this post was submitted on 14 Jun 2024
20 points (68.5% liked)

Ask Lemmy

26959 readers
528 users here now

A Fediverse community for open-ended, thought provoking questions

Please don't post about US Politics. If you need to do this, try [email protected]


Rules: (interactive)


1) Be nice and; have funDoxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them


2) All posts must end with a '?'This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?


3) No spamPlease do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.


4) NSFW is okay, within reasonJust remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either [email protected] or [email protected]. NSFW comments should be restricted to posts tagged [NSFW].


5) This is not a support community.
It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email [email protected]. For other questions check our partnered communities list, or use the search function.


Reminder: The terms of service apply here too.

Partnered Communities:

Tech Support

No Stupid Questions

You Should Know

Reddit

Jokes

Ask Ouija


Logo design credit goes to: tubbadu


founded 1 year ago
MODERATORS
 

I saw this tiktok where this guy was talking about how he'd get his hands on real social security numbers.. this was a clip from a whole story he told about some criminal shit, I was too distracted by my thoughts on how to fix the exploits he used.

Block chains and cryptographic signatures would solve basically every one of his exploits. But regardless of the myriad of reasons as to why we won't adopt cryptography into American laws and bureaucracy, imagine if we did do everything involving government and policy in a cryptographically secure environment.

Imagine if everyone who is born gets assigned a gpg secret key signed by the government and that is your government ID for everything from opening a bank account to paying your taxes to claiming benefits. IMPO I think this is a perfect solution (iif you ignore the human element).

So my question is why wouldn't it be perfect, and what kind of exploits could bad actors use in a cryptographic bureaucracy?

all 36 comments
sorted by: hot top controversial new old
[–] [email protected] 21 points 5 months ago* (last edited 5 months ago) (1 children)

if you ignore the human element

And that's you problem right there. The same people that can get tricked into revealing their SN#, mother's maiden name, etc. are the ones who would reveal their private keys to a scammer.

Fraud is a social problem, technology can assist in managing them, but not solve the issue. In the end, it's all about the human factor.

[–] [email protected] 17 points 5 months ago

Any system is only as secure as the people operating it.

[–] CameronDev 17 points 5 months ago (1 children)

A gpg key has to be stored on something, and that can be stolen or lost. (Or degraded over time).

You are essentially pushing for 1 factor authentication. Its a strong factor, but still just 1.

[–] danhab99 1 points 5 months ago (3 children)

True,

There are many ways to do this, for example a person can sign a new key with their old key when their old key is due to expire, we have many rotating government IDs.

As for the human element, social security cards and driving licenses get lost/stolen/worn out too, crypto keys have the potential to be just as durable as existing solutions.

[–] [email protected] 3 points 5 months ago (2 children)

I hope I don't have to remember all of my kids passcodes until they are old enough to have them themselves.

[–] danhab99 1 points 5 months ago (1 children)

We'd need a purpose made gpg like system for this level of complexity so I have no doubt that there would be a way to have parents cryptographically prove they're their children's parents. It's just a matter of design

[–] [email protected] 1 points 5 months ago

We already have quite a few systems in place to prove who the parents are.

[–] [email protected] 1 points 5 months ago

Just email it to yourself from your Gmail account. That is perfectly secure.

[–] [email protected] 2 points 5 months ago (1 children)

You have the same problems we have with passkey today. If the key is compromised, and you don't have a separate recovery method, how would a third-party know if you rotated the key or the attacker did? Keys are the way to go for these things, yes, but processes and management at a human level are required.

[–] danhab99 1 points 5 months ago (1 children)

Guys

Guys

Guys

Cryptography doesn't replace people... Some bureaucrat will probably manually generate keys for new people... If you make new keys you're probably gonna go get them signed maybe even in person.

It's just supposed to replace the garbage ass id systems we have today with something more utilitarian

[–] [email protected] 1 points 5 months ago

Yes, that's what I was saying. In any event, the US is the only country with a dumb sequential SSN anyway, since no one seems to want a secure national ID that everyone else has.

[–] [email protected] 2 points 5 months ago

If you provide people with the means to replace lost crypto keys, then you've lost the security gained from using them.

[–] [email protected] 8 points 5 months ago (2 children)

SSNs aren't tricky by design.

3 digit area number, 2 digit group number, 4 digit serial number.

https://www.ssa.gov/history/ssn/geocard.html

So 1,000 combinations x 99 combinations (00 is not a choice) x 10,000 combinations.

990,000,000 potential SSNs. The only trick would be determining which ones are valid and which are not.

(0... 0... 0... - 0... 0... - 0... 0... 0... 2 - DAMN YOU ROOSEVELT!)

In any given area and group there are only 10,000 SSNs.

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago)

Shit you could probably just ask an AI chatbot for one and get a valid one it scrapped off the (dark)web. CC#s, too.

[–] [email protected] 4 points 5 months ago

This is no longer the case. Any SSN issued after 2011 is fully randomized

Additionally, the following SSNs are always invalid:

  1. Any SSN with "000", "666", or "900"-"999" in the former area number
  2. Any SSN with "00" as the former group number
  3. Any SSN with "0000" in the former serial number.
[–] [email protected] 6 points 5 months ago

Yep. The weakest link in the security chain is between chair and keyboard. And you can't encrypt that.

[–] [email protected] 6 points 5 months ago

Fraud is conducting business under false pretenses.

What you’re referring to with obtaining social security numbers is basically “identity theft”, a term which makes a lot of sense in cybersecurity.

An SSN is basically (terrible) authentication credentials. So it’s credential theft. If you want you can call a bundle of credential factors an “identity” and then real life and computer identity theft become the same thing.

So basically you can go two ways with it.

One is fraud’s still the same and that wasn’t fraud per se that you were referring to before (except technically, in the sense identity theft is a subset of fraud).

The other is that to get your hands on people’s credentials, you’d get a copy of that GPG key. Maybe that means physical access, stealing the key, whatever. If you said biometric then that’ll eventually be spoofable due to biotech.

[–] [email protected] 4 points 5 months ago

Not today, CIA

[–] [email protected] 2 points 5 months ago (1 children)

You already have a cryptographically secure government id: your passport.

[–] [email protected] 1 points 5 months ago

Some people do in the USA, but a majority don't.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago) (1 children)

Well if they properly embraced it, you wouldn't get one PGP key implanted at birth. I mean if that private key ever leaks, you're screwed for the rest of your life. And the blockchain has sever shortcomings, too. It's not anonymous, everyone can see every transaction and it's not fast enough for lots of applications.

It'd need to be implemented properly. And most importantly include privacy. You can't just expose millions of people to every attacker. And please think of the not obvious cases... How someone operate it who's in the hospital and unconscious... What if you lost your phone... How can you keep secrets from your (abusive) partner... What about separation of state and private companies... How to prevent a scifi dystopia...

I think if like a few hundred millions of people are subject to it, it needs to be done properly. And I think that'd be possible if the government payed some experts to come up with a really good solution.

Keys need to have sub-keys, IDs be randomized, there needs to be some human in the loop in case something goes wrong. Attestation and not just giving out everything to every company...

[–] [email protected] 2 points 5 months ago (1 children)

Not every blockchain is fully transparent, but I agree that most are.

[–] [email protected] 1 points 5 months ago

Sure. I took "the blockchain" to mean bitcoin. It certainly depends on the implemetation. And on the use-case. In recent years people have put blockchain into everything. But that's not useful either. There are different kinds of blockchain, some more or less useful to certain tasks. And there are applications where blockchains aren't useful at all. so generally it depends on the specific problem we're trying to solve.

[–] [email protected] 2 points 5 months ago (1 children)

Giving everyone a gpg is a fair idea (with pros and cons), but I'm not sure what you mean by including blockchain?

[–] danhab99 0 points 5 months ago (2 children)

Any and all public record keeping would be done on a block chain. For example it's not a secret who owns a given house, you can look up property and tax records. Smart contracts on a block chain work just as well as paper contracts if they're given the same respect by the courts.

[–] [email protected] 2 points 5 months ago (1 children)

The smart contracts that are full of bugs and are exploited all the time?

[–] danhab99 -1 points 5 months ago (1 children)
[–] [email protected] 1 points 5 months ago

Flawless security measure there bud

[–] [email protected] 1 points 5 months ago

What advantages does the blockchain give compared to just having a government website that allows you to download a zip archive of these documents?

(Also, having public records of house ownership and tax is a terrible idea in general...)

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

While I do think it would strengthen the security, anyone that can trick someone into giving them their SSN can also trick that someone into giving them their private key.

This would be advantegous for everyone, but private keys would still be stolen.

I'm all for a cryptography embracing government though. A GPG key is far superior to a short number sequence that can be predicted easily.

Although not great, where I live, at least, we have a way to digitally sign digital documents using public key cryptography.

One thing is that I believe we will eventually have cryptographic keys assigned to us instead of those insecure SSNs. But who knows when that will become reality.

[–] [email protected] 1 points 5 months ago (1 children)

Firstly blockchain will do nothing in this situation so let's ignore that.

as for gpg the problem is in order to decrypt the data you need to share the private key which is the exact same problem we currently have. You need to share your SSN for checks to be done and the orgs you share your SSN with are terrible at keeping them secure.

While it is a nice thought experiment you aren't doing anything new just replacing a SSN with a gpg all the same technical problems are there.

[–] [email protected] 3 points 5 months ago (1 children)

That's kinda backwards, isn't it? If I want to verify my identity to a company, they would send me something that only I could decrypt. Some government agency provides all the public keys of all citizens, the company takes my public key, encrypts some secret with it, sends it to me, and asks me to decrypt and return it. If I'm able to do so, I must be who I say I am otherwise I would not be able to decrypt the secret.

In an ideal world, the company (or, even better, the employee) would have a similar certificate that I could use to encrypt my response with.

[–] [email protected] 2 points 5 months ago (1 children)

True, but you know orgs are going to want your private key anyway. Remember ssn is not suppose to be an identification system, it was never designed to be and yet it is used as such.

If they are doing shit wrong with a SSN what makes you think they will do shit right with gpg?

[–] [email protected] 2 points 5 months ago

In this theoretical system, ideally it's illegal for anyone other than the person who's supposed to have the private key to have it - excepting some subset of legal reasons (e.g. parents for their children). So, the only business that would be asking for people's private keys are the kind that are already operating outside of the law.

[–] [email protected] 1 points 5 months ago

Continue to work for a government contractor I guess would be the easiest. It's all a sick fucking river of dirty money. I do my best to stop it when I can but it's like bailing out a lake with a bucket.

However, if I wanted to change work I imagine the path would be to get an education in financial or insurance and then a job with some bank or insurance company. Be a fair amount of effort but I would be able to commit fraud on a much larger scale.