On Mon, May 29, 2006 at 02:48:33PM +0200, Wouter Verhelst wrote: > Then there's the issue of tracing who did an actual upload into the real > world. A name on a GPG key is not, by any means, an effective way to do > that, since it does not contain enough information to get out the black > helicopters. Case in point: (...) Useless case, you seem to believe that police officers can only trace and obtain information from people through Google ! I do not know how many cases related to "digital crimes" have you been involved with or know of, so please allow me to enlighten you how it could possiby work: - somebody named X gets a trojan in the Debian archive through a GPG key - SPI (not Debian as it does not have a legal entity in itself) brings the case to a law agency claiming that X has committed a crime - the Police traces X to A, B and C (same names != same people) - the Police gathers evidence that A and B *might* be in possession of the GPG key and might have done the attack (this includes things like information from ISPs linking a telecommunications contract to a name, data from their communication either publicly available or requested to ISPs or servers) - the Police asks for a search warrant, gets into A and B's house and seizes their computers - the Police finds the private key associated with the GPG key in A's computer (maybe even evidences of the trojan itself) Guess who is going to get prosecuted regardless of whether they have the same name? If you think that's science fiction, maybe a tv series plot, or think that law agencies (or judges) are stupid and cannot gather evidence for a case in the digital age then think again  Law agencies (in many countries) have enough budget and laws backing them to do that (and more). Given enough damage done by X (=A) through the trojan introduced in the archive or enough money layed down by SPI you bet there would be a thorough investigation of the case. Regards Javier  Virus and worm writers have been busted with even less information (when the investigation started) than the information I leak while writting this e-mail.
Description: Digital signature