
That's actually not true. It can do nothing about M of N cryptography. (That's when a key is broken up such that there are N parts, and at least M (less than N) are required to decrypt.) It doesn't matter how many rubber hoses you have, one person can fully divulge or give access to their key and it's still safe.


I always giggle a little when really smart people forget thugs exist and do what they’re told. If that includes breaking the knees of M people to get what they’re after, then M pairs of knees are gonna get destroyed.

This isn’t hard to understand, but it’s easy to forget our civilization hangs by a thread more often than any of us care to admit.


I don't remember the provenance of the quip, but somewhere at a DEF CON or a HOPE, I heard, "The point of cryptography is to force the government to torture you."


They're perfectly ok with that, and depending on where you live this may happen in more or less overt ways. If the government wants your information, they will get your information. Your very best outcome is to simply rot in detention until you cough up your keys.


Now that I think about it, I'm pretty sure it was a session about root zone security, and Adam Langley was in the room. I was thinking, damn, kinda sucks to be the guy that holds Google's private keys. They want someone's information, so they let you rot...


power in numbers

can't torture us all!


Are we deep enough in the thread for the customary reminder that each measure makes it incrementally harder to attack a system?

(Including a system of people.)

Even nation state adversaries don’t have infinite resources to allocate for all opponents.


I think you can probably get away with only breaking one pair of knees and sending a video of it to the other people.


YouTube would delist that before they could all see it though.


You know there are other ways to have a video and send it to people than YouTube, right? You can just email a link from dropbox or gdrive, or an attachment, or send a WhatsApp/Telegram/etc. message, send a letter with a USB drive, etc.


Yes. It was just a dumb joke :/


> You can just email a link from dropbox or gdrive, or an attachment, or send a WhatsApp/Telegram/etc. message

Why do you think governments are demanding those services give them access to quickly remove "misinformation"?


Any organization that is really really serious about security will obviously keep at least N-M+1 folks, along with their family, in other countries.

Which is a much much higher bar to clear for any would-be rubber hose attackers.


Your secrets aren't really safe unless Xi and Putin each have part of your key personally memorized.


That’s hyperbole


Let's say, for example:

Bob, Jon, and Tom have pieces of the key. Bob and Jon are in the US and arrested over and commanded by a court to give up the key. Tom is the holdout. The US will issue an international arrest warrant, and now Tom can never safely fly again or the plane will be diverted to the nearest US-friendly airport where they will be extradited. So, yeah, "safe" is very situational here.


Doesn't Tom's key fragment have to be on a disk somewhere for things to work?

That's the actual weak link to attack.


That situation just requires a longer hose


Or M hoses.


and more beatings.


Sure, so you hit all of the people that have all of the pieces. Problem solved.


Or you publicly announce you're hitting 1 of the N people with the rubber hose until M-1 of the other people send you their key fragments.

It's not like these keys are shared among disinterested strangers who have no attachment to each other.


Somehow, somewhere you've just influenced a megacorp's internal crypto process.


This probably works if each person has a cyanide+happy drug pill or a grenade and is willing to sacrifice themselves and the rubber-hoser(s). I think that requires a rare level of devotion. This process must also disable a simple and fragile signalling device to let the others know what's coming.



