undefined | Better HN

0 pointsloceng2y ago0 comments

Could you elucidate how exactly "standard crypto" would stop such a thing?

0 comments

It's easy. We just generate our own key pairs, establish a web-of-trust by signing each others public keys at in-person meetups, and then use those signed keys to authenticate all the digital communication we do with each other.

You know, like we've been doing with our emails since PGP was developed in 1991. You can tell how simple the process is, by how ubiquitous it has become in a mere 30 years!

DANmode2y ago

Publish it in your Twitter bio,

or as a Nostr note, for cool kids to share with other cool kids.

Defeatists get defeated!

denton-scratch2y ago

> like we've been doing with our emails since PGP was developed

Who is this "we"? I know personally exactly one person with a web-of-trust keypair.

sargun2y ago

I think the poster meant the prior meaning of the word 'crypto' -- cryptography, in which the CFO could sign and encrypt some message and then the message's authenticity could be verified.

thwarted2y ago

phone beeps with SMS message from CEO

"Can you buy $1000 worth of egift cards and text me back with the redemption codes? Our jobs depend on this. I'm in a very important meeting, otherwise of so it myself, left my private key at office and can't sign this message right now."

The human element remains the weakest link.

Aeolun2y ago

Hard to buy 25M worth of gift codes though.

1 more reply

computerfriend2y ago

This is a current, not prior, meaning of the word.

subtra3t2y ago

I think many people would expand the word crypto to cryptocurrency and not cryptography. We can argue on and on about which is the "correct" expansion but in my opinion a word's current meaning should be the most popular association people have of it.

1 more reply

YetAnotherNick2y ago

How does crypto add anything that just verifying email ID/phone number doens't provide. If you solution is to whitelist some certificates or key, you can as easily or even easier whitelist email IDs/phone number.

pastage2y ago

Cryptography can and should be done on hardware tokens that should directly be reported as stolen. A video call with email/phone is easy to fake.

I work with people who all have hardware crypto, you are right that we do not have the organizational knowledge to verify everything with crypto. Even if the tech is 60% there.

1 more reply

sverhagen2y ago

Banks certainly don't trust email, that's why instead they make you use those "encrypted messages" portals (...from hell).

macrolime2y ago

Phone numbers are trivial to spoof or steal and there is currently no way to protect against that.

3 more replies

chrisco2552y ago

You require that people sign messages cryptographically, including video calls, to validate their identity. You can't fake that.

coffeebeqn2y ago

Do any video call clients support this ?

kwhitefoot2y ago

Everyone in the call has a cryptographic ID that can be authenticated with a trusted authority. Your device would just ask all the others for a one time token that it then submits to the ID server. The server tells you public identifier of the person associated with that token.

We already have infrastructure for bus and rail tickets, for logging in to banks, tax authorities, health services, etc. in Norway and other countries that could easily be extended to cover this use case..

cornholio2y ago

By using it? This was a social engineering attack against an otherwise unprotected service, if you manage to trick the security guard, you are in.

j / k navigate · click thread line to collapse

0 comments

Karellen2y ago

You know, like we've been doing with our emails since PGP was developed in 1991. You can tell how simple the process is, by how ubiquitous it has become in a mere 30 years!

DANmode2y ago

Publish it in your Twitter bio,

or as a Nostr note, for cool kids to share with other cool kids.

Defeatists get defeated!

denton-scratch2y ago

> like we've been doing with our emails since PGP was developed

Who is this "we"? I know personally exactly one person with a web-of-trust keypair.

sargun2y ago

I think the poster meant the prior meaning of the word 'crypto' -- cryptography, in which the CFO could sign and encrypt some message and then the message's authenticity could be verified.

thwarted2y ago

phone beeps with SMS message from CEO

The human element remains the weakest link.

Aeolun2y ago

Hard to buy 25M worth of gift codes though.

1 more reply

computerfriend2y ago

This is a current, not prior, meaning of the word.

subtra3t2y ago

1 more reply

YetAnotherNick2y ago

pastage2y ago

Cryptography can and should be done on hardware tokens that should directly be reported as stolen. A video call with email/phone is easy to fake.

I work with people who all have hardware crypto, you are right that we do not have the organizational knowledge to verify everything with crypto. Even if the tech is 60% there.

1 more reply

sverhagen2y ago

Banks certainly don't trust email, that's why instead they make you use those "encrypted messages" portals (...from hell).

macrolime2y ago

Phone numbers are trivial to spoof or steal and there is currently no way to protect against that.

3 more replies

chrisco2552y ago

You require that people sign messages cryptographically, including video calls, to validate their identity. You can't fake that.

coffeebeqn2y ago

Do any video call clients support this ?

kwhitefoot2y ago

cornholio2y ago

By using it? This was a social engineering attack against an otherwise unprotected service, if you manage to trick the security guard, you are in.

j / k navigate · click thread line to collapse