
Re: Red team attacks vs. cracking

On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> > > Even the guy at 7-Eleven has the big book of North American ID cards with
> > > pictures and descriptions of what makes a real one for when they
> > > encounter an ID that they've never seen before.
> > How can you check if an ID card is real based only on what is written
> > on the card, even if it has all the hallmarks mentioned in that book?
> If you don't trust the ID, you don't sign the key.  But having the book to be 
> able to get a bad feeling about the ID from sure beats the apparent current 
> system of "Sign the key and hope the ID is for real."

What I mean is, it makes no sense to believe that IDs provide any
real security.  I would rather trust some common sense.  A brief
Google search on the person's name where you look at page 6 and pick
something that the person whose key you're signing should know.

For example, my name is pretty popular, but it's still pretty easy to
pick a reference to me.  Taking a few random links yields:

* an ELinks patch for a bug with xterm detection
=> ask me what was wrong

* a translation of a task from the Polish Olympiad in Informatics,
  the task was authored by me
=> ask me to briefly describe a solution for the task

* a Usenet-to-webforum mirror of r.g.r.nethack with a post about
  "termrec", my enhanced implementation of ttyrec
=> you can assume that the upstream of a piece of software will know
   its inner workings pretty well

Generally, you can learn a few things about the person you're trying
to impersonate, but there is no way you can know everything.  And the
real person can describe things in detail...

Thus, given:
A) someone with a government-issued ID, or
B) someone with a random card that bears a photo: a chess club card,
   a Transnational Republic passport, etc.
I see hardly any difference between person A and B.  I would trust
common sense, not any passport.

> > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > can sell you a perfectly valid passport for less than $50.
> > [...]
> > That's about what checking government-issued IDs is worth.
> Perhaps in that part of the world, yes.

Yes, you're right.  In the US, the ID may set me back perhaps even
$100 or more.  And the point is...?

Cheers and schtuff,
1KB		// Microsoft corollary to Hanlon's razor:
		//	Never attribute to stupidity what can be
		//	adequately explained by malice.
