
Dead Man's Switch - AndyBaker
http://deadmansswitch.org/
======
john_b
This is something I've thought about, and as I see it a lot of the problems
common to crypto software are manifest in this space as well. Specifically
with regard to security vs useability/ease-of-adoption issues.

This particular implementation transmits sensitive data in the clear and does
the encryption server-side, so it's hard to take it seriously except as a
remote (and unsecure) notification service.

Aside from that obvious shortcoming, a truly secure and reliable DMS system
would need the following properties, possibly more:

1\. All data encrypted client side and sent to system only in encrypted form

2\. Anonymous

3\. Distributed (no single point of failure for DDOS attacks or subpoenas)

4\. Any data sent into the DMS system is split into several pieces and only
reassembled after the set time without a response has elapsed and the switch
is triggered

A peer-to-peer application that transmits data exclusively via TOR would
probably be most secure, but it's unclear what the motivation for running an
instance of this kind of P2P application would be (since it's all encrypted
you aren't downloading anything useful) or how many people would actively
participate. Any server-based system would need to have a large number of
servers in multiple countries to be robust to technical and legal challenges,
and that sounds expensive. At the same time, a reliable and anonymous DMS
system is something that I can see people paying a small subscription fee for.

Any way you slice it, it seems like there are a lot of hard problems to solve
in this area, but a reliable DMS service would be extremely useful.

~~~
jarrett
In any protocol, how would you manage the decryption keys? If the file's owner
is dead, s/he can't provide the keys. So that means the keys must be
transmitted to some trusted party _before_ the owner's death.

That party could be the dead man's switch service, but do you want to trust
them? I wouldn't. (Nothing against the operators of this site. It's just
inherently risky to trust a website operator in this type of situation.)

Alternatively, the key can be given in advance to the files' intended
recipients via some secure channel. For example, suppose Alice wants Bob to
receive the files upon Alice's death. Alice can deliver the decryption key(s)
to Bob in person, electronically with PGP, or in some other sufficiently
secure manner. But in this scenario, Bob has to know about Alice's deadman's
switch in advance.

So I'm wondering: Is there any way to do this a) with encryption, b) without
entrusting the keys to the operator of the service, and c) without informing
the recipients in advance?

~~~
StavrosK
Yes, that's what PGP is for. Encrypt whatever you want to the recipient(s)'
public keys, done.

~~~
jarrett
I should have mentioned: I was assuming the recipients weren't necessarily PGP
users. Realistically, most people aren't. I'd imagine a dead man's switch
would often be used to send documents to law enforcement, lawyers,
journalists, etc. How many of those people have PGP public keys? If they
don't, then you have to ask them to create one. Besides the difficulty in
getting people to adopt PGP, you're also back the problem of disclosing your
dead man's switch prior to your death.

------
Ryel
I wish there was a better way of determining whether you were alive or not.

There's an endless number of possibilities as to what could happen in order
for me to not be able to go online and verify with that link. Why would I put
myself through the stress of potentially forgetting and now I have to worry
about the secrets of my dying breathe being released to the public while I'm
still around.

If I wanted anything to be taken care of I'd feel much safer keeping it in
offline storage with a note attached.

What I think you should do is have a tiered level of notifications. For
example an email every week is the first round of notifications. Then I wonder
if you could pull my last login info from major services that are going to be
around for awhile like Amazon, Google, Apple, Facebook(debatable), and if I
havent logged into any of those services in 1 week, then go to the final round
of notifications which is an in-person phone call.

~~~
whywhywhy5
How about a site where you enter your SSN? Then if you're ever listed as
deceased in the Social Security Death Index, that will be the trigger.

~~~
steveklabnik
SSNs aren't unique, so this seems quite risky.

~~~
benmanns
Wow! I had no idea. According to [http://www.idanalytics.com/news-and-
events/news-releases/201...](http://www.idanalytics.com/news-and-events/news-
releases/2010/8-11-2010.php)

> More than 15 percent of SSNs are associated with two or more people. More
> than 140,000 SSNs are associated with five or more people. Significantly,
> more than 27,000 SSNs are associated with 10 or more people.

~~~
steveklabnik
Yup. It was stated over and over again that SSNs were not supposed to be a
form of ID, but nobody pays attention...

~~~
jimktrains2
I've always wondered how the SS administration deals with this. SSN _should_
be unique, but in practice they're not, so how do these people deal with taxes
and _gasp_, social security?

~~~
chid
If I were to guess I'd say they use other ID factors such as name/dob

------
simonswords82
This is an idea that has been around in various forms for a number of years. A
number of other sites have popped up but like a number of people have already
said, I don't trust random third parties with the keys to my online life.

~~~
noir_lord
Two keys, you put one on memory sticks which you give to friends/family you
trust.

In the event anything happens to you the other key is sent to those people
allowing them to decrypt it.

Service can't access your data as it only has one and same for trusted person.

I'm sure something like this already exists (and tbh the level of effort
required to set it up pretty much makes it unlikely to catch on) but it is
theoretically workable.

~~~
bentcorner
You don't need any keys. Just say "I wrote how to log into my email on a piece
of paper in the safe deposit box. You may have found it already."

~~~
mitochondrion
But that doesn't have enough points of failure!

------
alasdair_
Excellent way to make money :)

Just run this service for a few years without actually encrypting the data,
then charge $20/month to NOT release the information.

~~~
Corrado
This reminded me of the old Monty Python sketch "Blackmail"[1] where they
charge people to _not_ release information. The longer you wait the more it
costs you. Very funny stuff. :)

[1]
[https://www.youtube.com/watch?v=wZgwNutwK0Y](https://www.youtube.com/watch?v=wZgwNutwK0Y)

------
whileonebegin
Better solution?

Google Inactive Account Manager
[https://support.google.com/accounts/answer/3036514](https://support.google.com/accounts/answer/3036514)

And for sending emails in the future:

Boomerang for Gmail [https://chrome.google.com/webstore/detail/boomerang-for-
gmai...](https://chrome.google.com/webstore/detail/boomerang-for-
gmail/mdanidgdpmkimeiiojknlnekblgmpdll)

------
gprasanth
Haha. Very sensitive code over http!

~~~
theboss
Not even just the code....your password and email are both over http.......

~~~
jimktrains2
The form action for login appears to be https, but not the code...

I don't know why people bother not just httpsing everything if they have the
cert. It avoids these types of worries and appearance.

~~~
theboss
The form action for registration is not https. Also, they have nothing to
prevent a MITM from changing where the form action goes.

Why would anyone use this...

~~~
jimktrains2
I see this:

    
    
    						<form method="post" action="https://deadmansswitch.org/userhome.html">
    							Email:<br />
    							<input type="text" name="email" /><br />
    							Password:<br />
    							<input type="password" name="password" /><br />
    							<input type="submit" name="login" value="Log in" /><br />
    							<a href="/createaccount.html" title="Create an account">Create an account</a>
    						</form>
    
    

Also, what does/can anyone do to prevent a MITM attack? Even if thy sent a
HSTS header or a redirect, they're still subject to that.

~~~
theboss
That is the login form. I'm not sure how to paste code onto hacker news so
here is a pastebin of the registration form.

[http://pastebin.com/Ctkw6S2h](http://pastebin.com/Ctkw6S2h)

Well a better practice would be all HTTPS for the site. There are a lot of
problems with this and I will probably write a blog post about it.

Everything about this site misses every best practice. 1\. No CSRF tokens 2\.
Small secret tokens to trigger the switch. 3\. passwords over http...

It's a joke.

~~~
jimktrains2
/me is unable to read :( sorry abotu that

Yeah, it is. Especially since their cert is over a year dead.

------
tempodox
It broke: <pre> Could not open file (/tmp/deadmansswitch//Apache-
Session-1d3379ba5947e7943750160d5cfee2c7.lock) for writing: No space left on
device at /usr/local/share/perl/5.14.2/Apache/Session/Lock/File.pm line 75.
</pre>

~~~
flym4n
[https://web.archive.org/web/20140101055243/http://deadmanssw...](https://web.archive.org/web/20140101055243/http://deadmansswitch.org/)

------
allochthon
Interesting site. Hope it is difficult to break into.

Does anyone know what happened with the woman who put up a post on Facebook (I
think) saying that if people didn't hear back in a certain amount of time, she
had last been to visit some guy? I am having a hard time finding the HN link.

------
gourneau
One of my favorite short stories of all time is titled Death Switch, written
by David Eagleman. It is about this idea extrapolated, well worth a read :
[http://deathswitch.com/deathswitch.pdf](http://deathswitch.com/deathswitch.pdf)

------
bigmario
I don't think anyone's said it yet, but... this is what an attorney is for.
This website is stupid.

It's bad enough to trust any confidential information completely to a third
party, let alone a website that could lose your information or go defunct in a
few years. At least disclosures to attorneys are legally protected to the n-th
degree, and the business is brick-and-mortar with a known location.

Add to that the fact that a regular e-mail is something that could easily be
forgotten about, caught by a spam e-mail, lost when you switch accounts, etc.
The problems with this idea are endless

------
jonalmeida
I too have thought about this. How am I going to pass on my account
information/bitcoins and other secret detective work?

My idea was to open a security box in a bank that contained hand written keys
to open an encrypted password store in some publicly accessible location.

If I died, that security box should go to the next family members who would be
the only ones that can get access to it.

I fear there are loop-holes in that idea now..

~~~
err4nt
ever heard of geocaching? The idea is that you leave things hidden around the
world with GPD coordinates and hints of the location and other geocachers will
grab their GPD devices (or smartphones) and hunt down your cache based on the
location provided and your hints. It's like a big scavenger hunt.

What if you looked up caching 'best practices' for how to safely store items
for in the weather, then stashed your valuable information somewhere _nobody_
would find it. Keep track of the location the same way you would a geocache,
but obviously don't publish it publicly. Then all you need to do is leave the
cache-retrieving information in your legal will and the right people will have
access to it at the right time, and it's as safe from prying eyes as you're
ever going to get in the meantime :)

------
chrisBob
This seems like a good option if I am ever in an action movie and I need to
tell the bad guy that all of the information will be released to CNN and the
NYT if anything happens to me.

If I come up with something I can't tell my wife while I am alive, I will
probably just put it in my will.

~~~
jliptzin
What prevents the bad guy from torturing you until you disable the DMS, then
kill you?

~~~
tormeh
Any good DMS of that calibre can't be disabled. The operator must take upfront
payment and not care if you die or not, only fulfilling a contract you can't
go back on. Sounds like something a Swiss bank could do for you, if stereotype
is to be believed.

~~~
jliptzin
Well, that may be so, but try explaining that to a (probably) not so
intelligent bad guy who will just continue torturing you. Maybe a good feature
for a DMS system would be a fake shut off switch that appears to be convincing
to an adversary.

------
tlrobinson
I wouldn't trust a random service like this with anything worth putting on a
dead man's switch. At a minimum you should use PGP, but sadly most the people
I'd want to use this with have no idea what PGP is. Maybe Keybase.io will
eventually help with that.

------
baby
I've thought about that service a lot and this solution is not working because
:

* I have to constantly check my mails to prove I'm not dead

* The other person's mail will without any doubt change if I die in 10+ years

* Can this service live up to 50+ years? I'm really doubting that as well.

~~~
bentcorner
> * I have to constantly check my mails to prove I'm not dead

It nag mails you so you don't forget. Otherwise, add a reminder with a link to
click on on the first of every month.

> * The other person's mail will without any doubt change if I die in 10+
> years

You'll be clicking on this thing every month, I'm pretty certain if your SO's
email changes you'll update it at that time.

> * Can this service live up to 50+ years? I'm really doubting that as well.

It only needs to be up when you die, again, you're clicking on this thing
every month, if the service dies and you find utility in the concept, you'll
find a different service to use.

~~~
baby
> you're clicking on this thing every month

That's a huge problem. You tell me I have to click on a link at least once a
month for the rest of my life.

First, I don't know if I'll have the same email for the rest of my life, if I
change I'll have to think about changing that notification, that will have
become spam in my mind.

Second, There surely will be a month in my life where I won't check my mails.

I can't think further, the thing has become a "hassle" that I have to
constantly check and correct if someone change its mail, or in case it would
think I'm dead, and this, for the rest of my life.

IMO there are better solutions for this type of problem, we just haven't found
them yet.

~~~
bentcorner
> That's a huge problem. You tell me I have to click on a link at least once a
> month for the rest of my life.

 _shrug_ from the point of view of someone who has opted in, this isn't a big
deal. People don't change email addresses that often, and if you're the type
who doesn't check email for longer than a month, then yeah, this isn't for
you.

The bigger problem is that this service is hard to test. When you _really_
want it to work there really isn't a second chance. Which means you shouldn't
be relying on this thing 100%. It's best to put something in your will and
instructions in a safe place.

~~~
baby
> from the point of view of someone who has opted in, this isn't a big dea

Maybe you're not familiar with that kind of thing. Give it time, it will
become a hassle to your mind and you will opt out at some point if the service
hasn't shut down yet.

> People don't change email addresses that often

Did you have the same email address 10 years ago? If so woah, I don't know a
lot of people who do.

> if you're the type who doesn't check email for longer than a month

I said at one point in life. I can see myself taking the transiberian for
example, travelling through Australia, etc... for a month in a big adventure
without internet.

It's hard to predict what's going to happen in your life. Being sure that
you'll have internet at least once a month for the rest of your life is a ...
extraordinary prediction.

------
Vespasian
Hmm I don't like the idea of involving a third (untrusted party) with what
could be basically the key to your whole online identity.

I would love to see a system which allows your heirs to access online accounts
without having to fear that a simple government request will hand them
everything they need on a silver plate (including stuff not obviously related
to you).

Probably physical objects need to be involved (code on paper etc) but then
again how to make sure the next best burglar doesn't get the prize of his
lifetime.

Does anyone know of such a solution?

~~~
tbrownaw
_Probably physical objects need to be involved (code on paper etc) but then
again how to make sure the next best burglar doesn 't get the prize of his
lifetime.

Does anyone know of such a solution?_

Put it in a safe deposit box at your local bank?

~~~
Domenic_S
Pretty much.

All my online logins are long random passwords stored in either 1Password or
my phone. I've considered writing up my password (to 1PW), and computer unlock
PW, and dropping it in my safe deposit box, updating it monthly or whenever I
change those passwords.

Any good reason not to?

~~~
roywiggins
First thing that comes to mind- not a lawyer but:

It's probably going to be harder to force you to divulge a password in a court
case than to just subpoena the piece of paper with your password on it and the
computer with the 1PW database.

------
Houshalter
Please no one actually use this. There is no reason to trust this site with
sensitive information, and there is even some evidence it may no longer be
maintained (see logn's comment.)

------
eplanit
I like it. There should also be a "delete" feature in addition to
notification. Sort of a self-destruct dropbox (in the generic sense) to
contain your most private and personal data -- bits you want to "take to the
grave" with you, so to speak. They only exist there for as long as you respond
to the ping, otherwise they're deleted. Maybe it's already thought about by
the creators, but it's not apparent in the description. My $0.02

~~~
eurleif
Meh, why not just store them locally (or on Dropbox) encrypted with a key only
you know?

------
rys
I bought deadmansswit.ch a couple of years ago and started building something
similar to this, at least in terms of the "do something useful when a period
of time with no contact had elapsed", but none of the "do something useful"s
required needing your credentials for anything.

Domain is freely available again, I gave up on the project and rolled the
useful code into something else.

------
rwallace
I'm curious, when would you actually use this?

I mean obviously the imagination readily conjures up movie scenarios, 'if
anything happens to me your nefarious plans for world domination will be sent
to the New York Times!' but in real life the evil overlord could counter that
in half a dozen ways.

Is anyone here looking to use such a service, and if so, for what sort of
purpose?

------
neotek
For a second I thought this was a link to
[https://deadmanssnitch.com](https://deadmanssnitch.com), which is a
fantastically simple cronjob monitor.

------
jlebrech
I thought of something similar to send tweets from the grave, you add an app
to twitter and it'll start tweeting messages after you stop tweeting for 2
years.

------
zw123456
I think an app on your phone is a better way, if the phone has not moved in
the last 24 hours or whatever, then an email could be sent. Something like
that.

~~~
buffsquid
I wrote a quick bash script for running a simple dead man's switch a few years
ago: [http://blog.mcglew.net/2012/09/dead-mans-switch-on-linux-
par...](http://blog.mcglew.net/2012/09/dead-mans-switch-on-linux-
part-1-basic.html)

You can reset the switch in any way you like, I was playing around with
emailing through single-use codes and port knocking and so on. One I never got
around to trying is a basic phone check: You have a cron job that scans all
bluetooth devices within range and checks for your phone's MAC address. If
it's there, it resets the timer. If you're out of physical range (or turn off
your bluetooth) for too long, it triggers the switch.

Not quite what you described but it does perform some of the same function.

------
sitkack
Why would I send sensitive data to an unknown website? Makes no sense. And if
the data is too valuable, good reason to kill me and get a treat.

------
chrisBob
30 days seems long, but I guess if I am in a hurry I could set up 10 of them
with 3 days in between so that it is always 72 hours out...

~~~
hatu
We're pretty much surrounded by internet wherever we go these days but still,
I could imagine taking four weeks off without any access to the internet and
wouldn't want people to think I died.

------
Lambent_Cactus
This is a scary thing to be the person running, no? Could be the hook for a
great thriller.

------
codesuela
> Every effort is made to protect your information

except for hosting the service in NSA country

------
Inversechi
Looks like the certificate on this site has since expired.

------
jlebrech
here's another type of dead mans switch, embed 'where now() < '1st January
2016' in your SQL :)

------
dfcarney
At least nobody can say the NSA isn't creative.

