Re: Red team attacks vs. cracking
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> > > Even the guy at 7-Eleven has the big book of north american ID cards with
> > > pictures and descriptions of what makes a real one for when they
> > > encounter an ID that they've never seen before.
> > How can you check if an ID card is real based only on what is written
> > on the card, even if it has all the hallmarks mentioned in that book?
> If you don't trust the ID, you don't sign the key. But having the book to be
> able to get a bad feeling about the ID from sure beats the apparent current
> system of "Sign the key and hope the ID is for real."
What I mean is, it makes no sense to believe that IDs provide any
real security. I would rather trust some common sense: a brief
Google search on the person's name, where you look at page 6 and pick
something that the person whose key you're signing should know.
For example, my name is pretty popular, but it's still pretty easy to
pick a reference to me. Taking a few random links yields:
* an ELinks patch for a bug with xterm detection
=> ask me what was wrong
* a translation of a task from the Polish Olympiad in Informatics,
the task was authored by me
=> ask me to briefly describe a solution for the task
* a Usenet-to-webforum mirror of r.g.r.nethack with a post about
"termrec", my enhanced implementation of ttyrec
=> you can assume that the upstream of a piece of software will know
its inner workings pretty well
Generally, you can learn a few things about the person you're trying
to impersonate, but there is no way you can know everything. And the
real person can describe things in detail...
A) someone with a government-issued ID, or
B) someone with a random card that bears a photo: a chess club card,
a Transnational Republic passport, etc
I see hardly any difference between person A and B. I would trust
common sense, not any passport.
> > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > can sell you a perfectly valid passport for less than $50.
> > [...]
> > That's about what checking government-issued IDs is worth.
> Perhaps in that part of the world, yes.
Yes, you're right. In the US, the ID may set me back perhaps even
$100 or more. And the point is...?
Cheers and schtuff,
1KB // Microsoft corollary to Hanlon's razor:
// Never attribute to stupidity what can be
// adequately explained by malice.