
Re: [Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys



On 25 May 2006, Stephen Frost spake thusly:

> * Manoj Srivastava (srivasta@acm.org) wrote:
>> On 25 May 2006, Stephen Frost spake thusly:
>>> I wasn't making any claim as to the general validity of IDs which
>>> are purchased and I'm rather annoyed that you attempted to
>>> extrapolate it out to such.  What I said is that he wasn't trying
>>> to fake who he was, as the information (according to his blog
>>> anyway, which he might be lying on but I tend to doubt it) on the
>>> ID was, in fact, accurate.
>>
>> He has already bragged about how he cracked the KSP by presenting
>> an unofficial ID which he bought -- an action designed to show the
>> weakness of signing parties. So, this was a bad faith act, since
>> the action was not to show a valid, official ID to extend the web
>> of trust, but to see how many people could be duped into signing
>> his key.
>
> Pffft.  Again, I call foul.  That was as much 'bragging' as any
> scientist reporting on a study.  It *wasn't* done in bad faith, as
> the information on the ID (now independently confirmed even) *was*
> accurate.

        Cracking is not a scientific study.

>> Given that he acknowledges trying to dupe people, why do
>> you think he is not lying about the contents of the ID?
>
> He didn't try to dupe people and this claim is getting rather old.

        He did dupe people --- into signing based on an unofficial
 document which can be purchased at will.  And it is obvious that
 large KSPs have tired people, doing a repetitive task, and have a
 lot of people unfamiliar with key signing. The conclusion was
 foregone -- rarely do people have scientific studies belabouring the
 obvious.

> Duping people would have actually been putting false information on
> the ID and generating a fake key and trying to get someone to sign
> off on the fake key based on completely false information.  The
> contents of the ID were accurate, as was his key, there was no

        I, for one, have no way of knowing if that was not the case.

> duping or lying.  Whining that he showed a non-government ID at a
> KSP and saying that's "duping" someone is more than a bit of a
> stretch, after all, I've got IDs issued by my company, my
> university, my state, my federal gov't, etc.  Would I be 'duping'
> people if I showed them my company ID?  What about my university ID?
> Would it have garnered this reaction?  I doubt it.

        The directive at the KSP was that you showed people an
 official photo ID -- a passport if you had one,  or whatever you had
 available if you were local.  Putting in a purchased card (I know
 there are several places around that create official looking documents
 in exchange for money) is subverting the KSP.

>>> If you're upset about this because you had planned to sign it and
>>> now feel 'duped' then I suggest you get past that emotional hurdle
>>> and come back to reality.
>>
>> Rubbish. The reality I am concerned about is someone cracking the
>> KSP and duping people into signing his key when they had been
>> fooled into thinking they were looking at an unfamiliar official
>> ID.
>
> The reality is that you're turning this into something much, much
> larger than it actually is.

        I can't help it if you think presenting unofficial ID at a
 debian KSP does not amount to much.  I tend not to dismiss gaming web
 of trust issues dismissively.

> If you're actually concerned about someone cracking the KSP then
> what you *should* be doing is attempting to educate people on the
> dangers of KSPs in general, not going after someone who happened to
> point out that not everyone checks IDs very carefully (an
> unsurprising reality but one which now has a good measure of proof
> behind it to base change upon).

        Heh. I guess we need to have proof of the unsurprising fact
 that people bleed when pierced with 6 inches of sharp steel too?
 Would that be "just a scientific study" to you? 

        Either the KSP was subverted, in which case we have something
 to educate people about, or 

> 'Cracking' the KSP, such as one could, would be coming up with a
> fake identity entirely and trying to get people to sign off on it.

        How do you know that is not what happened?

> Even that isn't actually all that *dangerous* until someone grants
> some privilege based on that signature.

        The next time that key signs an NM candidate's key, and that sig
 is used to get someone into Debian, privileges would have been
 granted from a tainted signature.

> That *isn't* what happened here,

        No? You can prove that?

> and, indeed, being rather well known (it seems) there would have
> made it more difficult for him to pull off than, say, someone off
> the street.

        Well known to whom?  I, for one, did not know very many people
 at the conference, and large chunks of people were in my shoes.
 Also, people who did know the perp were unlikely to look closely at
 the fake documents being brandished.

>>> No one 'crack'ed anything here (that we know of anyway) and while
>>> not signing his key because of this is reasonable, or even
>>> revoking a signature which had been based on this ID, the constant
>>> inflammatory claims of Martin being a 'cracker' and how this could
>>> lead to other 'cracks' is extreme, insulting, and childish.
>>
>> And I think your attitude is naive, optimistic, and
>> dangerous.  This was a subversion of the KSP. Admittedly, KSP's are
>> fragile, and people get tired, and glassy eyed from looking at too
>> many unfamiliar official looking documents. It takes little social
>> engineering to fool people into signing based on fake documents.
>
> Again, there was no subversion, the information on his ID was
> accurate.  I'm tired of you blowing things way out of proportion,
> this being just the last in a trend you seem to have towards
> sensationalizing things. :/

        I am tired of you trying to put a good face by making
 statements you can't prove. How do you know the information was
 accurate?
>
>> Admittedly, in the world of cracking this is the equivalent of
>> running off with the handbag of an old lady on crutches, which is
>> why one speculates about where the next crack is headed for.
>
> I disagree with the analogy entirely, but even more so doubt that
> anyone but you is speculating about "where the next crack is headed
> for".  How you made the leap from presenting a non-gov't ID at a KSP
> to dangerous cracker is far beyond me.


        The KSP was cracked.  People signed a key without ever looking
 at proper, official ID. You can try and save face by calling it
 whatever you want, but that does not change the reality.

        manoj

-- 
Anything free is worth what you pay for it.
Manoj Srivastava   <srivasta@acm.org>  <http://www.datasync.com/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


