just a quick search.

I don't see anyone who's looked for this.

So I don't think it's going to be a super popular search term, but I was just curious.

Yeah, I guess just to zoom out a little bit in terms of like overall privacy and maybe tailoring this more to the average person.

What got you involved into privacy and advocacy in general?

Again, I mean, I was I was super passionate about the Internet.

This egalitarian method of bidirectional communication and a lot of the early protocols did not have security in place.

You know, like I would like to be able to send my credit card to my lover and like say, hey, you can pay with dinner for this.

You can pay for dinner with this.

Something like that.

It shouldn't be, we shouldn't have to think especially about what PII and what is not PII.

Like we should just be able to use tools that we can send whatever we want because we know they're secure.

And I don't know, for some reason, that was just always very inherently important to me.

Yeah. And then how do you think the space has kind of evolved since you felt that way?

Are you happy with how things are going now in 2024, almost 2025?

Or are you?

Well, there's, you know, there's some legislation anti-encryption that I'm certainly concerned about.

I would love to see like constitutional protection for encryption.

Like we have, you know, we have like a Bill of Rights.

It would be nice if we would add to the Bill of Rights that it's not allowed to block encrypted apps.

But, you know, at the same time, pre-Snowden, when I was ringing on the bell saying,

people can watch your Facebook, people can read your emails, I was the tinfoil hat paranoid person.

But after Snowden, we realized that, yeah, this is normal and Let's Encrypt came out.

Facebook started turning HTTPS on by default.

So yeah, certainly things have changed a lot.

I'm very happy about that.

But we can't let our guard down because it's always a risk that we'll lose the freedoms that we have.

Yeah, out of curiosity, because it sounds like you've done a lot of traveling.

What's been your opinion of how people view privacy and digital rights between different regions that you've been in?

It varies a lot.

I would say that a lot of people just do not care.

A lot of countries have a lot of requirements for you to give your PII in very insecure ways.

And most people just don't care.

It's pretty sad.

But has there been any place where you felt it was better?

Yeah.

Surprisingly, the U.S. isn't that bad.

There certainly are problems in the United States, but also Germany.

Germany has some very good laws.

For example, if you do Google Street View,

like maybe your listeners can do this as an experiment,

just like drop a pin somewhere in Berlin

and like drive around with Google Street View,

you'll see whole blocks are just blurred out.

Like whole buildings, not like somebody's faces

and a license plate, the whole thing just blurred out

because they have some very strict laws

about cameras and public spaces there.

I didn't know that was why.

When I was in Berlin,

I was actually trying to locate some areas

and that was a massive issue of mine.

So I can actually speak to this.

But definitely experiment on your own and see what it's like.

Are there any other locations you've seen like Germany that seem to have a few more, I guess, forward-thinking privacy views?

I'm sorry to say that the majority of my experiences have been on the other side of the spectrum where I was just surprised that the culture did not value privacy.

Yeah.

Why do you think Germany is like that?

I've seen a lot of, I know, I interviewed Hanna from Tuta, which is a German company, and she definitely cited a lot of history in Germany that would result in that.

But do you?

Yeah, exactly.

It's the Stasi.

Yeah.

That makes sense.

Regarding privacy, I feel like something that a lot of people don't consider.

So people, usually the people who say, I have nothing to hide, are also being extremely inconsiderate.

For example, when they hand over their device to authorities, because it's not just your device, it's not just your information on your device.

It's also the information of other people on your device.

All your communications.

But in order for me, I think ethically, for me to hand over my device with my own PII, a device that I own, I would need to get consent from every single other person I've ever communicated with.

Because you don't know what their situation is.

Even if you're just sending a message casually to somebody or even a missed call, that could be a refugee.

That could be a domestic abuse survivor.

And you could be literally putting their life on the line.

And I feel like we have a common defense where we describe how, of course, everybody has something to hide, but we don't focus a lot on other people's data and how you are responsible for them and how irreprehensible it is to give up their data as well.

Have you heard of Carey Parker from Firewalls Don't Stop Dragons?

Oh, I have not.

He runs a podcast and he also writes a book called Firewalls Don't Stop Dragons.

And I'd say the target demographic is just very beginner people.

The book is meant for someone who's never touched privacy or security and just wants to learn the basics.

And I think the first, the book starts with this concept of privacy isn't about you, it's about we.

And I think it's a really important topic because it really shows the interconnectedness of if you're not communicating securely, it doesn't just impact you, it impacts everybody else around you.

If you're enabling iCloud backups without end-to-end encryption, even if you're using end-to-end encryption, you might still be, you know, exposing someone else's messages to Apple, even if they're not even doing backups.

So it's a very widespread problem. And I think a lot of people in our community, even, it's very common for people to only see what they can do.

And I think that's super important because most people don't even do that, but they always forget the more network effect of it, too.

So I'm really glad that you brought that up.

How's it been with, I guess, people in your life?

Are they receptive to advice or the things you want to do?

Are there any challenges that you commonly stumble on?

Yeah, a lot of, I have mixed, right?

I do lead operations security training courses, and a lot of people are very receptive.

If somebody tells me that they want to attend one of my, like, one hour long operations security

training courses, then things are pretty good.

But there are other people that just don't care at all, and they think I'm paranoid. And, you know, like

I can cite the same thing, like that we have, it's not wearing a tinfoil hat when you're

reading the top secret documents that the NSA released, which they don't refute. Like if you

read what happened in the Church Committee, like it's not tinfoil hat to be aware of these

sorts of things. But some people, I don't know, for some reason they just close off their ears

and it's not even that they don't care,

but yes, I do have some people that think

that I'm just completely insane.

Yeah, it's going to happen.

I haven't stumbled on it as much as I thought I would,

but I think it's one of the most difficult things on my end.

People almost think I'm different than them

because of the channel, right?

Because it's something that we do

and it has popularity.

For some reason, that makes it more legitimate

in their view, which I think is really malicious in a lot of ways. Because ultimately, like what

I'm talking about, I think if a lot of other people said it, they would, and not even in the

context of you, but like if my friends share what I say, but it comes from their mouth,

it comes across as differently as if something is a little bit more established. And in that case,

I think that what you do with Buskill is very legitimizing for your points and what you're doing.

And that might actually help you in some ways, but it shouldn't make a difference. Because like

you said, the information is out there. It exists and tuning it out doesn't really help anybody.

Well, I do want to say that I do appreciate skepticism. And it also speaks to your credibility

that people take what you say more truthfully. I guess to kind of start entering the final stages

of the interview, I kind of wanted to just get some of your thoughts about maybe people listening.

I always kind of like to ask people, or I guess not always, it's a new thing that I'm trying to

ask people, like, what are some of your go-to privacy tips and security tips for people who

might be listening to this for the first time? Maybe they just read about Buskill and they

entered this interview. What do you normally suggest to those people?

Usually, so in my operations security training course, it takes about an hour. It's pretty long,

but I always tell people that if they get nothing else out of it, if their eyes are going to roll

back in their heads, I always snap at the password section and try to get their attention to say,

If you get nothing else, use a password that's longer than 20 characters.

Use a unique password for every account.

And then, of course, I follow that up with, yeah, that's insane for me to say that you have 100 accounts and you have a unique password that's 20 characters long for each account.

That necessitates KeePass or some password manager.

So I would say the most important thing is, yeah, to protect your accounts with strong passwords, random passwords generated in KeePass.

And then the thing after that, of course, is two-factor authentication.

Really cool. Actually, this is super random. Speaking of KeePass, I just remembered that some KeePass clients integrate with security keys.

Has there ever been a consideration to add some kind of FIDO integration with Buskill so that when you plug it in, it also functions as a security key?

You mean to unlock your computer?

To unlock or actually function as like how a YubiKey would on websites.

Well, so there are people who have already done that.

There are people who use YubiKeys for Buskill

because what the device that,

what the USB device that enumerates in Buskill is

does not matter.

I mean, you can buy a cheaper,

this cable costs $100, sorry,

this cable costs $50,

and then the whole kit,

which includes the rest of this, is $100.

But if you want, you can just use your own device.

And some people do that,

and I have seen some blogs on the internet

of people using YubiKeys.

As for unlocking the machine,

I wouldn't condone that.

I don't know if it's possible.

I think it might be.

But in general,

I think it's an abuse of hardware security keys

to go passwordless.

I think hardware security keys should be used

for two-factor authentication.

And unfortunately, I do see a lot of rollout

where people just use it as one factor.

So Buskill isn't the first thing in the world that can lock your computer when you step away.

Before Buskill, there's a lot of radio-based solutions. There's a lot of apps you can download

such that when Bluetooth from your device to your phone is disconnected, it

automatically locks. Unfortunately, that's extremely insecure because most of them are designed to

unlock a computer when you return. That's just terrible. That doesn't... I mean, okay, everybody has

their own risk models. Everybody has their own cases that they need to protect against. But

Buskill is not designed for those sorts of people. Also, like radio, Bluetooth is notoriously

flappy. So there's a very long delay to cover false positives. So it's going to be delayed.

If somebody steals your phone, they'll be able to unlock a computer. If somebody gets your YubiKey,

like they could just steal your YubiKey once they steal your computer and plug it in. That

appropriate for Buskill. Right. Okay. But as a 2FA method, it is possible because that's how I use

my YubiKey is as a 2FA method. So theoretically, someone can use the YubiKey to use it as MFA

when they're logging into a website and it's still integrated with Buskill at the same time.

Absolutely. Yeah. If you're asking about unlocking your computer, that's different. But just for

logging into a website as you normally use it, of course, yeah, this Buskill cable is basically just

a USB extension cord with a magnetic breakaway in the middle. So you can use it like if you wanted

to, you could use a webcam with this. And then when the webcam is disconnected, Buskill will

still trigger and the webcam will function normally. A YubiKey as well. What's the balance of, I think

this is a situation where security through obscurity might be somewhat important. Do you think that it

might jeopardize someone if you see someone in a cafe with a Buskill that they might be more of a

person of interest than if you're just a regular person at a cafe.

For the person that recently commented on /r/netsec, somebody said that like Buskill is

no longer a useful tool because everybody knows about it. I disagree quickly. I mean, this thing is

like, it's not obvious at all. It looks like a power cable or any other USB cable. It's just a

black cable that runs down. This is connected to your body. So like in your pants, it just looks

like a key ring. No, I don't think that Buskill is obvious that you're using it. I mean, the only

thing, if you look very, very closely, you can see that it says Buskill in the injection mold print,

but like, you would not be able to see that. You could put stickers on it. There's ways to

obfuscate it. But I guess, aside from just, let's say it was obvious, let's say you went with a clown

design, it was all rainbow and it, you know, Pennywise was on the end of it. Would that still

pose any like additional risk? Do you think? Because in my view, I could see it go either way.

I think that the device itself is almost legitimate enough where what's someone going to do,

even if they know you have it, if they take your laptop, it's still going to trigger some kind of

shutdown. Yeah. The first question on our FAQ is like, what if somebody else buys a Buskill cable

and they insert it, it doesn't matter.

It's going to trigger even if there's two,

if it's like a second Buskill cable

and one of them gets disconnected,

it's going to trigger.

Any USB removal event is going to cause Buskill to trigger.

So again, this is why we go with a cable

instead of these radio or Bluetooth-based solutions

because, of course, you can do radio jamming attacks,

you can do a replay attack

if you're using a wireless solution.

This is a wired cable.

Even if they get a knife out and they cut the cable,

that's going to cause a USB removal

because the connection is set.

So, no, it's really hard to imagine a way in which they would be able to take advantage of the fact

that they know you're using a Buskill cable. Got it. And then, sorry, to go back a little bit more

to advocacy. So, you recommended password management as kind of a go-to step for a lot of people. So,

it sounds like you recommend KeePass. Are there any more, like, cloud-based password managers,

like more traditional ones that you like?

I'm not an expert in cloud-based password managers.

I think that using a password manager

is better than using a password manager.

Certainly, if you're using a good open source one,

but I would caution people against it.

I mean, again, better to use something than nothing.

But if you can get away with just an offline KeePass manager,

I would recommend that.

And then if you have issues with syncing, you can use a third-party tool like Syncthing

to make sure that your password manager is in sync on your multiple devices.

Nice.

When we hopped on this interview, you mentioned you don't have a phone.

Do you mind diving into that a little bit?

Yeah.

So this is actually, if you check on NovaCustom's forums, I recently asked the founder there

if they would be interested in the future of designing a phone-like device.

I think I phrased it as a tablet but the size of a phone.

So my biggest fear, my biggest concern with the surface area of modern day phones is the broadband processor. This is a, like, by FCC laws, right, like if you, and Buskill as well, like, we had to put this USB drive inside of a special test room and make sure that it wasn't emitting radio frequencies that were in violation of the FCC laws and UK regulations and all of that.

These things are expensive. Broadband processors typically must comply with these requirements,

and as a result, they're closed hardware and closed software. These processors are similar to

the Intel management engine in that they're a separate processor, but it's worse than IME in that

they can communicate to cell towers, and cell towers are everywhere, unless you're living inside of a

Faraday cage. They can receive commands wirelessly from, you know, from cell towers that are ubiquitous

and exfiltrate data from your device

or download malware on your device.

So there's a really great...

I don't know, can I recommend another podcast?

If your listeners are not familiar with Darknet Diaries,

check that out.

There's some really great episodes

in which they interviewed Citizen Lab.

Citizen Lab is a Canadian NGO

that has done some amazing security research

into one of the most ubiquitous pieces of malware on phones called Pegasus,

sold by an Israeli cyber mercenary company.

And almost, so like they can hack your phone often through WhatsApp

using zero click vulnerabilities.

So obviously like don't open attachments,

but like they have vulnerabilities where they sell to some very gnarly,

not so nice people that can be zero click, right?

So they just have to find you on WhatsApp and you don't have to click anything.

They don't even have to send you a message and they can own your device.

Historically, I have not found any,

a lot, let me say,

the majority of those that I have heard about

these vulnerabilities on mobile devices

require a phone number or a SIM card.

So you've significantly reduced

the surface area of attack from your adversaries

if you have a device

that doesn't have a broadband processor in it.

So I actually, I do have a cell phone,

but I do not put my SIM card in it.

And I recommend others,

if you can get away with it,

if you can, so like,

this is a problem with Signal, right?

Signal requires a phone number.

But if you can get away with using Google Voice somehow to set up Signal,

if you can get away with somehow not putting a SIM card in your phone,

I feel like it's the same level of jump in security and OPSEC from, like,

Linux to go from Android to Android without a SIM card.

Yeah.

No, it's a really tough thing to do.

Luckily, at least Signal is super non-discriminate towards VoIP numbers.

So you can use even pretty crappy VoIP numbers that are even reused and stuff with Signal.

They don't seem to really care.

But that's not the same for other accounts.

I mean, if you have a bank account and they require a phone number, I think that's where

a lot of people are going to stumble on issues.

I am kind of in a hybrid situation right now.

I still need a cell plan on my phone.

I haven't figured out a good enough workflow where I can go without a cellular plan.

But I don't use the number for anything anymore.

and it took a long time to get there. So that number is pretty well hidden. And even the phone

plan is registered to a different name. But I'm sure if someone really wants to figure it out,

they could. So it's not like a foolproof thing, but I'm getting close, but it's a really hard thing

to do. So I think the fact that you did it is pretty impressive to some extent. Yeah. Well,

yeah. So two things in response to that. One, the first thing about Signal, like VoIP,

it's great that that's possible, but then what happens if it's a reused number? And if you don't,

You have to pay a lot of money unless you're lucky enough to live in the US and be able to have a Google Voice account for free.

You have to pay a lot of money. And then if it's a reused number, somebody else can just steal your account from you.

I think it was something like three days. There's like a really small window.

Like if I could get it and be sure that it's going to be mine for like a year, that would be better.

And then with the banks, so my biggest concern about giving a phone number to the banks.

So when I worked for a bank, I would prevent people from putting their phone numbers into

accounts because we were just being phished like crazy, man.

My fear is that once you give a phone number to a bank, even if they're not using two-factor

authentication through SMS, at some point in the future, they might start using your phone

number for two-factor authentication.

And then somebody could steal your account through a SIM swap attack.

So I just have a policy where I don't...

I mean, it sucks, though.

I'm running into so many problems with banks who are just refusing to give me a bank account. Or

now it's a thing where they have a phone number is required and they use these third-party

credit checks. But it's not like these common, it's like these new AI machine learning systems,

and they see that I'm using a bullshit phone number and they immediately ban me as if I have

bad credit. I'm really struggling to be able to even open a bank account without a phone number.

Yeah, I've had issues with similar things, but also with addresses, getting rejected for credit applications and stuff.

Literally cited reasons are being we couldn't verify your identity.

And so that's been a common issue that I have heard from multiple people now, not just you, just across the board trying to open bank accounts and stuff.

So I don't know if it's going to get better.

I'm hoping that it can't get worse because it seems like it can't get much worse than this.

I mean, yeah, I don't know.

I'm not too optimistic.

But it feels a bit like Nosedive, you know, that episode of Black Mirror.

Yes, that was one of my favorites.

It was a good one.

Yeah, that was the first one I saw.

So good.

Yeah, yeah.

I actually had to stop watching Black Mirror.

I got through the first, I think, three seasons.

And then the last one I watched was the horror game one,

where the traveler guy does the horror game and he goes in the house.

And I was done.

It was just too much. It was just exhausting.

And I think I watched them too quickly back to back is really what I did wrong.

Yeah, it's really like it's impressive.

And my partner also would struggle in watching them, my ex.

It's like it's so effective at pulling your strings.

Like how their depiction of dystopia is so real that it's very hard for many people to watch.

And I'll warn you, the last season is more horror than it is like the same sort of dystopian techie thing.

So maybe it's not for you.

Yeah, I don't know which one did it.

I think honestly, it was just the horror is probably easier for me than a dystopian tech thing.

But after just watching back to back episodes, that just that just ended it for me.

Now, one quick thing you mentioned, the proprietary cell stuff, I think even this is a misconception.

I do not condone the device because I've actually had a lot of issues with the company and even getting a device and the whole reservation process.

But even things that are advertised as like open source hardware, like the Purism Librem 5, even they use proprietary chips in their devices with like the, I believe it's still the cellular chip.

It's really hard to do that stuff open source.

I don't think that it exists.

I mean, it's theoretically possible.

And the same thing for like HSMs.

You know, are you familiar with HSMs?

No.

So it's a hardware security module.

If you want to store, like, let's say you happen to be a cryptocurrency bank and you have billions of dollars worth of crypto assets from your customers, and you want to store that securely, you're not going to store it on a disk on a server.

You're going to store it inside of a hardware security module.

This is a device that is extremely secure, very highly regulated.

Some of them have, like, so they're also frequently used in ATMs.

So, like, they have private keys on them.

They need to be able to sign transactions and such.

and they have tamper detection.

So like if they notice too much vibrating,

like somebody is stealing the ATM,

they will wipe their private keys

that are stored secretly.

So like a YubiKey in the sense

that you cannot extract the private keys,

but also like just way more hardcore

with all these sensors

that will like cause themselves

to wipe themselves

if they think that they're being fucked with.

So open source HSMs

is one of my favorite questions

on Stack Exchange is asking like,

where are the open source HSMs?

And then some people like respond

saying like there are no open source HSMs

and like regulations would never allow for people to be able to make something like that

because it costs too many truckloads of cash.

Then I did some research and I found a great presentation at Shukon

of something presenting a bunch of open source HSMs.

So like, yes, these highly regulated devices absolutely can be made open source.

It does cost a lot of money.

Open source hardware is expensive.

That sucks.

I hope one day we have an open source BP, a broadband processor.

We don't, as far as I know, currently have one, but it's absolutely theoretically possible.

Nice. Yeah. And then I just wanted to clarify that it was either the main chip of the device

or the broadband processor that wasn't. But there was something that back when I was researching it.

I'm sure it's the BP. I do not think that there is an open source BP on the market. And you can't

blame Purism for that. That's just a market problem. Yeah. I hope that I have other things

that I am directly critical of Purism for just based on my experience. But that is not,

I hope that wasn't the criticism that I was laying out there.

I was just saying that even devices that try to be as open source as possible,

which they do try to do, and that's something that I really do admire about them,

they still couldn't do that because that's really hard to pull off.

Your listeners may not be aware, but I have an article.

You can check it out.

It's called Trusted Boot.

And it goes into the, if you're worried about anti-evil maid,

and you want to understand better how TPMs work and how Heads works.

What's evil maid?

So an evil maid is a, I'm not going to try to pronounce her name, the founder of Qubes OS coined the term evil maid and anti-evil maid.

So the idea is that you're traveling to a conference, you have your work laptop with you, you go out to get drinks and you leave your laptop in your room, maybe even put it in a safe.

But a maid obviously can get into your room.

And what damage could that maid do to your laptop if it's off?

And obviously, of course, if it's off, it's encrypted, they can't access the contents.

But what if they like swap the machine with a totally different machine and they could do a relay attack or something like that?

So anti-evil maid is a concept in Qubes that tries to prevent evil maids from being able to do harm in this sort of situation.

So Heads is a really cool tool that you can use to try to protect your laptop from anti-evil maid.

And it's bundled with a bunch of other things with Purism laptops called PureBoot. And I did

buy a Purism laptop. Also, I returned it. I was not very happy with it. But, um, you know, I got this thing

in a box. It was sitting there in a box for like two weeks because I was like, I, I don't want to just

like guess on how to verify this thing, because I wanted to make sure I was trying to defend against

interdiction, right? And I ordered it with Monero. They didn't have a dot onion site, but I did my

best to try to order anonymously. I'm pretty sure I succeeded with that. But it arrived,

and I just wanted to make sure that there was no tampering that took place between the time they

shipped from me in California to arriving at my doorstep. So it sat there for like two weeks with

it unopened, just me researching TPMs and Heads and the whole technology stack for the past 10 years

that brought us to Heads. And I published a very comprehensive article called Trusted Boot,

anti-evil maid, Heads and PureBoot.

If you just Google PureBoot,

Altfield, my last name, A-L-T-F-I-E-L-D,

trusted boot, you'll find it.

It's going to be number one.

I'm very happy to say that like the Heads project,

if you join the Matrix channel for the Heads project,

they have like their authoritative,

but his heads is my article.

So I'm glad I managed to get something right there.

It's a really good overview, but anyway,

I actually changed, it goes into detail with Purism,

but I recently changed all of my affiliate marketing

from Purism to Nova Custom because I was just not very satisfied with that purchase.

Yeah. And how do you feel? And I know maybe it's a bit biased because you've partnered with Nova

Custom, but what do you like more about Nova Custom than maybe other Linux laptops that are

out there? Is there something to do in particular or is it just like more of a value overlap between

your two organizations? So I can't, so like, yeah, full disclosure, I do sell Buskill cables to

Nova Custom. I first reached out to them some months ago,

somebody, some random person on the Matrix

Fediverse messaged me and he told me first about Nova

Custom because he was mentioning it as a Qubes-

certified laptop. I use Qubes. I have had so many

hardware issues. I had so many hardware acceleration

issues with the Purism laptop that I received. It was

almost unusable.

And when I went to the Nova Custom website, I saw that they had a Qubes OS to support laptop,

which was a great thing.

That was the first time I heard of them.

And so I reached out to them about possibly changing my affiliate links from Purism to Nova

Custom.

And he told me he already knew who I was, which is really cool, because he read that article.

And at the very bottom of that article, I described a process of anti-interdiction that

that Purism uses where they paint glitter fingernail polish onto the screws of your laptop.

So Wessel saw this, the founder of Nova Custom saw this, and then after that he created anti-interdiction

services for Purism.

So that obviously warmed my heart.

That was great.

Their communication has been great.

Sorry, what did I say?

Yeah, for Purism.

But I think my people got it, not to interrupt, but sorry, go ahead.

Yeah, and also the communication has been great, but I should say that I have never touched

a Nova Custom laptop in my life.

I hope, I mean, I ended up returning that Purism.

I bought just a ThinkPad, unfortunately.

And then maybe one day when this thing dies

and I need more than 32 gigs of RAM,

I'll look into Nova Custom.

But I don't know, you tell me, how does it feel?

It feels really nice.

I've been really impressed with the hardware.

And first, he actually, Wessel,

this interview is still going to come soon,

but Wessel actually touches on this glitter method

because it came up in our interview a little bit.

But yeah, the Nova Custom laptop

has actually been really awesome.

and I've been really enjoying it.

The hardware was awesome.

Really impressed out of the box.

I'm for better or for worse.

There's a lot of issues I have with Apple,

but I generally really like the way Apple approaches hardware.

And I think it's really well built

in terms of just the way it feels in the hand

and kind of the keyboard and stuff like that.

And I've been able to like cycle back and forth

between the Nova Custom and also the Apple situation.

And actually it's really good.

So really love the Nova Custom setup.

So Michael, where can people find you online

if they want to connect with you or Buskill?

Yeah, so if you want to follow Buskill,

the best place to go is our website, buskill.in.

And then at the bottom there,

you can find all our social media.

If you want to subscribe on Mastodon,

you can find us there, again, on our website.

We're on GitHub, we're on Facebook, we're on X,

we're on all the things.

If you're on Reddit, slash r slash buskill.

But again, yeah, the best place is just to go

to our website, buskill.in.

And if you want to follow me,

specifically Michael Altfield,

my name is the same on all those platforms.

Go to my website, michaelaltfield.net,

and you can find all my social media there.

Again, I'm on Mastodon, Twitter, whatever.

Well, I want to thank you, Michael, for tuning in today.

This was really awesome,

and I can't wait to hopefully have you on in the future.

It was a real pleasure to have you here,

and I hope that people got value from everything you said.

Thanks, Henry, so much for your time.

And with all of that said,

I want to thank Michael for his time,

and I'll leave links to everything he works on

down in the description.

If you learned anything from this

and you want to support these independent interviews

where I invite cool people on who work on cool things,

you can become a Techlorian down in the description.

We are on Patreon.

You can do it directly via us and Stripe on the forum.

We also support Monero tips and many other things

that you can do to support what we're doing.

If you have anyone in particular that you want to see interviewed,

you can always leave that down in the comments as well

as we do check those out.

And of course, leave some love if you learned anything new

or want to just share this around with somebody you know.

Thank you all for listening,

and we'll see you next time on Techlore.