Re: Red team attacks vs. cracking

To: debian-devel@lists.debian.org
Subject: Re: Red team attacks vs. cracking
From: Adam Borowski <kilobyte@angband.pl>
Date: Wed, 31 May 2006 00:48:45 +0200
Message-id: <[🔎] 20060530224845.GC17250@angband.pl>
In-reply-to: <[🔎] 200605301357.21550.baloo@ursine.ca>
References: <[🔎] 877j43k1k4.fsf@glaurung.internal.golden-gryphon.com> <[🔎] 200605301220.21247.baloo@ursine.ca> <[🔎] 20060530200206.GA17250@angband.pl> <[🔎] 200605301357.21550.baloo@ursine.ca>

On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> > > Even the guy at 7-Eleven has the big book of north american ID cards with
> > > pictures and descriptions of what makes a real one for when they
> > > encounter an ID that they've never seen before.
> > How can you check if an ID card is real based only on what is written
> > on the card, even if it has all the hallmarks mentioned in that book?
> If you don't trust the ID, you don't sign the key.  But having the book to be 
> able to get a bad feeling about the ID from sure beats the apparent current 
> system of "Sign the key and hope the ID is for real."

What I mean is, it makes no sense to believe that IDs provide any
real security.  I would rather trust some common sense.  A brief
Google search on the person's name where you look at page 6 and pick
something that the person whose key you're signing should know.

For example, my name is pretty popular, but it's still pretty easy to
pick a reference to me.  Taking a few random links yields:

* an ELinks patch for a bug with xterm detection
=> ask me what was wrong

* a translation of a task from the Polish Olympiad in Informatics,
  the task was authored by me
=> ask me to briefly describe a solution for the task

* a Usenet-to-webforum mirror of r.g.r.nethack with a post about
  "termrec", my enhanced implementation of ttyrec
=> you can assume that the upstream of a piece of software will know
   its inner workings pretty well

Generally, you can learn a few things about the person you're trying
to impersonate, but there is no way you can know everything.  And the
real person can describe things in detail...

Thus, given:
A) someone with a government-issued ID, or
B) someone with a random card that bears a photo: a chess club card,
   a Transnational Republic passport, etc
I see hardly any difference between person A and B.  I would trust
common sense, not any passport.

> > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > can sell you a perfectly valid passport for less than $50.
> > [...]
> > That's about what checking government-issued IDs is worth.
> Perhaps in that part of the world, yes.

Yes, you're right.  In the US, the ID may set me back perhaps even
$100 or more.  And the point is...?

Cheers and schtuff,
-- 
1KB		// Microsoft corollary to Hanlon's razor:
		//	Never attribute to stupidity what can be
		//	adequately explained by malice.

Reply to:

References:
- Red team attacks vs. cracking
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Red team attacks vs. cracking
  - From: Paul Johnson <baloo@ursine.ca>
- Re: Red team attacks vs. cracking
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: Red team attacks vs. cracking
  - From: Paul Johnson <baloo@ursine.ca>

Prev by Date: Re: Red team attacks vs. cracking
Next by Date: Re: Real Life hits: need to give up packages for adoption
Previous by thread: Re: Red team attacks vs. cracking
Next by thread: Re: Red team attacks vs. cracking
Index(es):
- Date
- Thread