[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Trouble becoming a member

On Tue, Sep 17, 2002 at 02:42:22PM -0500, Steve Langasek wrote:
> On Tue, Sep 17, 2002 at 01:07:59PM -0600, Joel Baker wrote:
> > Visual identification of the applicant isn't terribly meaningful; all it
> > establishes is that they have a card with their picture on it. It says
> > nothing about the veracity of that card, which is where the attack is in
> > that case. However, see below.
> Let me put it another way: they can forge their ID, but it's hard to
> forge their face.  With a face-to-face meeting, if the person DOES have
> ulterior motives, we now have a much better chance of bringing them to
> justice afterwards than if both their identity and their face were
> unknown to us.

A forged ID can have any face on it you wish; that's sort of the point.
Sufficient disguise to fool someone face to face is even more trivial than
a fake ID. If someone's going to bother, spending $50 or less in materials
(or even a couple of hundred, for a completely nwe kit) isn't going to
bother them.

Again, if you're going to presume that there is an active attack, you have
to presume that the attacker places value on the result, and as such, is
willing to put both time and money into it.

However, we're now, IMO, wandering into the realm of paranoia beyond what
is reasonable. Someone REALLY wanting to Hack Debian(tm) is more likely to
try to hack or social-engineer their way into a position of compromising an
existing DD's key.

> > > Most people don't get signed into the ring by people from far distant
> > > lands (say, California), either; the web is large enough now that
> > > familiarity with the IDs of your own state, and possibly your neighboring
> > > states, should be enough to prevent mere $1,000 forgeries.  And when NMs
> > > can expect to spend maybe half a year in the queue anyway, the
> > > "reasonable effort" to contact a local DD should include a corresponding
> > > increase in effort to be considered reasonable.
> > This, I will grant, with one caveat: the question of whether DDs actually
> > do know this, and whether they are actively aware of it. They should be -
> > but are they? (And is this, perhaps, something to be noted in the FAQs, if
> > not?)
> Yes, making sure that our developers are well-educated is always a
> concern.

Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/

Attachment: pgphTKZLkxG33.pgp
Description: PGP signature

Reply to: