Obligatory xkcd

https://xkcd.com/538/

Please stop mentioning this, I'm going crazy.

Why? There are actually valuable takeaways from this.

One would be that people are the weak point in your security system. If all your organizational security hinges on one guy not folding, that guy is the natural target. Whether a literal 5$ wrench is used or they bribe him makes no difference.

That means you could consider shaping your org in a way that is resistant against this by e.g. decentralizing secrets. That means instead of bringing a "5$ wrench" to one person (which may even work without raising suspicion), you now need to convince multiple people at once, which is much more unlikely to work without being detected.
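An added example (not from the thread) of the "decentralize secrets" idea above: a Shamir threshold split in Python, where any 3 of 5 custodians can rebuild a key but no single share, or any two, says anything about it. The field prime, share layout and the 16-byte sample key are my own constructed choices.

```python
import secrets

# Prime modulus for the finite field; 2**127 - 1 is a Mersenne prime.
PRIME = 2**127 - 1


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1; any `threshold` points recover it, fewer reveal nothing."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Constant term is the secret; remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):  # never hand out x=0, that point is the secret
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points: list[tuple[int, int]], threshold: int) -> int:
    """Lagrange-interpolate the polynomial at x=0 from `threshold` shares."""
    if len(points) < threshold:
        raise ValueError("not enough shares to reconstruct")
    pts = points[:threshold]
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo() -> bool:
    """Constructed example: a 3-of-5 split of a 16-byte key across custodians."""
    key = b"constructed-key!"  # constructed sample value, not a real key
    shares = split_secret(int.from_bytes(key, "big"), 3, 5)
    # Any three custodians (here shares 2, 4 and 5) can rebuild the key.
    rebuilt = recover_secret([shares[1], shares[3], shares[4]], 3)
    return rebuilt.to_bytes(16, "big") == key
```

With fewer than `threshold` shares the polynomial is underdetermined, so pressuring one custodian yields one point on a random line rather than the key.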

All you need to do is s/wrench/social engineering/ and you will understand exactly why it's such an effective--if not infallible--vector of attack.

The only defence is to not have the secret at all.

In a similar way, sometimes the best way to protect data is not to collect it, or if you collect it, not keep it around in its raw form.

As for secrets, you sometimes need to have them for very good reasons. If you can reach the same goals without a secret while having the same protection, going without a secret is a good choice.

But if you want the cryptographic protections of confidentiality (through encryption), authenticity (through signatures) and integrity (also through signatures or hashes), chances are someone somewhere has to store a secret. If that someone isn't you, it is someone else (or something else).

But if you want to protect data with encryption and you should be the only one who can decrypt it, I don't really know how you would do it without any form of secret.

Please mention/link it even more. All security nerds _need_ to see this comic once a month.

Why? Everyone knows about rubber-hose cryptanalysis. The whole point of cryptography is to reduce them to this.

If they want our information, they should have to become literal tyrants, send armed men after us and violate human rights in order to get it. Not push a button on a computer to tap into their warrantless global dragnet surveillance networks and suddenly have our entire private lives revealed to them on a computer screen.

Yes, people will fold if they are kidnapped and tortured. That's not news. Forcing them to stoop to that is the entire design. Once the situation has escalated to that level, you are justified in killing them in self-defense. Torturers don't make a habit of allowing their victims to live and testify about it.

>Everyone knows

Don't make me link 1053 ;)

Petition to ban all xkcd links and references effective immediately.

It's really pretty stupid. Your encryption is there in case your laptop gets stolen. If you have people willing and able to kidnap and torture you to get your data, you have much bigger problems than the fact that they'll probably get it.

Once a month???? I literally see this once every 2 days.

Every comment that has a little bit of content about security/cryptography/secure/blockchain/CIA etc. always mentions this particular entry.

Just wait until you discover '10,000'.

It’s tonyhart7’s lucky day https://xkcd.com/1053/

I thought maybe cwsx was posting this often but that doesn't seem to be the case. Is it that that xkcd is basically a HN trope at this point?

If you do a site search you'll find 700+ comments linking to it. I wouldn't be surprised if it was the number one most frequently linked page in HN history.

And Randall deserves EVERY single one of them, IMHO!