I saw this tiktok where this guy was talking about how he’d get his hands on real social security numbers… this was a clip from a whole story he told about some criminal shit, I was too distracted by my thoughts on how to fix the exploits he used.

Block chains and cryptographic signatures would solve basically every one of his exploits. But regardless of the myriad of reasons as to why we won’t adopt cryptography into American laws and bureaucracy, imagine if we did do everything involving government and policy in a cryptographically secure environment.

Imagine if everyone who is born gets assigned a gpg secret key signed by the government and that is your government ID for everything from opening a bank account to paying your taxes to claiming benefits. IMPO I think this is a perfect solution (iif you ignore the human element).

So my question is why wouldn’t it be perfect, and what kind of exploits could bad actors use in a cryptographic bureaucracy?

  • Anarch157a@lemmy.world
    link
    fedilink
    arrow-up
    20
    ·
    edit-2
    5 months ago

    if you ignore the human element

    And that’s you problem right there. The same people that can get tricked into revealing their SN#, mother’s maiden name, etc. are the ones who would reveal their private keys to a scammer.

    Fraud is a social problem, technology can assist in managing them, but not solve the issue. In the end, it’s all about the human factor.

  • CameronDev@programming.dev
    link
    fedilink
    arrow-up
    17
    ·
    5 months ago

    A gpg key has to be stored on something, and that can be stolen or lost. (Or degraded over time).

    You are essentially pushing for 1 factor authentication. Its a strong factor, but still just 1.

    • danhab99@programming.devOP
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      True,

      There are many ways to do this, for example a person can sign a new key with their old key when their old key is due to expire, we have many rotating government IDs.

      As for the human element, social security cards and driving licenses get lost/stolen/worn out too, crypto keys have the potential to be just as durable as existing solutions.

      • Rhynoplaz@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        5 months ago

        I hope I don’t have to remember all of my kids passcodes until they are old enough to have them themselves.

        • danhab99@programming.devOP
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          We’d need a purpose made gpg like system for this level of complexity so I have no doubt that there would be a way to have parents cryptographically prove they’re their children’s parents. It’s just a matter of design

      • fmstrat@lemmy.nowsci.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        You have the same problems we have with passkey today. If the key is compromised, and you don’t have a separate recovery method, how would a third-party know if you rotated the key or the attacker did? Keys are the way to go for these things, yes, but processes and management at a human level are required.

        • danhab99@programming.devOP
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          5 months ago

          Guys

          Guys

          Guys

          Cryptography doesn’t replace people… Some bureaucrat will probably manually generate keys for new people… If you make new keys you’re probably gonna go get them signed maybe even in person.

          It’s just supposed to replace the garbage ass id systems we have today with something more utilitarian

          • fmstrat@lemmy.nowsci.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            5 months ago

            Yes, that’s what I was saying. In any event, the US is the only country with a dumb sequential SSN anyway, since no one seems to want a secure national ID that everyone else has.

      • howrar@lemmy.ca
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        If you provide people with the means to replace lost crypto keys, then you’ve lost the security gained from using them.

  • jordanlund@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    5 months ago

    SSNs aren’t tricky by design.

    3 digit area number, 2 digit group number, 4 digit serial number.

    https://www.ssa.gov/history/ssn/geocard.html

    So 1,000 combinations x 99 combinations (00 is not a choice) x 10,000 combinations.

    990,000,000 potential SSNs. The only trick would be determining which ones are valid and which are not.

    (0… 0… 0… - 0… 0… - 0… 0… 0… 2 - DAMN YOU ROOSEVELT!)

    In any given area and group there are only 10,000 SSNs.

  • intensely_human@lemm.ee
    link
    fedilink
    arrow-up
    6
    ·
    5 months ago

    Fraud is conducting business under false pretenses.

    What you’re referring to with obtaining social security numbers is basically “identity theft”, a term which makes a lot of sense in cybersecurity.

    An SSN is basically (terrible) authentication credentials. So it’s credential theft. If you want you can call a bundle of credential factors an “identity” and then real life and computer identity theft become the same thing.

    So basically you can go two ways with it.

    One is fraud’s still the same and that wasn’t fraud per se that you were referring to before (except technically, in the sense identity theft is a subset of fraud).

    The other is that to get your hands on people’s credentials, you’d get a copy of that GPG key. Maybe that means physical access, stealing the key, whatever. If you said biometric then that’ll eventually be spoofable due to biotech.

  • SavvyWolf@pawb.social
    link
    fedilink
    English
    arrow-up
    2
    ·
    5 months ago

    Giving everyone a gpg is a fair idea (with pros and cons), but I’m not sure what you mean by including blockchain?

    • danhab99@programming.devOP
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      Any and all public record keeping would be done on a block chain. For example it’s not a secret who owns a given house, you can look up property and tax records. Smart contracts on a block chain work just as well as paper contracts if they’re given the same respect by the courts.

  • rufus@discuss.tchncs.de
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    5 months ago

    Well if they properly embraced it, you wouldn’t get one PGP key implanted at birth. I mean if that private key ever leaks, you’re screwed for the rest of your life. And the blockchain has sever shortcomings, too. It’s not anonymous, everyone can see every transaction and it’s not fast enough for lots of applications.

    It’d need to be implemented properly. And most importantly include privacy. You can’t just expose millions of people to every attacker. And please think of the not obvious cases… How someone operate it who’s in the hospital and unconscious… What if you lost your phone… How can you keep secrets from your (abusive) partner… What about separation of state and private companies… How to prevent a scifi dystopia…

    I think if like a few hundred millions of people are subject to it, it needs to be done properly. And I think that’d be possible if the government payed some experts to come up with a really good solution.

    Keys need to have sub-keys, IDs be randomized, there needs to be some human in the loop in case something goes wrong. Attestation and not just giving out everything to every company…

  • asudox@lemmy.worldM
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    4 months ago

    While I do think it would strengthen the security, anyone that can trick someone into giving them their SSN can also trick that someone into giving them their private key.

    This would be advantegous for everyone, but private keys would still be stolen.

    I’m all for a cryptography embracing government though. A GPG key is far superior to a short number sequence that can be predicted easily.

    Although not great, where I live, at least, we have a way to digitally sign digital documents using public key cryptography.

    One thing is that I believe we will eventually have cryptographic keys assigned to us instead of those insecure SSNs. But who knows when that will become reality.

  • afraid_of_zombies@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    5 months ago

    Continue to work for a government contractor I guess would be the easiest. It’s all a sick fucking river of dirty money. I do my best to stop it when I can but it’s like bailing out a lake with a bucket.

    However, if I wanted to change work I imagine the path would be to get an education in financial or insurance and then a job with some bank or insurance company. Be a fair amount of effort but I would be able to commit fraud on a much larger scale.

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    5 months ago

    Firstly blockchain will do nothing in this situation so let’s ignore that.

    as for gpg the problem is in order to decrypt the data you need to share the private key which is the exact same problem we currently have. You need to share your SSN for checks to be done and the orgs you share your SSN with are terrible at keeping them secure.

    While it is a nice thought experiment you aren’t doing anything new just replacing a SSN with a gpg all the same technical problems are there.

    • valaramech@fedia.io
      link
      fedilink
      arrow-up
      3
      ·
      5 months ago

      That’s kinda backwards, isn’t it? If I want to verify my identity to a company, they would send me something that only I could decrypt. Some government agency provides all the public keys of all citizens, the company takes my public key, encrypts some secret with it, sends it to me, and asks me to decrypt and return it. If I’m able to do so, I must be who I say I am otherwise I would not be able to decrypt the secret.

      In an ideal world, the company (or, even better, the employee) would have a similar certificate that I could use to encrypt my response with.

      • slazer2au@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        True, but you know orgs are going to want your private key anyway. Remember ssn is not suppose to be an identification system, it was never designed to be and yet it is used as such.

        If they are doing shit wrong with a SSN what makes you think they will do shit right with gpg?

        • valaramech@fedia.io
          link
          fedilink
          arrow-up
          2
          ·
          5 months ago

          In this theoretical system, ideally it’s illegal for anyone other than the person who’s supposed to have the private key to have it - excepting some subset of legal reasons (e.g. parents for their children). So, the only business that would be asking for people’s private keys are the kind that are already operating outside of the law.