Sometimes I wonder if nerds find pleasure in finding loopholes in figures of speech and then feel all strangely superior about it.
"Haha I can't 'tell' you because the password can only be constructed from a specific series of hand gestures. Plot foiled!"
The attackers don't care if you can't verbally 'tell' them the password. With enough motivation, they will try anything to get it out of your head. A wench is just a tool to hasten that process, in certain scenarios. If you can't tell them, they will just hit you with a wrench until you tell them the exact way you use to reproduce what they need.
Edit: Thanks atatatat. Wrench, not wench.
And ... If hitting you with a wrench can potentially make you unable to provide the password, there is also using the wrench on someone else that you don't want to be hit with a wrench. If they want it badly enough, they'll find the leverage to get it.
Many people have moral lines they won't cross, but the kind of people willing to use a wrench on you to get what they are looking for are willing to cross many more lines than ordinary citizens.
Nah - they could alternatively use a honeypot to try and trick you - aka the Rick and Morty episode M. Night Shaym-Aliens!... or they could just make your life pain until you're able to successfully unlock your thing - even if it's a password you can't communicate verbally it is something you can communicate since your computer can understand you.
Biometrics come with the same potential issue - great, now instead of beating me up until I tell them the password is rosebud they're going to cut off my thumb - this scenario is so much better.
I'd rather get hit by a wench than a wrench, if I am gonna get hit by something. Death by Snu Snu is preferable to death by blunt trauma - at least I get something out of it.
Depends on the hiring process. A good innkeeper will hire wenches who can muster a good punch: it's a competitive world, you don't want downtime from bar brawls and stuff.
Bad for you, because no one with a wrench would believe you.
Here's a thought experiment: You are a hacker with a 100% (to your knowledge) secure notebook full of company secrets. I am an attacker and I have your son/daughter as a hostage. I am asking you to unlock that laptop for me in exchange for your kid. What do you do?
Do you really trust your failsafes enough to risk the life of your own kid? Or do you just unlock the goddamn notebook for me?
> Do you really trust your failsafes enough to risk the life of your own kid?
I mean, the right way to do it is with a precommitment to preventatively destroying the thing the attacker wants from you, via some kind of dead-man's-switch. You don't let your future self make the decision of whether to give up your secrets; your hypothetical future self is under duress. Your present self is not, and therefore knows better.
Of course, they still probably won't believe you that the secret is destroyed with no backup. But now you actually have no option to cooperate with them, so at least you're off the hook for the moral responsibility of whether the hostages live or not any more. The only ones that can make a decision that will causally influence whether the hostages live or die, at that point, are the hostage-takers.
And some of those attackers will just off at least one of the hostages anyway as an object lesson, as a way to "motivate" you.
That kind of dead-man-letter defense is a deterrent that relies on the attacker's ability to assess that the information can be destroyed, before going through the trouble of coming after you. If they are unable to assess it, or their intelligence is wrong, or you never let it be widely known that there is a dead-man-letter, once hostages are taken, you're still in that situation.
Even if you don't consider it as your moral responsibility, it won't bring dead people back to life. The cost is still the same. And if you survive, the trauma will still be there.
I didn't say it would do anything to discourage bad actors from kidnapping those you care about. Just that it's a lot less stressful to be in an interrogation situation, when there's nothing you actually need to be using your willpower to resist doing. (Instead, it's just Kafkaesque.)
My present self wouldn't risk my children for my secrets either. If villains have my children I'm willing to trade my secrets to get them back. The villains and I can settle up once the kids are safe.
Surely there are very few situations where it would be worth gambling your children's lives over some data. Perhaps if there were many other lives at stake, but even then...
I asked a bartender for the WiFi password, he said you have to buy a drink first. I asked if they had Diet Coke, he said they only have Pepsi, so I asked for a Diet Pepsi. He turned and poured one, gave it to me. He said that's $3, so I gave him a $5. He walked to the till got $2 out, came back and gave me my change, I kept one bill and slid the other back to him. After a few seconds of silence, I asked again what the WiFi password was, and he said "You have to buy a drink first".
I have a friend who can't actually tell you her passwords, because she doesn't know them. She just resets them every time she needs to log in to some site.
I wouldn't like it myself because of the extra steps to reset each time, but it does make sense. "Can you access email sent to this address" is probably a reasonable authentication challenge for a lot of purposes. (It might even be phishing resistant...)
The email she uses is the main email address from her ISP, so she can also reset it by requesting a reset code by text (or, at worst if she also loses her phone, by going to a store and showing her ID).
After thinking about it, the only real problem I found was indeed the extra hassle. I stopped trying to convert her to a password manager after that.
I ran into a similar issue when trying to switch to the Colemak keyboard layout from QWERTY.
I was able to get up to a decent-enough speed for normal English text in a few days, but trying to use emacs was murder:
It turns out all of its many (and critical) keyboard shortcuts are embedded in my brain as motions, not as their corresponding letters.
So trying to figure out what a shortcut should be in emacs was really difficult: I'd have to think about the motion in QWERTY, figure out the letters, then think about what the letters would be in Colemak, and then finally make the shortcut. Very difficult and slow, and really messed with my head.
So, I gave up, and I'm back on QWERTY, which, honestly, is good enough for me.
(I did consider the possibility that there probably exists some emacs minor mode to map just shortcuts (i.e., key prefixes start with meta or control or whatever) back from Colemak to QWERTY, but...life is too short, and I've already wasted far too much of it configuring emacs.)
One fun event, years ago: I was at a developer's home and he was showing me how he could create different text windows on his text-only display. He would just quickly reach out, hit some key, and a text window would be created, for example.
Asked him how he did that and he tried to do it slowly, and he could not figure out which keys he pressed. His normal speed was too fast to follow, but he no longer knew which keys he pressed, and every time he tried to do it slowly he just stopped in confusion. :)
I was lucky in the sense that I chose to switch to Colemak from QWERTY my first year in college when I realized I wanted to pursue programming as a career _and_ that I couldn't learn retroactively how to touch type QWERTY. I hadn't developed any real habits at that point... all that I had was my terrible 5-total-finger QWERTY typing style inherited from shit-talking people in Age of Empires 2 when I was a kid.
I agree. Keyboard shortcuts are really difficult. If I could go back I'm not sure I would repeat the exercise, I've just kind of stuck with it. On macOS there is "Dvorak - QWERTY ⌘" which switches to QWERTY when pressing ⌘ so many shortcuts work.
By the way, in the US of A it's not getting hit with a wrench you need to worry about, but indefinite imprisonment because you're in contempt of court.
If you "hold the keys to your own freedom", no habeas corpus for you, buddy.
In some countries, the numbers on the DAB have 1 2 3 at the bottom, like on keyboards, instead of at the top. Funny thing is, I can’t even remember the gesture in such situations.
Alternatively: Okay - the cops didn't find our hideout - let's burn a few days making this guy's life hell until he either cracks or unlocks his laptop. By the time we head out one thing will be broken - it's his choice whether it's his psyche or his encryption.
With so little qualification on what the data actually is... what?
If we're talking about company data there is no way I'm enduring a beating - if we're talking about personal data... eh there's probably no way I'm enduring a beating - I can probably recover whatever I've lost in time.
You don't need to change your password unless it gets compromised. Changing passwords regularly is a security myth. It's more important to use a unique password per service.
If a determined actor really wants that password, they don't have to use wrenches or drugs, at least not on you. Something as simple as threatening something you hold dear along with providing a Dvorak keyboard will probably be enough motivation. There are probably other ways, and I am sure there are folks out there creative enough to find them.
There is something from Sun Tzu's Art of War, along the lines that one can defend against attacks by drawing a line in the sand, or crack any fortress by threatening that which the defenders are obligated to come out to defend. Any determined actor will find some way, though yes, taken to the extreme, that way lies madness.
Well, Dvorak's layout is fixed so it doesn't work. But one could imagine a fixed unknown layout. It would act sort of as a salt, and reduce the attack to a 2F authentication with the keyboard.
Hah, I'm in the same situation. I don't actually 'know' my password. But if I'm on a QWERTY keyboard I can totally type it. The major downside is that if I leave for a longer vacation and I'm not going to be typing it daily, I will definitely need to reset it when I return (happened every single time).
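The two comments above (and the Colemak story earlier in the thread) all turn on the same mechanic: the password lives in the fingers as key positions, so the characters that come out depend on which layout the machine is set to. The script below is an added example written for this thread, not code posted by any commenter. It encodes the standard US QWERTY, Dvorak and Colemak key rows, remaps a string memorized on one layout to what the same motions produce on another, and models the "fixed unknown layout" idea as a seeded random permutation of the physical keys; the sample strings, the `secret_layout` helper and its seed are constructed for illustration.

```python
"""Remap a password that is memorized as finger motions from one keyboard
layout to another.

Added example for the discussion above, not code posted by any commenter.
The three layouts are the standard US QWERTY, Dvorak and Colemak key rows;
the random "secret layout" and the sample strings are constructed.
"""
import random

# Printable keys of each layout in physical key order, row by row:
# number row, top letter row, home row, bottom row.  Index i of the unshifted
# string and index i of the shifted string are the same physical key.
LAYOUTS = {
    "qwerty": (
        "`1234567890-=" "qwertyuiop[]\\" "asdfghjkl;'" "zxcvbnm,./",
        "~!@#$%^&*()_+" "QWERTYUIOP{}|" "ASDFGHJKL:\"" "ZXCVBNM<>?",
    ),
    "dvorak": (
        "`1234567890[]" "',.pyfgcrl/=\\" "aoeuidhtns-" ";qjkxbmwvz",
        "~!@#$%^&*(){}" "\"<>PYFGCRL?+|" "AOEUIDHTNS_" ":QJKXBMWVZ",
    ),
    "colemak": (
        "`1234567890-=" "qwfpgjluy;[]\\" "arstdhneio'" "zxcvbkm,./",
        "~!@#$%^&*()_+" "QWFPGJLUY:{}|" "ARSTDHNEIO\"" "ZXCVBKM<>?",
    ),
}


def _rows(layout):
    """Accept either a layout name or an (unshifted, shifted) pair."""
    return LAYOUTS[layout] if isinstance(layout, str) else layout


def _positions(layout):
    """Map every printable character of a layout to (key index, shifted?)."""
    unshifted, shifted = _rows(layout)
    table = {ch: (i, False) for i, ch in enumerate(unshifted)}
    table.update({ch: (i, True) for i, ch in enumerate(shifted)})
    return table


def remap(text, learned_on, typed_on):
    """Characters produced when `text`, memorized as finger motions on the
    `learned_on` layout, is typed with those same motions on `typed_on`.

    Space sits on the same key everywhere and passes through unchanged; a
    character with no key on the source layout raises ValueError.
    """
    positions = _positions(learned_on)
    unshifted, shifted = _rows(typed_on)
    out = []
    for ch in text:
        if ch == " ":
            out.append(ch)
            continue
        if ch not in positions:
            raise ValueError(f"{ch!r} has no key on the source layout")
        index, is_shifted = positions[ch]
        out.append((shifted if is_shifted else unshifted)[index])
    return "".join(out)


def secret_layout(seed):
    """The "fixed unknown layout" the thread imagines: a random permutation
    of the physical keys applied to QWERTY.  Seeded so the same secret layout
    can be reproduced on another machine.  (Constructed for illustration.)"""
    unshifted, shifted = LAYOUTS["qwerty"]
    order = list(range(len(unshifted)))
    random.Random(seed).shuffle(order)
    return ("".join(unshifted[i] for i in order),
            "".join(shifted[i] for i in order))


if __name__ == "__main__":
    # Constructed sample: a QWERTY touch-typist's motions on other layouts.
    for target in ("dvorak", "colemak"):
        print(target, remap("Hello, World!", "qwerty", target))
    secret = secret_layout(seed=2024)
    hidden = remap("Hello, World!", "qwerty", secret)
    print("secret layout:", hidden, "->", remap(hidden, secret, "qwerty"))
```

Two things the code makes visible. First, the remap is a bijection on the 47 printable keys, so a password that "only exists in the fingers" can always be recovered on a foreign layout by mapping it back, which is the practical fix for the vacation problem above. Second, a layout permutation is a fixed substitution of characters: it does not change how many guesses an attacker needs once the resulting string is observed, so any protection comes entirely from the permutation itself staying secret, which is exactly the assumption the "fixed unknown layout" comment makes.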
Happens with rotary dial combination padlocks, like those used for school or gym lockers. You don't go by the numeric code, let alone remember it. The things are only accurate to about 12 points around the dial anyway, so if you recovered the code from your muscle memory, it wouldn't match the original digit for digit.
I'm also a Dvorak user with a randomly generated password, but I memorized it by coming up with an approximate pronunciation so it's still firmly lodged in my brain.
Some pranksters enjoy setting the keyboards to Dvorak in PC retailers to baffle the normals trying out the machines, as I discovered while laptop shopping a bit ago.