So secure was the annual contest to fill three director and four officer positions that when one trustee lost his cryptographic key to unlock the results, the error made it impossible.
Assuming they were using threshold cryptography, they could have easily configured some redundancy into the system, e.g. by requiring 3 out of 5 people to decrypt it instead of 3 of 3.
It’s easy to blame the one guy for losing the key, but he could have gotten hit by a bus or lost the hard drive in a house fire and they would have been equally as screwed. This is more of a system design failure than a PEBKAC failure.
in complex systems design, you never blame human error. humans are fallible, and if the system doesn’t account for human error then it’s just a matter of time until failure occurs. look for a way to make the system tolerate or eliminate human error
Normal error theory even takes the view that errors are inevitable in complex systems and that you need to design them so that the effects of those errors can’t escalate.
literally the same concept as a comment i just wrote about russian hypersonic missiles breaking apart mid flight because they didn’t put limits on how fast they can change course when going mach 5 aha
look for a way to make the system tolerate human error
Ah, if only managers understood this principle.
My motto is that “all failures are management failures.” But I’m not far enough up the chain to really implement that 😅
idk i fuck up and release buggy code at least 10% as much as management makes dumb ass decisions
According to the article they changed the procedure to require 2/3 keys, so at least they learned that lesson.
Which is stupid, since the reason they had 3/3 was that two people could not collaborate to change the results, which they now can with 2/3.
Should have been changed to 3/5 instead.
Exactly, it’s worse all around.
And it’s not like it’s hard to use a different configuration; the threshold and total number of keys are just parameters of the algorithm.
Conspiracy time: Trustee #3 “lost” their key because polling suggested that they wouldn’t like the results.
I have no reason to believe that’s actually the case, but it’s interesting that the org uses a 3 key system to prevent collusion between trustees, but didn’t think about how this might enable lone-trustee sabotage.
Skill issue.
Fuuuck… okay people, I’m going to pass my hat around, and you just throw in a piece of paper with the name you voted for.
I’ve heard of secret ballots, but this is ridiculous!
In other news the owner of a vault whose key he threw away cannot access the contents.
It would be way worse if they somehow were able to decrypt the votes anyways without the key. Whether that be by retrieving the key from a backup or a flaw in the system. Because that would defeat the whole purpose.
All in all the technology they use is very interesting technically, but this event really demonstrates the tradeoff between security and convenience. Imagine if that was the election for a country… Oof
well the irony’d be in it anyway
—holy iambs, volume 14the vaultkeepers alliance misplacing the key is what makes this such an amazing onion, though you probably agree, and I guess “Cryptographers unveil backdoor to every key ever created after losing key” would be an even better onion
that’s why I’m hesitant to host vaultwarden myself as opposed to pay to use bitwarden
Well, I’m not sure how using bitwarden changes anything here related to losing your keys?
Hosting vaultwarden you are just restricting third parties from having access to your cryptographed data. (personaly, to me, that’s always better, since restricts possibilities of brute force - currently unfeasible for non-state actors, but who knows what will be achievable in 2, 4 years from now…)
If you lose the key* that unlocks your vault, be it vaultwarden or bitwarden, you will have effectively lost access to your vault either case.
*: losing the key is what seem to have happened in this election
I guess that trustee won’t be getting voted into any important positions in the re-run!
a manager put all his passwords in a file then set a password to open it. forgot it. made him a new account. zip file iirc
