[HN Gopher] Hit Me with a Wrench All You Want, I Can't Tell You ...
___________________________________________________________________
Hit Me with a Wrench All You Want, I Can't Tell You My Password
Author : cyounkins
Score : 21 points
Date : 2021-09-23 22:18 UTC (41 minutes ago)
(HTM) web link (cyounkins.medium.com)
(TXT) w3m dump (cyounkins.medium.com)
| [deleted]
| melony wrote:
| Craig, meet Contempt of Court.
| gjsman-1000 wrote:
| Not in the US - that's self-incrimination.
| toomuchtodo wrote:
| Case law is not entirely settled that forced disclosure of a
| password violates your fifth amendment right.
|
| https://www.reuters.com/business/legal/us-supreme-court-
| nixe...
|
| https://en.wikipedia.org/wiki/Key_disclosure_law
| flarex wrote:
| He must have been hit with a wrench already if he thinks that
| they wouldn't just have him type it out from muscle memory.
| [deleted]
| gcmrtc wrote:
| This happens to me with pins. Basically I don't remember the
| numbers, just the shape they form when entered in the keypad.
|
| I recently opened a new account with a bank and their app has a
| randomized keypad and now I'm screwed.
| croddin wrote:
| A Dvorak keyboard nerd's imagination: He doesn't know his
| password? Blast! Our evil plan is foiled!
|
| What would actually happen: Here is a Dvorak keyboard. Type your
| password or we'll hit you with this $5 wrench.
| munk-a wrote:
| Alternatively: Okay - the cops didn't find our hideout - let's
| burn a few days making this guy's life hell until he either
| cracks or unlocks his laptop. By the time we head out one thing
| will be broken - it's his choice whether it's his psyche or his
| encryption.
| choeger wrote:
| Bad for you, because no one with a wrench would believe you.
|
| Here's a thought experiment: You are a hacker with a 100% (to
| your knowledge) secure notebook full of company secrets. I am an
| attacker and I have your son/daughter as a hostage. I am asking
| you to unlock that laptop for me in exchange for your kid. What
| do you do?
|
| Do you really trust your failsafes enough to risk the life of
| your own kid? Or do you just unlock the goddamn notebook for me?
| prox wrote:
| How about a fake unlock (like a secondary password) that only
| partially unlocks an account or spoofs it with bogus intel.
| tyingq wrote:
| VeraCrypt hidden volumes look like a nice implementation of
| that: https://veracrypt.eu/en/docs/hidden-volume/
| tgsovlerkhgsel wrote:
| The author acknowledges that in the last sentence.
| derefr wrote:
| > Do you really trust your failsafes enough to risk the life of
| your own kid?
|
| I mean, the _right_ way to do it is with a precommitment to
| _preventatively destroying_ the thing the attacker wants from
| you, via some kind of dead-man's-switch. You don't let your
| future self make the decision of whether to give up your
| secrets; your hypothetical future self is under duress. Your
| present self is not, and therefore knows better.
|
| Of course, they still probably won't believe you that the
| secret is destroyed with no backup. But now you _actually_ have
| no option to cooperate with them, so at least you're off the
| hook for the moral responsibility of whether the hostages live
| or not any more. The only ones that can make a decision that
| will causally influence whether the hostages live or die, at
| that point, are the hostage-takers.
| decebalus1 wrote:
| Hah, I'm in the same situation. I don't actually 'know' my
| password. But if I'm on a QWERTY keyboard I can totally type it.
| The major downside is that if I leave for a longer vacation and
| I'm not going to be typing it daily, I will definitely need to
| reset it when I return (happened every single time).
| arnaudsm wrote:
| That's a funny story, but the real problem here is that you
| didn't change your password in 13 years.
| gridspy wrote:
| You don't need to change your password unless it gets
| compromised. Changing passwords regularly is a security myth.
| It's more important to use a unique password per service.
| cyounkins wrote:
| I have. I just describe the first time I changed it.
| guardiangod wrote:
| Sometimes I wonder if nerds find pleasure in finding loopholes in
| figures of speech and then feel all strangely superior about it.
|
| "Haha I can't 'tell' you because the password can only be
| constructed from a specific series of hand gestures. Plot
| foiled!"
|
| The attackers don't care if you can't verbally 'tell' them the
| password. With enough motivation, they will try anything to get
| it out of your head. A wench is just a tool to hasten that
| process, in certain scenarios. If you can't tell them, they will
| just hit you with a wrench until you tell them the exact way you
| use to reproduce what they need.
|
| Edit: Thanks atatatat. Wrench, not wench.
| cyounkins wrote:
| Oh yes I really was over here snickering uncontrollably
| thinking my security was foolproof! </s>
| atatatat wrote:
| A wench is called a "honeypot" -- totally different thing.
| munk-a wrote:
| Nah - they could alternatively use a honeypot to try and
| trick you - aka the Rick and Morty episode M. Night Shaym-
| Aliens!... or they could just make your life pain until
| you're able to successfully unlock your thing - even if it's
| a password you can't communicate verbally it is something you
| can communicate since your computer can understand you.
|
| Biometrics come with the same potential issue - great, now
| instead of beating me up until I tell them the password is
| rosebud they're going to cut off my thumb - this scenario is
| _so much better_.
| guardiangod wrote:
| I'd rather get hit by a wench than a wrench, if I am gonna
| get hit by something. Death by Snu Snu is preferable to death
| by blunt trauma- at least I get something out of it.
| hosh wrote:
| And ... If hitting you with a wrench can potentially make you
| unable to provide the password, there is also using the wrench
| on someone else that you don't want to be hit with a wrench. If
| they want it badly enough, they'll find the leverage to get it.
|
| Many people have moral lines they won't cross, but the kind of
| people willing to use a wrench on you to get what they are
| looking for, are willing to cross many more lines than an
| ordinary citizen.
| hosh wrote:
| If a determined actor really wants that password, they don't have
| to use wrenches or drugs, at least not on you. Something as
| simple as threatening something you hold dear along with
| providing a Dvorak keyboard will probably be enough motivation.
| There are probably other ways, and I am sure there are folks out
| there creative enough to find them.
|
| There is something from Sun Tzu's _Art of War_, along the lines
| that one can defend against attacks by drawing a line in the sand,
| or crack any fortress by threatening that which the defenders are
| obligated to come out to defend. Any determined actor will find
| some way, though yes, taken to the extreme, that way lies
| madness.
| dilap wrote:
| I ran into a similar issue when trying to switch to the Colemak
| keyboard layout from QWERTY.
|
| I was able to get up to a decent-enough speed for normal English
| text in a few days, but trying to use emacs was _murder_:
|
| It turns out all of its many (and critical) keyboard shortcuts
| are embedded in my brain as motions, not as their corresponding
| letters.
|
| So trying to figure out what a shortcut should be in emacs was
| really difficult: I'd have to think about the motion in QWERTY,
| figure out the letters, then think about what the letters would
| be in Colemak, and then finally make the shortcut. Very difficult
| and slow, and really messed with my head.
|
| So, I gave up, and I'm back on QWERTY, which, honestly, is good
| enough for me.
|
| (I did consider the possibility that there probably exists some
| emacs minor mode to map _just_ shortcuts (i.e., key prefixes
| start with meta or control or whatever) back from Colemak to
| QWERTY, but...life is too short, and I've already wasted far too
| much of it configuring emacs.)
| cyounkins wrote:
| I agree. Keyboard shortcuts are really difficult. If I could go
| back I'm not sure I would repeat the exercise, I've just kind
| of stuck with it. On macOS there is "Dvorak - QWERTY ⌘" which
| switches to QWERTY when pressing ⌘ so many shortcuts work.
___________________________________________________________________
(page generated 2021-09-23 23:00 UTC)