
Re: more developer identity stuff



On Sat, Aug 29, 1998 at 04:28:23AM -0400, Gregory S. Stark wrote:
> 
> Raul Miller <rdm@test.legislate.com> writes:
> 
> > Ossama Othman <othman@astrosun.tn.cornell.edu> wrote:
> > > Would the fact that I am listed in Cornell's online directory serve as any
> > > proof of identity, or will I still have to send copies of official
> > > documents?
> > 
> > The problem is: how do we know that you're you?  Sending the
> > official documents isn't really adequate (since we don't know
> > that you're not sending someone else's official documents).
> > And we can assume that you're in the cornell official directory
> > because you have a cornell official email address.
> > 
> > At least if you send images derived from the official documents, and
> > they correlate with your email address, it's fairly plausible that you're
> > not being spoofed by someone else.
> 
> I don't understand this at all. I'm sure there are plenty among us (myself not
> included) who could hack up a convincing looking image of a Cornell ID given a
> few hours in the Gimp. I don't see how this offers any authentication at all.

Hate to say it (since I sent in a photocopy of my driver's license for my
identity check)  but I could do it...without even the GIMP!

In high school I used to scan yearbook photos and do some cut&paste 
jobs... I did some real nice work with nothing more than a Mac and 
"Thunderscan" no fancy tools. I swear...some pics I made look REAL!
(and putting one head on another body and making it look even somewhat
authentic is a bit tougher than making a believable fake ID)

> On the other hand, if you call up cornell's main number and ask for Ossama
> Othman by name, you can be fairly sure it's the right person. At worst it
> could be a roommate or someone else close that can be tracked down, not just
> anybody on the internet with a good hand at forgery and possibly malicious
> intent.
> 
> I thought we were moving away from the scanned documents thing and towards
> using verified phone numbers from phone books or such. Affidavits from notary
> publics would be reasonable too, but not every country has an exact
> equivalent.
> 
> I hope people realize the ideal mechanism is a PGP signature directly by
> another debian developer, or indirectly via people who are widely trusted to
> understand PGP signatures and how to use them. With the current size and
> diversity of the debian keyring it should be increasingly feasible to find
> trust paths that join people.

It was said best on a news story I saw once (normally I don't watch the news
due to its lack of information I care about...I just don't really care about
people in general...and my interest in politics has fallen) "In this country
today we really have NO valid form of identification"

With enough money and time anything can be forged.  The point is that 99%
of all the people who would try to join the project under fake names or try
to do harm to us are NOT skilled in this...and are NOT motivated enough
to get past this simple check.

Most who would even think of it just turn away. The fact remains that no 
matter what we do anyone with a working brain, some technical knowledge, and
the will to do us harm CAN.

It's like anything... You can train SS agents...you can enclose the White House..
do whatever... This stops the casual idiot with a gun from killing the
president...they will get caught before they ever get even nearly close.

Though...if someone really wanted to....Killing the president wouldn't be
impossible...or really even too hard 

(note: While I am sure this e-mail is probably setting off some sort of 
keyword scanner somewhere...let it be known that while I am very 
anti-government and rather indifferent to what happens...I myself have 
no desire nor any plan to carry out any such acts.. - while I am
sure being on "the list" would be pretty cool to brag about...and chats
with the SS could be fun for a person with a sick sense of humor like me
I am not in the mood for it)

in any event...the point is that stopping the casual trouble maker really
is all we can expect to do. Besides (paranoia kicking in) who's to say
that anyone wishing to do us harm isn't already among our ranks? 

or are we to make such verifications retroactive :) (that could be a mess)

ok...maybe I just rambled on for nothing...maybe I made no sense with that
The idea that our current system stops the "casual troublemaker" wasn't
my original thought but...was someone else's a bit back....
and it's 5:37 am here... my web page update is uploaded...
mail is downloaded... Infomagic CDs are ordered.... now time to sleep

-Steve

-- 
/* -- Stephen Carpenter <sjc@delphi.com> --- <sjc@debian.org>------------ */
E-mail "Bumper Stickers":
"A FREE America or a Drug-Free America: You can't have both!"
"honk if you Love Linux"

Attachment: pgpgoz6SqdLv8.pgp
Description: PGP signature

