Hacker News Comments on
DEF CON 23 - Chris Rock - I Will Kill You
DEFCONConference · Youtube · 159 HN points · 12 HN comments
Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this video.
The mechanics of birth/death registrations was once covered in a Blackhat talk.
This reminds me of a Defcon talk.[0]
In Australia before a certain date the states/feds didn't keep a record of your face if you got a licence/proof of age card. If you find yourself in this position all that is required is non photo id and a statutory declaration signed by a friend to authenticate your identity.
This reminds me of the "I Will Kill You & Birth You" DEFCON presentation by Chris Rock.
⬐ KirillPanov
Holy poop that video is hilarious. And great.
Summary to convince you the link is clickworthy:
Basically death certificates are the "identity system" version of free(). They're how identities (which are valuable) become no longer valid. He shows how to hack this, which is much easier than the malloc() side since adult death certificates are valid immediately whereas adult birth certificates need to be aged (at least) 18 years.
It is stupidly easy to get certified as one of the roles (coroner, funeral director, etc) that are allowed to file death reports, which nowadays are just text boxes and clicking on a webpage. This results in a death certificate listing whatever the attacker desires. In particular, they get to declare the next of kin. These declarations fail to be validated shockingly often.
End results are (a) life insurance fraud (b) probate fraud and (c) pretty vicious revenge served cold, since getting declared dead causes a ton of huge problems for the target but not for a while (e.g. when passports come up for renewal).
His delivery is also awesome, a bunch of really funny deadpan jokes.
Best quote: slide title "reasons for killing someone". Last bullet point "Kill your opposing lawyer, the judge, or IRS auditor to slow them down."
On the subject of people being declared dead, there's a good defcon talk about abusing how easy it is to declare someone dead. "Chris Rock - I Will Kill You" https://www.youtube.com/watch?v=9FdHq3WfJgs
Death certificates aren't exactly hard to fake.
An alarming amount of societal functionality depends on what effectively amounts to the honor system. This is especially true when it comes to any sort of gatekept specialty profession, like coroners for example.
There was a great talk at DefCon about faking death: https://m.youtube.com/watch?v=9FdHq3WfJgs
⬐ cortesoft
I don't know if that is a solvable problem. Society is trust, and it always takes trusting someone to make any system work.
People try to build trust-less systems all the time (like blockchains) but always run up against someplace where trust is required.
⬐ oefrha ⬐ corporate_shi11
Trust, but verify. In the TFA case at least, it shouldn’t be that hard to call the office’s number (not the filled out Google Voice number of course, but there has to be a number published by/available through reliable parties) and confirm “is it really your office who’s registering the domain”? if (printed on official letterhead) { return authorized; } is beyond stupid.
⬐ cortesoft
Right, but then you are trusting that number list... how is that generated? Can I call someone up and get that number changed?
This is an incredibly important comment. You cannot legislate loyalty to the country. You cannot legislate morality. You cannot legislate most of what makes a country a hospitable place to make a life.
Culture matters more than anything else.
Most jurisdictions (US and otherwise) have moved to Electronic Death Registration Systems. There was a fun Defcon talk about "killing" people with them a few years ago - https://www.youtube.com/watch?v=9FdHq3WfJgs
⬐ Scoundreller
And apparently a big problem if someone fat fingers your SSN and kills you by accident. Most systems aren’t designed to unkill you to correct the mistake.
It's not only Facebook who have this process insufficiently secured. The process for administering real death is also not really tamperproof. There is a hilarious defcon presentation on virtually killing someone and getting a real death certificate: https://www.youtube.com/watch?v=9FdHq3WfJgs
Improperly reporting someone dead, or misrepresenting someone's will is something "you don't do" so the system is designed to minimize friction/pain.
> The United States. I assure you that even though other countries have credit reporting, they do not use SSNs.
They use ID cards with at least some features to make forging said ID cards more difficult, unlike the US SSN which is pretty much just a number on a piece of paper.
This is mainly an issue of authentication and as long as your credentials remain crappy/easy to guess/easy to forge (like the US SSN system), that long it will stay easy to game the system.
Imho this def con talk about birthing and killing virtual babies might also be quite relevant to the issue, tho it's not entirely focused on the US: https://www.youtube.com/watch?v=9FdHq3WfJgs
The speaker's previous presentation at a different year of the same conference, about using online records to fabricate your own death or the birth of a made-up baby, is also worth watching: https://www.youtube.com/watch?v=9FdHq3WfJgs.
⬐ pilif
Thank you very much for posting this. This is nearly unbelievably bad and also reminded me of last weekend's discussion here: https://news.ycombinator.com/item?id=12511202 and brings that into a completely new light: Why even bother trying to vanish in order to fake your death when you might just as well just fill out the required forms on your own.
The DefCon talk on this two years ago was pretty good. http://www.computerworld.com/article/2966130/cybercrime-hack...
Video of this talk: https://www.youtube.com/watch?v=9FdHq3WfJgs
⬐ rconti
I didn't see that one, but I saw his "How to overthrow a government" this year:
Reminds me of a DefCon speaker that talked about exploiting a bunch of websites to order death and birth certificates. Really eye opening, and potentially devastating if it's done to you.
⬐ swalsh
I haven't watched it yet, but most defcon social engineering talks take advantage of this innate thing in human nature that just assumes you're authentic. Probably because it's infinitesimally rare that someone is trying to run a con. Can be quite sobering, but at the same time, it's nice to know most people try to help others (even at the haste of security).
⬐ TheDong ⬐ seanwilson
Well, you should have watched it first because your comment isn't relevant.
The talk is about exploiting terrible digital security, not social engineering.
⬐ hluska
Your comment is overly aggressive and rude - it has no place in a community like this.
⬐ hkon... ⬐ caminante
Not sure if you caught this, but swalsh's comment starts with:
"I haven't watched it yet..."
TheDong's not saying "RTFA" nor is he aggressive and rude.
I've always been curious what happens if your records get hacked or accidentally lost/changed. How do you allow people to correct problems here without leaving it open to exploits?
I'm guessing you're asked to prove who you are with data from lots of different departments (e.g. employers, passport office, bank)?
⬐ rwmj ⬐ lostlogin
Sorry to link to vice.com, but this article about the US "dead people database" was quite interesting. The database (predictably) gets things wrong occasionally because people mistype an SSN or whatever, and when that happens to you it seems to be very difficult to fix it: http://www.vice.com/en_uk/read/how-living-people-are-wrongfu...
⬐ tastythrowaway2
what's wrong with linking vice as a source?
⬐ rwmj
Well I was reading it, so I suppose I don't think it's that bad :-( However it is generally lightweight "yoof" nonsense.
⬐ CPLX
Vice is arguably the most ambitious and credible investigatory broadcast news organization on the planet these days, save perhaps the BBC.
⬐ ihsw
It also opens itself up to peddling tripe for talentless hacks that have no business reporting the news much less writing tacky blog posts.
Some of Vice is ambitious and credible, I was a huge fan of their Ukrainian Conflict investigative coverage and watched it regularly, but like I said Vice does peddle tripe.
⬐ jknoepfler
To be fair, tripe packaged clearly as "tripe" is fine, and has a place in my kitchen.
⬐ ihsw
This is an excellent point.
A few of that here in New Zealand. People pick a grave of someone who would have been their age (ideally a baby as they won't have many documents associated with them). Get a birth certificate and use that to get more documents. A member of parliament did it once. https://en.m.wikipedia.org/wiki/David_Garrett_(politician)
⬐ probably_wrong
For those looking into how this plays in real life, here are two articles from a legal humor blog: one about the man mentioned in the presentation[1], and another one aptly titled "Legally dead man sentenced to be actually dead"[2].
[1] http://www.loweringthebar.net/2014/08/feds-say-legally-dead-...
[2] http://www.loweringthebar.net/2014/09/legally-dead-man-sente...
⬐ aw3c2
> Unfortunately, this video is not available in your country because it could contain music from SME, for which we could not agree on conditions of use with GEMA.
Thanks for using non-free music. :(
⬐ kephra ⬐ Joeboy
Is there an alternate source for this video, who does not censor?
⬐ None
None
⬐ pille
> Thanks for using non-free music.
You're putting a lot of faith in GEMA's judgement on the matter, aren't you?
⬐ arsenide
If it is not a false judgment, then what is the problem?
⬐ Joeboy
The video contains a fairly lengthy clip of Don't Fear the Reaper by the Blue Oyster Cult.
UK undercover police recycled the identities of children who died young, borrowing a technique described in Frederick Forsyth's The Day of the Jackal. http://www.theguardian.com/uk/2013/feb/03/police-spies-ident...
⬐ TrevorJ ⬐ fao_
I'd be pissed if I was a parent of one of those kids.
⬐ scott_karana
I'd look into suing them, too. "Willful impersonation" is probably illegal, unless there's some nasty LEO-covering provision.
Perhaps put 'DEFCON 23 - ' in the title?
⬐ chillydawg
That is fantastic.
⬐ yock
I'm missing the epilogue here. His video implies that he really went through this process with a real person, so where's the fallout?
⬐ thisjepisje
http://www.imdb.com/title/tt0060955/
⬐ matt_morgan
This title is kind of off-putting out of context, so here's what it's about (from the description on the video):
"Have you ever wanted to kill someone? Do you want to get rid of your partner, your boss or your arch nemesis? Perhaps you want to enjoy your life insurance payout whilst you’re still alive. Do you have rich elderly parents that just won’t die quick enough? Or do you want a “Do Over” new identity.
Then, this presentation is for you! I’ll provide you with the insight and techniques on how to “kill” someone and obtain a real death certificate and shutdown their lives. It focuses on the lack of security controls that allow any of us to virtually kill off anyone or any number of people ...
The presentation will explain the death process and will highlight the vulnerabilities and its implications world-wide ...
The third and final step of the presentation is “The baby harvest”, a concept that I’ve developed, which involves creating and raising virtual identities ..."
⬐ jessriedel
Amazing how similar this is to some academic physics papers in trying to make boring results more interesting by choosing ear-catching phrasing. I hear this stuff so much I immediately quit wanting to listen to the author.
⬐ jMyles
I gotta admit: I'm kind of a sucker for it. I like how the DefCon talks have a certain passion to them. Sometimes I think that people who are obsessed with inventing... well, we give off the vibe that we aren't excited about living our lives.
I'm up at 5:24AM my time really taking a deep dive into twisted thread management. Why? Well, if I had a reason like, "I WILL KILL YOU," then I might actually want to answer that question.