Dead Man's Switch (deadmansswitch.org)
except for hosting the service in NSA country
This particular implementation transmits sensitive data in the clear and does the encryption server-side, so it's hard to take it seriously except as a remote (and unsecure) notification service.
Aside from that obvious shortcoming, a truly secure and reliable DMS system would need the following properties, possibly more:
1. All data encrypted client side and sent to system only in encrypted form
2. Anonymous
3. Distributed (no single point of failure for DDOS attacks or subpoenas)
4. Any data sent into the DMS system is split into several pieces and only reassembled after the set time without a response has elapsed and the switch is triggered
A peer-to-peer application that transmits data exclusively via TOR would probably be most secure, but it's unclear what the motivation for running an instance of this kind of P2P application would be (since it's all encrypted you aren't downloading anything useful) or how many people would actively participate. Any server-based system would need to have a large number of servers in multiple countries to be robust to technical and legal challenges, and that sounds expensive. At the same time, a reliable and anonymous DMS system is something that I can see people paying a small subscription fee for.
Any way you slice it, it seems like there are a lot of hard problems to solve in this area, but a reliable DMS service would be extremely useful.
That party could be the dead man's switch service, but do you want to trust them? I wouldn't. (Nothing against the operators of this site. It's just inherently risky to trust a website operator in this type of situation.)
Alternatively, the key can be given in advance to the files' intended recipients via some secure channel. For example, suppose Alice wants Bob to receive the files upon Alice's death. Alice can deliver the decryption key(s) to Bob in person, electronically with PGP, or in some other sufficiently secure manner. But in this scenario, Bob has to know about Alice's deadman's switch in advance.
So I'm wondering: Is there any way to do this a) with encryption, b) without entrusting the keys to the operator of the service, and c) without informing the recipients in advance?
DMS #1 and #2 (Assuming there are several 'providers' in the 'market') would need to collude or both get hacked in order to compromise the secret.
If there are more DMS services, the key can also be split between them. And I believe there are some key-splitting algorithms that even help this process further.
Give half the key to the service and half to your friends, then you're only vulnerable to a conspiracy between them. Or do some more elaborate m of n thing.
Incentivising P2P applications is one of the interesting problems Bitcoin could solve.
People have talked about building P2P storage applications using Bitcoin, which is essentially what this would be, except if you stop paying into the network the files should be transmitted to some 3rd party of your choosing instead of being destroyed.
Perhaps some splitting scheme such as Shamir's Secret Sharing could be layered on top.
One may say this is too complicated and the layman wouldn't know how to do this, but laymen wouldn't have the need for this. Anyone who is not satisfied with the given service, must have the power and will to change it to their needs.
There's an endless number of possibilities as to what could happen in order for me to not be able to go online and verify with that link. Why would I put myself through the stress of potentially forgetting and now I have to worry about the secrets of my dying breath being released to the public while I'm still around?
If I wanted anything to be taken care of I'd feel much safer keeping it in offline storage with a note attached.
What I think you should do is have a tiered level of notifications. For example an email every week is the first round of notifications. Then I wonder if you could pull my last login info from major services that are going to be around for awhile like Amazon, Google, Apple, Facebook (debatable), and if I haven't logged into any of those services in 1 week, then go to the final round of notifications which is an in-person phone call.
Consequently anything that relies on a reply to determine if someone is still alive (even with notifying relatives) simply isn't going to end up solving the problem.
In the event anything happens to you the other key is sent to those people allowing them to decrypt it.
Service can't access your data as it only has one and same for trusted person.
I'm sure something like this already exists (and tbh the level of effort required to set it up pretty much makes it unlikely to catch on) but it is theoretically workable.
http://www.freebsd.org/cgi/man.cgi?gshsec
Want to set up a "2 of 3" (or similar) scheme? You could use, for example, a three-disk RAID5 using USB flash drives.
Obviously it's still a problem, but the problem isn't just "I need someone to do this stuff if I die". Rather it's "I need someone I can trust absolutely to do this stuff if I die".
By trust absolutely I mean:
* will not abuse it.
* Will not even look at the data I submit and can guarantee this.
* will not get hacked and/or can guarantee my data's security if they do get hacked
* won't get bored with this hobby. Which leads to:
* will be there in 1, 10, and 50 years - or can 100% guarantee orderly step down if they don't make it.
More basic short term considerations that also are not addressed by this or any other service:
* what if their server is down or under DDoS when I try to confirm my living state?
* What if I can't get to a system and miss multiple emails?
These services are a good idea but there is a lot to be done before they can be considered as solving this problem.
I'd trust a "random" website further than google or similar.
Just run this service for a few years without actually encrypting the data, then charge $20/month to NOT release the information.
Google Inactive Account Manager https://support.google.com/accounts/answer/3036514
And for sending emails in the future:
Boomerang for Gmail https://chrome.google.com/webstore/detail/boomerang-for-gmai...
I don't know why people bother not just httpsing everything if they have the cert. It avoids these types of worries and appearance.
Does anyone know what happened with the woman who put up a post on Facebook (I think) saying that if people didn't hear back in a certain amount of time, she had last been to visit some guy? I am having a hard time finding the HN link.
It's bad enough to trust any confidential information completely to a third party, let alone a website that could lose your information or go defunct in a few years. At least disclosures to attorneys are legally protected to the n-th degree, and the business is brick-and-mortar with a known location.
Add to that the fact that a regular e-mail is something that could easily be forgotten about, caught by a spam e-mail, lost when you switch accounts, etc. The problems with this idea are endless.
My idea was to open a security box in a bank that contained hand written keys to open an encrypted password store in some publicly accessible location.
If I died, that security box should go to the next family members who would be the only ones that can get access to it.
I fear there are loop-holes in that idea now..
What if you looked up caching 'best practices' for how to safely store items for in the weather, then stashed your valuable information somewhere nobody would find it. Keep track of the location the same way you would a geocache, but obviously don't publish it publicly. Then all you need to do is leave the cache-retrieving information in your legal will and the right people will have access to it at the right time, and it's as safe from prying eyes as you're ever going to get in the meantime :)
If I come up with something I can't tell my wife while I am alive, I will probably just put it in my will.
* I have to constantly check my mails to prove I'm not dead
* The other person's mail will without any doubt change if I die in 10+ years
* Can this service live up to 50+ years? I'm really doubting that as well.
It nag mails you so you don't forget. Otherwise, add a reminder with a link to click on on the first of every month.
> * The other person's mail will without any doubt change if I die in 10+ years
You'll be clicking on this thing every month, I'm pretty certain if your SO's email changes you'll update it at that time.
> * Can this service live up to 50+ years? I'm really doubting that as well.
It only needs to be up when you die, again, you're clicking on this thing every month, if the service dies and you find utility in the concept, you'll find a different service to use.
That's a huge problem. You tell me I have to click on a link at least once a month for the rest of my life.
First, I don't know if I'll have the same email for the rest of my life, if I change I'll have to think about changing that notification, that will have become spam in my mind.
Second, there surely will be a month in my life where I won't check my mails.
I can't think further, the thing has become a "hassle" that I have to constantly check and correct if someone changes their mail, or in case it would think I'm dead, and this, for the rest of my life.
IMO there are better solutions for this type of problem, we just haven't found them yet.
I would love to see a system which allows your heirs to access online accounts without having to fear that a simple government request will hand them everything they need on a silver plate (including stuff not obviously related to you).
Probably physical objects need to be involved (code on paper etc) but then again how to make sure the next best burglar doesn't get the prize of his lifetime.
Does anyone know of such a solution?
Does anyone know of such a solution?
Put it in a safe deposit box at your local bank?
All my online logins are long random passwords stored in either 1Password or my phone. I've considered writing up my password (to 1PW), and computer unlock PW, and dropping it in my safe deposit box, updating it monthly or whenever I change those passwords.
Any good reason not to?
Certainly it's the best bet against criminals
I coded something like this myself a while ago. You can run it on a server or a local computer. The data is encrypted, no need to trust third parties:
Domain is freely available again, I gave up on the project and rolled the useful code into something else.
I mean obviously the imagination readily conjures up movie scenarios, 'if anything happens to me your nefarious plans for world domination will be sent to the New York Times!' but in real life the evil overlord could counter that in half a dozen ways.
Is anyone here looking to use such a service, and if so, for what sort of purpose?
You can reset the switch in any way you like, I was playing around with emailing through single-use codes and port knocking and so on. One I never got around to trying is a basic phone check: You have a cron job that scans all bluetooth devices within range and checks for your phone's MAC address. If it's there, it resets the timer. If you're out of physical range (or turn off your bluetooth) for too long, it triggers the switch.
Not quite what you described but it does perform some of the same function.
I almost imagine doing something like this in a physical system is easier than at the cryptographic level, but that probably is to be expected considering my physics background. I mean, using quantum phenomena seems to be an obvious way to do this, albeit completely infeasible at this time.
> c) without informing the recipients in advance
If you're willing to arrange the protocols with your recipients in advance, there are multiple viable approaches. But what if telling them in advance is itself a security risk?
It's probably going to be harder to force you to divulge a password in a court case than to just subpoena the piece of paper with your password on it and the computer with the 1PW database.
As a second thought, could lead to a slower, but much more interesting movie.
shrug from the point of view of someone who has opted in, this isn't a big deal. People don't change email addresses that often, and if you're the type who doesn't check email for longer than a month, then yeah, this isn't for you.
The bigger problem is that this service is hard to test. When you really want it to work there really isn't a second chance. Which means you shouldn't be relying on this thing 100%. It's best to put something in your will and instructions in a safe place.
Maybe you're not familiar with that kind of thing. Give it time, it will become a hassle to your mind and you will opt out at some point if the service hasn't shut down yet.
> People don't change email addresses that often
Did you have the same email address 10 years ago? If so woah, I don't know a lot of people who do.
> if you're the type who doesn't check email for longer than a month
I said at one point in life. I can see myself taking the Trans-Siberian for example, travelling through Australia, etc... for a month in a big adventure without internet.
It's hard to predict what's going to happen in your life. Being sure that you'll have internet at least once a month for the rest of your life is a ... extraordinary prediction.
> More than 15 percent of SSNs are associated with two or more people. More than 140,000 SSNs are associated with five or more people. Significantly, more than 27,000 SSNs are associated with 10 or more people.
Why would anyone use this...
<form method="post" action="https://deadmansswitch.org/userhome.html">
Email:<br />
<input type="text" name="email" /><br />
Password:<br />
<input type="password" name="password" /><br />
<input type="submit" name="login" value="Log in" /><br />
<a href="/createaccount.html" title="Create an account">Create an account</a>
</form>
Also, what does/can anyone do to prevent a MITM attack? Even if they sent an HSTS header or a redirect, they're still subject to that.
Well a better practice would be all HTTPS for the site. There are a lot of problems with this and I will probably write a blog post about it.
Everything about this site misses every best practice. 1. No CSRF tokens 2. Small secret tokens to trigger the switch. 3. passwords over http...
It's a joke.
<html>
<head>
<title>One...</title>
</head>
<body>
<center>
May you live in not too interesting dreams.<br>
Thank you and good night.<br>
</center>
</body>
</html>
... which would indicate they're gone. And the deadmansswitch.org has a footer that points to http://binarymonkey.com which has a 2008 copyright date. In one year the app's domain will expire which could be unfortunate if anyone expected an actual dead man's switch.
Yeah, it is. Especially since their cert is over a year dead.