64 comments

[ 3.2 ms ] story [ 127 ms ] thread
sooner or later, everyone's gonna have to have some sort of passphrase that you authenticate with before acknowledging it's the real person.
Whatever it is we do, I predict that trust of internet communications will go down significantly.

Maybe we will pivot back to in-person meetings for important transactions.

You learned nothing from Crowdstrike?

Some large company will claim to invent a product that solves the problem. It will fail some of the time, but that doesn't matter as customers of the product will have someone to blame. No one will ever be actually held accountable for failures as some combination of lawsuits and "you're holding it wrong" will be sufficient to deflect liability from the large company. And anyway there's no real choice as all the other large companies who also have solutions in this area are equally as bad.

And that company will have a huge library of deepfake models stored on a poorly-secured server, which will leak.
How we already authenticate is cryptography, we just need to use it more.
The problem is that crypto is hard. When something is hard, people tend to pay someone else to do it. It only takes that one party to commit a private key to a public GitHub for the whole house of cards to come crashing down.
Ah. There’s the sentence I was looking for!

There’s many hopes riding on decentralized options.

But verification is hard.

Which is why all information networks tend to concentrate in some form or the other - to reduce the effort needed to authenticate

HTTPS is not hard, it's not even expensive anymore. Nothing stops us from using the same X509 rails backed by the same government that issued your id or driving license (or corporate access card) to do the client certs too.

We even have hardware keys that are capable of that in most big corp techworkers pockets already.

the problem is that these are all trusted side channels (or regular channels that have been vetted).

When an "emergency" happens, and the caller claims they're not able to use the regular channels of communication, how do you authenticate them?

When I say cryptography, I mean some means of end-to-end encryption (i.e, something which can't be faked or MITMed).

What is hard is getting this implemented in consumer apps in a way that user doesn't need to know nor fully understand it, but only understand it to a degree to differenciate unsafe channels from safe.

That has a long history in spycraft (and milint): sign/countersign, challenge/response, recognition signals, paroles…
I predict that when the person being challenged forgets the passphrase for the current time period, "Yo Mama" will often work.
PGP solved this problem decades ago!
Unfortunately PGP still has to solve to problem of how to use it properly without requiring a PhD
All major VOIP solutions are already cryptographically secured. In this case the attacker was not able to pull off anything akin to a caller ID impersonation, they made the call from an unknown number and tried to explain it away:

> The Vigna deepfaker began explaining that he was calling from a different mobile phone number because he needed to discuss something confidential

> they made the call from an unknown number and tried to explain it away

Also, phones get stolen and people lose their phones. This is fundamentally a social problem. Technology can help but not solve it.

ChatGPT's read the manual for you and you can ask it for the correct incantation to use.
Getting security right in a scenario where I'm not sure how to tell which commands are right is exactly the kind of situation I don't want hallucinations for.
pgp is well documented and while i won't die on the hill that it won't generate hallucinations giving you various pgp command lines, especially me esoteric ones, I sincerely doubt it would have problems with basic useage that's haven't memorized that's on various cheat sheets on the web.

hallucinations aren't a problem for well trod ground.

Just use Signal. It's not 1999 anymore. Public key has been productized all over. When it warns you that someone's identity has changed, that's the time to double check out of band, because under the hood the public key changed.

SSH is another example of something that productized the ideas in PGP but easy and straightforward (for typical Unix users at least)

I'm sure there's others

(comment deleted)
We'll all need Inception-style totems soon.
Reminds me of the questions they'd use in Harry Potter to identify themselves

"What creature sat in the corner the first time that Harry Potter visited my office at Hogwarts?"

For a universe where everyone can turn into everyone, it seems this is way underutilized. Like, every single secret gathering or non-public meeting would need to start with everyone verifying their identity. Especially when parties are persecuted.
To be fair, when you are meeting under a place that is protected by magic (Fidelius Charm?) to make sure that only people who know about the secret place can attend the meeting (and this information can only be shared by a single person, the secret keeper), it automatically validates that the people joining the meetings are authentic.
Except that time it didn't, which every character in those secret meetings should be aware of. (There's no point trying to defend the plot holes in Harry Potter: it's an entertaining story and important to many people, but well-written it is not.)
This was explained: The secret-keeper died, so everyone who knew the secret became the new secret-keepers. They brought the outsider with them accidentally, which was enough for the magic to be satisfied that the secret-keeper showed them the secret.
The other time it didn't (revealed in the third book) should be enough for them to at least have their guards up.

Though, given the events of the fourth book, every participant in the war must be incompetent at warcraft – which we do see in subsequent books. You could argue it's consistent with the characters being incredibly complex (traumatised veterans, ego-fuelled tunnel-vision, not actually caring about victory, etc)… but realistically they were written by a millionaire[1] with no experience of war, and are fairly one-dimensional characters.

[1]: Sunday Mirror, Jul 9, 2000.

>For a universe where everyone can turn into everyone, it seems this is way underutilized.

That's what you think the biggest issues is with the writing in Harry Potter, and not the underutilization of a time travelling deice they only hand out to a student so she can ... take extra classes?

Don't get me wrong, I loved the books as a child, but as a grown-up now, they haven't aged well at all when you start to realized all the massive plot holes and sloppy writing.

They could wave a wand and feed the world, instead they come up with a pseudo racial slur for the people without magic that they laugh about behind closed doors.
Creating food has been explicitly excluded from the magic in the Harry Potter universe.
That's how Dumbledore claps his hands and food suddenly appears in the great hall?
That's food that exist in the kitchen. Dumbledore merely transports the food from downstairs into the Great Hall.

Read the books instead of assuming things. The books are very clear on the point that food cannot be magically created.

>Read the books instead of assuming things.

I did, but that was about 20 years ago, I don't remember much from then except bits and pieces which may or may not be accurate as they're mixed in with the residual images form the movies.

To possibly jump-start your memory, the books had a whole thing with Hermione trying to free the Hogwarts house-elves. It mostly happened in the background and they just talked about it, but it was during one of these parts we learn about the kitchen and how the food gets to the great hall.
TBH that's probably the most realistic part of the worldbuilding after growing up.
if thats the only question, it wont work for long
I assume the actual questions will relate to conversations had in private in reality. Anywhere from "where did we go on [date]" to "I asked you X question back then, what was your reponse?"
I work with a guy I know from college and asked him an obscure college related question to verify identity the other day.
This has got to be one of the more elaborate book placements I’ve seen. Props to them for priming the sell by having a likeable story.
Hopefully the scammers will try this again with Crowdstrike and Xitter and succeed this time.
dial a 2fa code on every call and have the other side do the same. easier for video calls - present a 2fa qr code to the camera.

everyone's a spy now.

Everyone was a spy before.

We’ve graduated to everyone being a scammer / impersonator / saboteur.

I disagree. It's so much worse than that because there are way more scammers than there's everyone: robots have that job now.
2fa and signing. I think PKI will see an explosion soon. Everything will be signed, even streaming audio and video.
Then you can literally be the man-in-the-middle, just organize 2 parallel calls.
I mean it's a funny anecdote but it's a bit disheartening when the article is just an ad for a book.
I don't think that's the case, but geez whatever "AI" (ironically) they used to translate the book title botched it and made a fucking weird title...

Google Translate changed it to "Decalogue of complexity. Act, learn and adapt in the incessant evolution of the world". Evolution is a much better word than "Becoming", but "Acting, Learning and Adapting" from their translation is better.

The thought had occurred to me about seven years ago that improvements in communications technologies ultimately undermine trust. I'd posted to my (now redditstrike'd, due to repeated trust violations by Reddit's leadership, irony noted) subreddit at the time. Archived copy:

<https://web.archive.org/web/20230603101919/https://old.reddi...>

It turns out that the inconvenience and costs of face-to-face and even physical written communications are both their bad and good characteristics. Yes, you incur costs, yes, they're inconvenient, but you can far more readily verify that someone is who they say they are, and increase any possible attackers' costs phenomenally.

The thought occurs that very limited communications / interactions channels may be an increasingly valuable trust feature in future, though the current pitfall of such approaches is that you're very often interacting with someone who's using the same (or very similar) insecure systems as you'd be using yourself directly.

The other possibility is that new protocols and institutions will emerge to help deal with the problem. One interpretation of the Axial Age[1] is that the emergence of writing and sprawling empires co-evolved social-alignment mechanisms, a combination of moral philosophy and religion, which enabled at least four cultures to deal with the emerging complexities and trust challenges, in persia, India, China, the Greco-Roman world, and the Levant. The religious and philosophical institutions which emerged emphasized trust, obedience, loyalty, and respect, and probably had much to do with the success of those societies. Keep in mind that the level of reliability needn't match what we generally expect today in high-trust cultures, only that there be a relative advantage to the contemporary immediate neighbours those empires engaged with.

It's also true that comms can interact positively to trust, or at least to validation and enforcement, though audits, registers, double-entry bookkeeping, monitoring, and surveillance. Though to my mind those replace social trust values with technological trust mechanisms. Which somewhat underlines my initial point.

_______________________

Notes:

1. See: <https://en.wikipedia.org/wiki/Axial_Age>

> What was the title of the book Vigna had just recommended to him a few days earlier (it was Decalogue of Complexity: Acting, Learning and Adapting in the Incessant Becoming of the World by Alberto Felice De Toni)?

You couldn't make it up.

The book is the develpoment of a lecture by De Toni: https://www.youtube.com/watch?v=bnTjgI14K4c

via auto translate, the 10 points are: Complexity has always existed. Complexity always increases. There is a light side and a dark side of complexity. The signature of complexity is the power law. Complexity manifests itself according to models that can be reconstructed ex post. There is the dilemma of complexity. The complexity of the social world is the highest. Complexity, paradoxes and metamorphoses: the hidden plot. Autonomy and cooperation: the mix for navigating complexity. Complex thought and simple action.