[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys

* Manoj Srivastava (srivasta@acm.org) wrote:
> On 25 May 2006, Stephen Frost spake thusly:
> > I wasn't making any claim as to the general validity of IDs which
> > are purchased and I'm rather annoyed that you attempted to
> > extrapolate it out to such.  What I said is that he wasn't trying to
> > fake who he was, as the information (according to his blog anyway,
> > which he might be lieing on but I tend to doubt it) on the ID was,
> > in fact, accurate.
>         He has already bragged about how he cracked the KSP by
>  presenting an unofficial ID which he bought -- an action designed to
>  show the weakness of signing parties. So, this was a bad faith act,
>  since the action was not to show an valid, official ID to extend the
>  web of trust, but to see how many people could be duped into signing
>  his key.

Pffft.  Again, I call foul.  That was as much 'bragging' as any
scientist reporting on a study.  It *wasn't* done in bad faith, as the
information on the ID (now independtly confirmed even) *was* accurate.

>         Given that he is acknowledges trying to dupe people, why do
>  you think he is not lying about the contents of the ID?

He didn't try to dupe people and this claim is getting rather old.
Duping people would have actually been putting false information on the
ID and generating a fake key and trying to get someone to sign off on
the fake key based on completely false information.  The contents of the
ID were accurate, as was his key, there was no duping or lying.
Whineing that he showed a non-government ID at a KSP and saying that's
"duping" someone is more than a bit of a stretch, after all, I've got
IDs issued by my company, my university, my state, my federal gov't,
etc.  Would I be 'duping' people if I showed them my company ID?  What
about my university ID?  Would it have garnered this reaction?  I doubt

> > If you're upset about this because you had planned to sign it and
> > now feel 'duped' then I suggest you get past that emotional hurdle
> > and come back to reality.
>         Rubbish. The reality I am concerned about is someone cracking
>  the KSP and duping people into signing his hey when they had  been
>  fooled into thinking they were looking at an unfamiliar official ID.

The reality is that you're turning this into something much, much larger
than it actually is.  If you're actually concerned about someone
cracking the KSP then what you *should* be doing is attempting to
educate people on the dangers of KSPs in general, not going after
someone who happened to point out that not everyone checks IDs very
carefully (an unsuprising reality but one which now has a good measure
of proof behind it to base change upon).  'Cracking' the KSP, such as
one could, would be coming up with a fake identity entirely and trying
to get people to sign off on it.  Even that isn't actually all that
*dangerous* until someone grants some privilege based on that signature.
That *isn't* what happened here, and, indeed, being rather well known
(it seems) there would have made it more difficult for him to pull off
than, say, someone off the street.

> > No one 'crack'ed anything here (that we know of anyway) and while
> > not signing his key because of this is reasonable, or even revoking
> > a signature which had been based on this ID, the constant
> > inflammatory claims of Martin being a 'cracker' and how this could
> > lead to other 'cracks' is extreme, insulting, and childish.
>         And I think your attitude is naive, optimistic, and
>  dangerous.  This was a subversion of the KSP. Admittedly, KSP's are
>  fragile, and people get tired, and glassy eyed from looking at too
>  many unfamiliar official looking documents. It takes little social
>  engineering to fool people into signing based on fake documents.

Again, there was no subversion, the information on his ID was accurate.
I'm tired of you blowing things way out of proportion, this being just
the last in a trend you seem to have towards sensationalizing things. :/

>         Admittedly, in the world of cracking this is the equivalent of
>  running off with the handbag of an old lady on crutches, which is why
>  one speculates about where the next crack is headed for.

I disagree with the analogy entirely, but even more so doubt that anyone
but you is speculating about "where the next crack is headed for".  How
you made the leap from presenting a non-gov't ID at a KSP to dangerous
cracker is far beyond me.



Attachment: signature.asc
Description: Digital signature

Reply to: