← Back to signal log

The Dead-Man Switch: Automated Network Severance

How KillNode's dead-man timer works and when you should enable it.

What is a dead-man switch?

In hardware safety engineering, a dead-man switch is a control that must be actively held or periodically reset by an operator. If the operator becomes incapacitated, the switch fires automatically. The original application was train throttle levers — release the handle, the brakes engage.

In KillNode, the dead-man is inverted: instead of requiring you to actively maintain it, it watches a condition (Tor connectivity) and fires only when that condition fails unexpectedly.

How KillNode implements it

When you set the dead-man timer to anything other than off, KillNode registers an internal callback on the Tor process.

If Tor exits for any reason that was not initiated by you (the Stop button), the callback fires:

  1. A toast notification appears: *"Tor disconnected — dead-man timer armed (Ns)."*
  2. A setTimeout begins counting down N seconds.
  3. If Tor does not reconnect within that window, executeFullKillswitch() runs — the full ordered teardown: proxy stack, Tor, OS interface severance.
  4. If you manually restart Tor before the timer expires, the countdown is cleared.

The dirty-shutdown flag

When Tor activates, KillNode writes _torActive = 1 to the SQLite settings store. When Tor stops cleanly, this flag is cleared.

On the next launch, if _torActive = 1 is still present, KillNode knows the previous session ended uncleanly — app crash, SIGKILL, power loss. A warning toast appears: *"⚠ Unclean shutdown detected — Tor was active. Verify your network state."*

This does not automatically fire the killswitch on restart, because the machine may have rebooted and the network is already clean. It is a notification, not an action.

When to use it

Enable the dead-man if: - You are in a high-risk environment where Tor connectivity is a hard requirement for your session. - You need your network severed automatically even if you cannot reach the machine (e.g., remote operation). - You are leaving the machine unattended and want network isolation as a failsafe.

Leave it off if: - You are using KillNode for everyday Tor browsing and intermittent disconnects are acceptable. - You are on an unstable network where Tor drops and reconnects frequently — the dead-man would cause repeated unintended killswitch events.

Recommended settings

| Scenario | Timer | |----------|-------| | Active session, high sensitivity | 30 s | | Unattended machine | 60–120 s | | Unstable network, tolerance for brief drops | off or 300 s |

After the killswitch fires, use the Restore hint button for platform-specific recovery commands.
← All posts