The most telling or disturbing thing I learned from a recent article posted here about the Crypto-related kidnappings was how criminals found some of their victims’ addresses and personal information in marketing data that companies kept on their customers.
mcintyre1994 · 1h ago
The recent Coinbase leak is mostly stored KYC data AFAIK, so even if the company isn’t using it for marketing, they’re probably being forced to store data that they’re not responsible enough to protect.
echan00 · 50m ago
If the title read 'human charged with kidnapping and torturing a man' instead does that mean all humans are bad? I fail to see the linkage here
tux3 · 23m ago
The whole point of the kidnapping and torture was to steal bitcoin cryptocurrency.
Of course it's material to the story. It'd be completely artificial to pretend otherwise.
When the weakest link between the criminal and the cryptocurrency is a single person (the holder himself in this instance), that person alone would need to withstand all attacks and “rubber hose cryptanalysis”.
fallinditch · 4h ago
The most effective protection is a combination of discretion, strong security practices, and advanced wallet configurations like multisig and passphrase protection.
You could store passphrases in a hardware wallet in a bank vault in a small European country.
thebruce87m · 1h ago
> You could store passphrases in a hardware wallet in a bank vault in a small European country.
A little bit of irony here having to store your crypto related stuff at a bank to keep it safe.
grues-dinner · 1h ago
And in the "socialist" Big Government over-regulated hellscape of Europe no less.
I would have thought one of those libertarian seasteads or enclaves would be axiomatically the best place for such things?
Physical security for digital credentials is the main point here, that doesn't always imply a regular bank, many modern banks lack the bank vaults of yore in any case.
This is part of why I designed Tarsnap to keep data as secure as possible, even from me. If someone stores their crypto keys -- or world domination^W optimization plans -- on Tarsnap, I don't want to get kidnapped and tortured by anyone trying to steal that data.
episteme · 1h ago
If torturing and kidnap are on the table, how does this help? They can torture you to give them the keys just like a password.
j3th9n · 1h ago
You might want to study asymmetric cryptography.
chistev · 4h ago
Who can access it?
ta988 · 4h ago
the person who uploaded it only (or whomever they shared keys with)
lazide · 1h ago
Okay, so kidnap them, right?
brazzy · 3h ago
You really think the kind of people who do such things will read your website and just give up? "Aw shucks, he's using e2e encryption, no point trying anything"?
razemio · 2h ago
You misunderstood the comment. He cannot access the data. You need to find the person who uploaded it, despite him hosting said data.
VTimofeenko · 2h ago
I think you misunderstood the comment. Or maybe I did.
My understanding: the rubberhose crypto-analysis, even if unsuccessful, will result in some major damage done. Determined attacker might try to apply it regardless of any online statements on the off chance that the statements are wrong.
brazzy · 51m ago
You understand correctly. I suspect that in the experience of such attackers, it's not even an "off chance". They're probably up against exaggerated claims of security more often than truly well-founded ones.
brazzy · 59m ago
And you really think that people who routinely use torture to extract information, and for whom claims that "I don't know it!" is basically the standard obstacle to overcome, will just believe him without even trying, because it's "math" and therefore true?
The reality is, in the xkcd Rubberhose cryptanalysis scenario, being actually unable to give up the information is a MUCH WORSE situation to be in than having a key to give up before they permanently maim/kill you. It might be better for a third party who benefits from the information remaining secret, but not for the person unable to divulge it.
But thinking you're safe because the attackers will read, understand, and believe your claims of uncompromisable cryptographic security is dangerously naive.
razemio · 34m ago
Ah okay, I get what you mean now. I thought your comment was suggesting he actually can access the information.
I still believe, which might indeed be naive, that this is the best way. It results in a failed mission lowering the risks for others and if applied for all these services (again naive), in a general understanding.
private_island · 3h ago
Bring back the penny. A bag of them can be used to stop an attacker.
blooalien · 1h ago
> Bring back the penny. A bag of them can be used to stop an attacker.
You'll just have to use a sock fulla nickels now I guess ... :shrug:
Great job score one for crypto holders who plan on not revealing their key under torture.
add-sub-mul-div · 4h ago
Technology isn't even a cool field anymore, the major innovations (crypto, blockchain, AI) have such a film of sliminess around them. You have to ignore or be ignorant of the fact that they're going to be used for scams and bullshit more than for good.
stephenr · 3h ago
> the major innovations
You mean the overhyped extremely niche technologies?
nailer · 3h ago
The idea that a technology that challenges Google search, and digital money are ‘niche’ is… odd.
bpodgursky · 4h ago
This is said to happen in Russia all the time, except the police never intervene and the bodies are just incinerated once the keys are tortured out.
greatpostman · 4h ago
There's a lot of really rich crypto people in NYC that are up to no good.
Tangentially, avoid showing up unannounced at grandparents house: https://www.youtube.com/watch?v=oZZmFG07OVs
Personal and physical security for founders, operators, and investors
[0] https://a16zcrypto.com/posts/article/personal-physical-secur...
Maybe there should be a version for investors to stay safe from a16z also
considering that the crypto investor was a man and assuming that the man acquired the wallet he was tortured for by investing in crypto.