Dead Man's Switch (deadmansswitch.org)
154 points by AndyBaker on April 7, 2014 | 99 comments


This is something I've thought about, and as I see it a lot of the problems common to crypto software are manifest in this space as well. Specifically with regard to security vs usability/ease-of-adoption issues.

This particular implementation transmits sensitive data in the clear and does the encryption server-side, so it's hard to take it seriously except as a remote (and unsecure) notification service.

Aside from that obvious shortcoming, a truly secure and reliable DMS system would need the following properties, possibly more:

1. All data encrypted client side and sent to system only in encrypted form

2. Anonymous

3. Distributed (no single point of failure for DDOS attacks or subpoenas)

4. Any data sent into the DMS system is split into several pieces and only reassembled after the set time without a response has elapsed and the switch is triggered

A peer-to-peer application that transmits data exclusively via TOR would probably be most secure, but it's unclear what the motivation for running an instance of this kind of P2P application would be (since it's all encrypted you aren't downloading anything useful) or how many people would actively participate. Any server-based system would need to have a large number of servers in multiple countries to be robust to technical and legal challenges, and that sounds expensive. At the same time, a reliable and anonymous DMS system is something that I can see people paying a small subscription fee for.

Any way you slice it, it seems like there are a lot of hard problems to solve in this area, but a reliable DMS service would be extremely useful.


Obviously the solution is a DeadManSwitchCoin.


I proposed this in an earlier thread and got some push back on the utility of the concept https://news.ycombinator.com/item?id=6509824


gwern has a great summary of "time-lock encryption" possibilities: http://www.gwern.net/Self-decrypting%20files


Hey, that is an interesting idea that I have often thought about before, but have not been able to wrap my head around how this could be done. Are there any links/literature you can point to for techniques that sort of fit this bill?

I almost imagine doing something like this in a physical system is easier than at the cryptographic level, but that probably is to be expected considering my physics background. I mean, using quantum phenomena seems to be an obvious way to do this, albeit completely infeasible at this time.


I think your sarcasm-meter failed you.


In any protocol, how would you manage the decryption keys? If the file's owner is dead, s/he can't provide the keys. So that means the keys must be transmitted to some trusted party before the owner's death.

That party could be the dead man's switch service, but do you want to trust them? I wouldn't. (Nothing against the operators of this site. It's just inherently risky to trust a website operator in this type of situation.)

Alternatively, the key can be given in advance to the files' intended recipients via some secure channel. For example, suppose Alice wants Bob to receive the files upon Alice's death. Alice can deliver the decryption key(s) to Bob in person, electronically with PGP, or in some other sufficiently secure manner. But in this scenario, Bob has to know about Alice's deadman's switch in advance.

So I'm wondering: Is there any way to do this a) with encryption, b) without entrusting the keys to the operator of the service, and c) without informing the recipients in advance?


Yes, that's what PGP is for. Encrypt whatever you want to the recipient(s)' public keys, done.


I should have mentioned: I was assuming the recipients weren't necessarily PGP users. Realistically, most people aren't. I'd imagine a dead man's switch would often be used to send documents to law enforcement, lawyers, journalists, etc. How many of those people have PGP public keys? If they don't, then you have to ask them to create one. Besides the difficulty in getting people to adopt PGP, you're also back to the problem of disclosing your dead man's switch prior to your death.


I wonder if you can split things between several switches. In the most simple scenario, DMS #1 would receive an encrypted file to be sent to Bob in case of Alice's death. DMS #2 would receive a passphrase for the encrypted file, also to be sent to Bob (or they can be sent to Ben, who would have to meet Bob and both of them together get access)

DMS #1 and #2 (Assuming there are several 'providers' in the 'market') would need to collude or both get hacked in order to compromise the secret.

If there are more DMS services, the key can also be split between them. And I believe there are some key-splitting algorithms that even help this process further.


That's a good idea. I think you're right: An attacker would have to compromise all the DMSs to obtain the plaintext. That's not outside the realm of possibilities. But it is much harder than compromising just one. At that point, the DMSs might not be the weak link in the chain anymore--an attacker might find it easier to attack your own systems. (Which is a good thing.)


> So I'm wondering: Is there any way to do this a) with encryption, b) without entrusting the keys to the operator of the service, and c) without informing the recipients in advance?

Give half the key to the service and half to your friends, then you're only vulnerable to a conspiracy between them. Or do some more elaborate m of n thing.


What about my third desire:

> c) without informing the recipients in advance

If you're willing to arrange the protocols with your recipients in advance, there are multiple viable approaches. But what if telling them in advance is itself a security risk?


"it's unclear what the motivation for running an instance of this kind of P2P application would be"

Incentivising P2P applications is one of the interesting problems Bitcoin could solve.

People have talked about building P2P storage applications using Bitcoin, which is essentially what this would be, except if you stop paying into the network the files should be transmitted to some 3rd party of your choosing instead of being destroyed.

Perhaps some splitting scheme such as Shamir's Secret Sharing could be layered on top.
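
The "m of n" key splitting raised in the comments above (a key shared between several DMS providers or friends, Shamir's Secret Sharing), as an added example that is not part of the thread: a 2-of-3 split of a 256-bit file key. The field prime and the function names `split`, `combine` and `recover` are choices made for this illustration.

```python
# Added illustration: k-of-n Shamir secret sharing over a prime field.
# Any k shares rebuild the key; fewer than k reveal nothing about it.
import secrets
from itertools import combinations

# 2**521 - 1 is a Mersenne prime, comfortably larger than a 256-bit key.
PRIME = 2**521 - 1


def split(secret, k, n):
    """Split `secret` (bytes) into n shares (x, y); any k reconstruct it."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial f of degree k-1 with f(0) = secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % PRIME
        return acc

    # Share i is the point (i, f(i)); x = 0 is never handed out.
    return [(x, f(x)) for x in range(1, n + 1)]


def combine(shares):
    """Lagrange-interpolate f(0) from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover(shares, length):
    """Rebuild the key bytes; raises OverflowError if the shares do not fit."""
    return combine(shares).to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed sample key
    shares = split(key, k=2, n=3)   # e.g. DMS #1, DMS #2 and a friend
    for pair in combinations(shares, 2):
        assert recover(pair, 32) == key
    print("any 2 of 3 shares recover the key")
```

The file itself would be encrypted client-side with the key and only the shares distributed, so no single holder can decrypt it.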


An alternative is a personal instance of a DMS for each person. Maybe a Github repo linked to a service provider, like Heroku, where each person manages their own switch.

One may say this is too complicated and the layman wouldn't know how to do this, but laymen wouldn't have the need for this. Anyone who is not satisfied with the given service, must have the power and will to change it to their needs.


I have been toying with the idea for a little while too. Distributed, open and safe were at the top of my list.


I wish there was a better way of determining whether you were alive or not.

There's an endless number of possibilities as to what could happen in order for me to not be able to go online and verify with that link. Why would I put myself through the stress of potentially forgetting and now I have to worry about the secrets of my dying breath being released to the public while I'm still around.

If I wanted anything to be taken care of I'd feel much safer keeping it in offline storage with a note attached.

What I think you should do is have a tiered level of notifications. For example an email every week is the first round of notifications. Then I wonder if you could pull my last login info from major services that are going to be around for a while like Amazon, Google, Apple, Facebook (debatable), and if I haven't logged into any of those services in 1 week, then go to the final round of notifications which is an in-person phone call.


How about a site where you enter your SSN? Then if you're ever listed as deceased in the Social Security Death Index, that will be the trigger.


SSNs aren't unique, so this seems quite risky.


Wow! I had no idea. According to http://www.idanalytics.com/news-and-events/news-releases/201...

> More than 15 percent of SSNs are associated with two or more people. More than 140,000 SSNs are associated with five or more people. Significantly, more than 27,000 SSNs are associated with 10 or more people.


Yup. It was stated over and over again that SSNs were not supposed to be a form of ID, but nobody pays attention...


I've always wondered how the SS administration deals with this. SSN _should_ be unique, but in practice they're not, so how do these people deal with taxes and _gasp_, social security?


If I were to guess I'd say they use other ID factors such as name/dob


That article is referring to corporate records, though, and leads with the fact that many people have multiple SSNs if you track all their commercial accounts as gospel truth. Does social security actually hand out duplicate SSNs, or is this all caused by people not remembering theirs/bad typing?


A week seems like a short amount of time. If you're dead, we're not talking about safety here—urgency is less important. I think even a mail every month would be sufficient.


That's what http://www.deadmansswitch.net/ (disclosure: I wrote it) does, it also has configurable intervals so you can make them as short or as long as you want. It sends you an email every interval, and, if you don't reply to any of them, it sends your messages.


Can I have copies of all the user submitted data? Probably full of bank account details, safe combos, etc.


The problem that isn't being considered is the same as people who say "I don't care if I die from a stroke (or heart attack)". It doesn't take into account that you might get either issue and not die but be incapacitated.

Consequently anything that relies on a reply to determine if someone is still alive (even with notifying relatives) simply isn't going to end up solving the problem.


This is an idea that has been around in various forms for a number of years. A number of other sites have popped up but like a number of people have already said, I don't trust random third parties with the keys to my online life.


Two keys, you put one on memory sticks which you give to friends/family you trust.

In the event anything happens to you the other key is sent to those people allowing them to decrypt it.

Service can't access your data as it only has one and same for trusted person.

I'm sure something like this already exists (and tbh the level of effort required to set it up pretty much makes it unlikely to catch on) but it is theoretically workable.


You don't need any keys. Just say "I wrote how to log into my email on a piece of paper in the safe deposit box. You may have found it already."


But that doesn't have enough points of failure!


For those of us who run FreeBSD, there's gshsec(8):

http://www.freebsd.org/cgi/man.cgi?gshsec

Want to set up a "2 of 3" (or similar) scheme? You could use, for example, a three-disk RAID5 using USB flash drives.


Yet it's a problem to be solved.


True, but probably the solution is not yet another third party who does the same thing as every other third party.

Obviously it's still a problem, but the problem isn't just "I need someone to do this stuff if I die". Rather it's "I need someone I can trust absolutely to do this stuff if I die".

By trust absolutely I mean:

  * will not abuse it.
  * Will not even look at the data I submit and can guarantee this.
  * will not get hacked and/or can guarantee my data's security if they do get hacked
  * won't get bored with this hobby. Which leads to:
  * will be there in 1, 10, and 50 years - or can 100% guarantee orderly step down if they don't make it.

More basic short term considerations that also are not addressed by this or any other service:

  * what if their server is down or under DDoS when I try to confirm my living state?
  * What if I can't get to a system and miss multiple emails?

These services are a good idea but there is a lot to be done before they can be considered as solving this problem.


Then make a key from two halves, one of which is physically in your home or similar.

I'd trust a "random" website further than google or similar.


Excellent way to make money :)

Just run this service for a few years without actually encrypting the data, then charge $20/month to NOT release the information.


This reminded me of the old Monty Python sketch "Blackmail"[1] where they charge people to not release information. The longer you wait the more it costs you. Very funny stuff. :)

[1] https://www.youtube.com/watch?v=wZgwNutwK0Y


Ah, the classic Bait and Switch SaaS.


Better solution?

Google Inactive Account Manager https://support.google.com/accounts/answer/3036514

And for sending emails in the future:

Boomerang for Gmail https://chrome.google.com/webstore/detail/boomerang-for-gmai...


Haha. Very sensitive code over http!


Not even just the code....your password and email are both over http.......


The form action for login appears to be https, but not the code...

I don't know why people bother not just httpsing everything if they have the cert. It avoids these types of worries and appearance.


The form action for registration is not https. Also, they have nothing to prevent a MITM from changing where the form action goes.

Why would anyone use this...


I see this:

  <form method="post" action="https://deadmansswitch.org/userhome.html">
    Email:<br />
    <input type="text" name="email" /><br />
    Password:<br />
    <input type="password" name="password" /><br />
    <input type="submit" name="login" value="Log in" /><br />
    <a href="/createaccount.html" title="Create an account">Create an account</a>
  </form>

Also, what does/can anyone do to prevent a MITM attack? Even if they sent an HSTS header or a redirect, they're still subject to that.


That is the login form. I'm not sure how to paste code onto hacker news so here is a pastebin of the registration form.

http://pastebin.com/Ctkw6S2h

Well a better practice would be all HTTPS for the site. There are a lot of problems with this and I will probably write a blog post about it.

Everything about this site misses every best practice. 1. No CSRF tokens 2. Small secret tokens to trigger the switch. 3. passwords over http...

It's a joke.


/me is unable to read :( sorry about that

Yeah, it is. Especially since their cert is over a year dead.


The cert is expired anyway.


I didn't even check. It expired in Jan 2013....wow I'm betting the project isn't maintained anymore?


The whois record mentions a contact at http://www.digital-z.net/ which returns

  <html>
  <head>
  <title>One...</title>
  </head>
  <body>
  <center>
  May you live in not too interesting dreams.<br>
  Thank you and good night.<br>
  </center>
  </body>
  </html>

... which would indicate they're gone. And the deadmansswitch.org has a footer that points to http://binarymonkey.com which has a 2008 copyright date. In one year the app's domain will expire which could be unfortunate if anyone expected an actual dead man's switch.


The bottom of the site says copyright 2014.


That could just be using a date() -type function.


It broke:

  Could not open file (/tmp/deadmansswitch//Apache-Session-1d3379ba5947e7943750160d5cfee2c7.lock) for writing: No space left on device at /usr/local/share/perl/5.14.2/Apache/Session/Lock/File.pm line 75.



Interesting site. Hope it is difficult to break into.

Does anyone know what happened with the woman who put up a post on Facebook (I think) saying that if people didn't hear back in a certain amount of time, she had last been to visit some guy? I am having a hard time finding the HN link.


One of my favorite short stories of all time is titled Death Switch, written by David Eagleman. It is about this idea extrapolated, well worth a read : http://deathswitch.com/deathswitch.pdf


I don't think anyone's said it yet, but... this is what an attorney is for. This website is stupid.

It's bad enough to trust any confidential information completely to a third party, let alone a website that could lose your information or go defunct in a few years. At least disclosures to attorneys are legally protected to the n-th degree, and the business is brick-and-mortar with a known location.

Add to that the fact that a regular e-mail is something that could easily be forgotten about, caught by a spam e-mail, lost when you switch accounts, etc. The problems with this idea are endless.


I too have thought about this. How am I going to pass on my account information/bitcoins and other secret detective work?

My idea was to open a security box in a bank that contained hand written keys to open an encrypted password store in some publicly accessible location.

If I died, that security box should go to the next family members who would be the only ones that can get access to it.

I fear there are loop-holes in that idea now..


Ever heard of geocaching? The idea is that you leave things hidden around the world with GPS coordinates and hints of the location and other geocachers will grab their GPS devices (or smartphones) and hunt down your cache based on the location provided and your hints. It's like a big scavenger hunt.

What if you looked up caching 'best practices' for how to safely store items in the weather, then stashed your valuable information somewhere nobody would find it. Keep track of the location the same way you would a geocache, but obviously don't publish it publicly. Then all you need to do is leave the cache-retrieving information in your legal will and the right people will have access to it at the right time, and it's as safe from prying eyes as you're ever going to get in the meantime :)


This seems like a good option if I am ever in an action movie and I need to tell the bad guy that all of the information will be released to CNN and the NYT if anything happens to me.

If I come up with something I can't tell my wife while I am alive, I will probably just put it in my will.


What prevents the bad guy from torturing you until you disable the DMS, then kill you?


Any good DMS of that calibre can't be disabled. The operator must take upfront payment and not care if you die or not, only fulfilling a contract you can't go back on. Sounds like something a Swiss bank could do for you, if stereotype is to be believed.


Well, that may be so, but try explaining that to a (probably) not so intelligent bad guy who will just continue torturing you. Maybe a good feature for a DMS system would be a fake shut off switch that appears to be convincing to an adversary.


Oh man, now that bad guy will torture swiss bankers...

As a second thought, could lead to a slower, but much more interesting movie.


I wouldn't trust a random service like this with anything worth putting on a dead man's switch. At a minimum you should use PGP, but sadly most of the people I'd want to use this with have no idea what PGP is. Maybe Keybase.io will eventually help with that.


I've thought about that service a lot and this solution is not working because:

* I have to constantly check my mails to prove I'm not dead

* The other person's mail will without any doubt change if I die in 10+ years

* Can this service live up to 50+ years? I'm really doubting that as well.


> * I have to constantly check my mails to prove I'm not dead

It nag mails you so you don't forget. Otherwise, add a reminder with a link to click on on the first of every month.

> * The other person's mail will without any doubt change if I die in 10+ years

You'll be clicking on this thing every month, I'm pretty certain if your SO's email changes you'll update it at that time.

> * Can this service live up to 50+ years? I'm really doubting that as well.

It only needs to be up when you die, again, you're clicking on this thing every month, if the service dies and you find utility in the concept, you'll find a different service to use.


> you're clicking on this thing every month

That's a huge problem. You tell me I have to click on a link at least once a month for the rest of my life.

First, I don't know if I'll have the same email for the rest of my life, if I change I'll have to think about changing that notification, that will have become spam in my mind.

Second, There surely will be a month in my life where I won't check my mails.

I can't think further, the thing has become a "hassle" that I have to constantly check and correct if someone changes their mail, or in case it would think I'm dead, and this, for the rest of my life.

IMO there are better solutions for this type of problem, we just haven't found them yet.


> That's a huge problem. You tell me I have to click on a link at least once a month for the rest of my life.

shrug from the point of view of someone who has opted in, this isn't a big deal. People don't change email addresses that often, and if you're the type who doesn't check email for longer than a month, then yeah, this isn't for you.

The bigger problem is that this service is hard to test. When you really want it to work there really isn't a second chance. Which means you shouldn't be relying on this thing 100%. It's best to put something in your will and instructions in a safe place.


> from the point of view of someone who has opted in, this isn't a big deal

Maybe you're not familiar with that kind of thing. Give it time, it will become a hassle to your mind and you will opt out at some point if the service hasn't shut down yet.

> People don't change email addresses that often

Did you have the same email address 10 years ago? If so woah, I don't know a lot of people who do.

> if you're the type who doesn't check email for longer than a month

I said at one point in life. I can see myself taking the Trans-Siberian for example, travelling through Australia, etc... for a month in a big adventure without internet.

It's hard to predict what's going to happen in your life. Being sure that you'll have internet at least once a month for the rest of your life is a ... extraordinary prediction.


At least the time limit is too long to use for Suicide-note-as-a-Service. If it were shorter, I would worry about that being the primary use case for something like this.


Hmm I don't like the idea of involving a third (untrusted) party with what could be basically the key to your whole online identity.

I would love to see a system which allows your heirs to access online accounts without having to fear that a simple government request will hand them everything they need on a silver plate (including stuff not obviously related to you).

Probably physical objects need to be involved (code on paper etc) but then again how to make sure the next best burglar doesn't get the prize of his lifetime.

Does anyone know of such a solution?


> Probably physical objects need to be involved (code on paper etc) but then again how to make sure the next best burglar doesn't get the prize of his lifetime.

> Does anyone know of such a solution?

Put it in a safe deposit box at your local bank?


Pretty much.

All my online logins are long random passwords stored in either 1Password or my phone. I've considered writing up my password (to 1PW), and computer unlock PW, and dropping it in my safe deposit box, updating it monthly or whenever I change those passwords.

Any good reason not to?


First thing that comes to mind- not a lawyer but:

It's probably going to be harder to force you to divulge a password in a court case than to just subpoena the piece of paper with your password on it and the computer with the 1PW database.


But wouldn't that allow a simple subpoena to get access to everything?

Certainly it's the best bet against criminals


>Does anyone know of such a solution?

I coded something like this myself a while ago. You can run it on a server or a local computer. The data is encrypted, no need to trust third parties:

https://github.com/licnep/afterlife-plans


The obvious way of granting something to your heirs is to include it in your last will and testament. You could split the keys to your identity among different heirs, or give the complete key to any one of them.


Encrypt what you put behind the Dead Man's Switch, and then give the recipient/heir the key. If you want to get fancy, break the key up into two or more parts and split them among your heirs.


Well, split the payload between them with instructions, and get done for once.


Please no one actually use this. There is no reason to trust this site with sensitive information, and there is even some evidence it may no longer be maintained (see logn's comment.)


I like it. There should also be a "delete" feature in addition to notification. Sort of a self-destruct dropbox (in the generic sense) to contain your most private and personal data -- bits you want to "take to the grave" with you, so to speak. They only exist there for as long as you respond to the ping, otherwise they're deleted. Maybe it's already thought about by the creators, but it's not apparent in the description. My $0.02


Meh, why not just store them locally (or on Dropbox) encrypted with a key only you know?


I bought deadmansswit.ch a couple of years ago and started building something similar to this, at least in terms of the "do something useful when a period of time with no contact had elapsed", but none of the "do something useful"s required needing your credentials for anything.

Domain is freely available again, I gave up on the project and rolled the useful code into something else.


I'm curious, when would you actually use this?

I mean obviously the imagination readily conjures up movie scenarios, 'if anything happens to me your nefarious plans for world domination will be sent to the New York Times!' but in real life the evil overlord could counter that in half a dozen ways.

Is anyone here looking to use such a service, and if so, for what sort of purpose?


For a second I thought this was a link to https://deadmanssnitch.com, which is a fantastically simple cronjob monitor.


I thought of something similar to send tweets from the grave, you add an app to twitter and it'll start tweeting messages after you stop tweeting for 2 years.


I think an app on your phone is a better way, if the phone has not moved in the last 24 hours or whatever, then an email could be sent. Something like that.


I wrote a quick bash script for running a simple dead man's switch a few years ago: http://blog.mcglew.net/2012/09/dead-mans-switch-on-linux-par...

You can reset the switch in any way you like, I was playing around with emailing through single-use codes and port knocking and so on. One I never got around to trying is a basic phone check: You have a cron job that scans all bluetooth devices within range and checks for your phone's MAC address. If it's there, it resets the timer. If you're out of physical range (or turn off your bluetooth) for too long, it triggers the switch.

Not quite what you described but it does perform some of the same function.


so if you lose your phone? Change your phone? etc...


Why would I send sensitive data to an unknown website? Makes no sense. And if the data is too valuable, good reason to kill me and get a treat.


30 days seems long, but I guess if I am in a hurry I could set up 10 of them with 3 days in between so that it is always 72 hours out...


We're pretty much surrounded by internet wherever we go these days but still, I could imagine taking four weeks off without any access to the internet and wouldn't want people to think I died.


You'd need to only answer every email 27 days after receipt, which can be easily automated (not the answer, but you could delay it being shown in your inbox, or forwarded to your main or something) but it would be a pain to keep it up and not reveal info that could be harmful to the still-living you. And when you die... spam everywhere? Is that really how you'd like to be remembered? :)


This is a scary thing to be the person running, no? Could be the hook for a great thriller.


> Every effort is made to protect your information

except for hosting the service in NSA country


Looks like the certificate on this site has since expired.


here's another type of dead man's switch, embed "where now() < '1st January 2016'" in your SQL :)


At least nobody can say the NSA isn't creative.



